
More safety codes for 2FA
Closed, Resolved · Public

Description

As per T199118, it would be nice if the number of safety codes provided could be expanded from the default 5 to something like 10 or so like what Google provides.

Additionally, it would be preferable if there was a way for the user to find out how many (and which if possible) codes are left.

Details

Related Gerrit Patches:
mediawiki/extensions/OATHAuth : master · Give users 10 scratch tokens

Event Timeline

Restricted Application added a subscriber: Aklapper. · Dec 12 2018, 11:13 PM
Reedy added a subscriber: Reedy. · Dec 12 2018, 11:32 PM

> Additionally, it would be preferable if there was a way for the user to find out how many (and which if possible) codes are left.

How many has some use, but it's limited. Showing them again is a grey area

Looks like we should be able to do more scratch tokens without changing the field length (lots of spare space atm)

Change 479356 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OATHAuth@master] Give 10 users 10 scratch tokens

https://gerrit.wikimedia.org/r/479356

Huji added a subscriber: Huji. · Dec 12 2018, 11:38 PM

>> Additionally, it would be preferable if there was a way for the user to find out how many (and which if possible) codes are left.
>
> How many has some use, but it's limited. Showing them again is a grey area
> Looks like we should be able to do more scratch tokens without changing the field length (lots of spare space atm)

Showing them again is not even "grey" area to me; it is an absolute no. The other two things are reasonable though.

>>> Additionally, it would be preferable if there was a way for the user to find out how many (and which if possible) codes are left.
>>
>> How many has some use, but it's limited. Showing them again is a grey area
>> Looks like we should be able to do more scratch tokens without changing the field length (lots of spare space atm)
>
> Showing them again is not even "grey" area to me; it is an absolute no. The other two things are reasonable though.

Some sites do it. Some don't. I haven't seen (or looked too hard) to see what the best practices say

T131788: Users should be notified when only two scratch tokens are left is partially that part of it. I'm not sure how/where we should potentially display this number

Huji added a comment. · Dec 13 2018, 12:17 AM

I think T131788 should create Notifications which can be displayed in wiki and/or sent to email (like any other notification).

As for the current task, I think it should be shown in Special:Preferences in the same line in which the 2FA button is currently located.

10 should be good I guess. GitHub for example offered me 16 IIRC. But I agree 5 are too few when we require two in some cases. Thanks.

Change 479356 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Give users 10 scratch tokens

https://gerrit.wikimedia.org/r/479356

Reedy updated the task description.
Leaderboard closed this task as Resolved. · Feb 28 2019, 10:07 PM
Leaderboard claimed this task.

It appears to be live now. 10 scratch codes should now be available.

Reedy renamed this task from "More safety codes for 2FA and ability to see which are used" to "More safety codes for 2FA". · Feb 28 2019, 10:16 PM