We currently don't really have a place for logging sensitive stuff like this stuff onwiki (and then replicating to labs adds some complexity). And I don't think it should be public to the masses that a user has disabled 2FA for another user for obvious reasons

Logging was breaking 2FA due to some issues with MW config and hence reverted for the time being until it can be investigated more thoroughly

I would agree a "reason" is useful, but we need somewhere to store it (see also private log comment above)

I note this is why I've made sure it's disabled on WMF wikis until policies/procedures are in place, never mind making sure the functionality necessary is already there :)

(Maybe for another task: send an email to the registered preferences address to the user whose 2FA was disabled with details of who and why?)

Yes, file a separate task for that

@Reedy I'd create an ad hoc log for this kind of stuff, similar to Special:CheckUserLog, where only people with oathauth-disable-for-user-log could access (for example: Special:OATHLog?). The suppression log might not be the best place because we tend to log there oversighting stuff, and there will be more people than just those with oathauth-disable-for-user that could watch (even if those are still trusted people). Indeed this should not be public for obvious reasons.

Labs: similar to what happens to other logs, we should add the table to the blacklist so it's not made public to the replicas.

I'll file a separate task for the email stuff.

Are we at least logging this stuff to fluorine/logstash right now?

In T210919#4792531, @Krenair wrote:

Are we at least logging this stuff to fluorine/logstash right now?

No, because the patch was reverted

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

In T210919#4792673, @Legoktm wrote:

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

If that is possible, then sure, okay. I'd add a new right: oathauth-log (for example).

In T210919#4792673, @Legoktm wrote:

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

That sounds good, is there any chance that CU logs also use the built-in logging too? It reinvents its own logging wheel.

In T210919#4793948, @Ladsgroup wrote:

In T210919#4792673, @Legoktm wrote:

We should use Special:log like normal, but restrict it to people with whatever right (as @MarcoAurelio suggested). We already do it with the suppression log, and used to do it with the spamblacklist log.

That sounds good, is there any chance that CU logs also use the built-in logging too? It reinvents its own logging wheel.

Sounds like a separate discussion for a separate bug ;)