Page MenuHomePhabricator
Create Task
Maniphest T230042

Allow multiple TOTP devices
Closed, ResolvedPublic
Actions

Description

It would be useful if a user can have multiple totp devices (along with some sort of "display name"), so they can have it on multiple phones or similar

Should be easier with the refactoring done in T218210 etc

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
TOTP: Fix logic for displaying TOTPEnableFormmediawiki/extensions/OATHAuthwmf/1.45.0-wmf.18+1 -1
TOTP: Fix logic for displaying TOTPEnableFormmediawiki/extensions/OATHAuthmaster+1 -1
Allow multiple TOTP keys to be added when OATHAllowMultipleModules=truemediawiki/extensions/OATHAuthmaster+2 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Reedy created this task.Aug 7 2019, 4:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 7 2019, 4:56 PM
Reedy added a comment.Aug 7 2019, 5:03 PM

I wonder if there should be a side/parent task for allowing multiple of anything (as appropriate)....

Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Oct 16 2019, 3:58 PM
AntiCompositeNumber subscribed.Jan 6 2020, 9:34 PM
Paladox subscribed.Jan 6 2020, 9:39 PM
Reedy mentioned this in T242031: Allow multiple different 2FA devices.Jan 6 2020, 9:47 PM
Reedy mentioned this in T244348: Recovery option for WebAuthn.Feb 5 2020, 6:59 PM
jeblad subscribed.May 23 2020, 12:03 PM
mdaniels5757 subscribed.Aug 9 2020, 5:56 PM
Legoktm subscribed.Feb 18 2022, 9:53 AM

I am going to close this as a duplicate of T242031: Allow multiple different 2FA devices because solving that will solve this.

Legoktm closed this task as a duplicate of T242031: Allow multiple different 2FA devices.Feb 18 2022, 9:54 AM
Tgr reopened this task as Open.Jul 31 2025, 1:50 PM
Tgr subscribed.

I don't think this is a duplicate as each module is in the charge of its own management form. T242031 (which is basically done) is about supporting multiple authenticators in the shared backend and login flow, but each module still has to decide how to display multiple authenticators.

Tgr added a subtask: T242031: Allow multiple different 2FA devices.Jul 31 2025, 1:50 PM
Tgr merged a task: T395507: Support multiple TOTP tokens.Jul 31 2025, 5:33 PM
Tgr added a subscriber: A_smart_kitten.
taavi renamed this task from Allow multiple totp devices to Allow multiple TOTP devices.Jul 31 2025, 5:35 PM
Tgr added a comment.Jul 31 2025, 5:35 PM

We'd need to make a TOTPManageForm, along the lines of WebAuthnManageForm.

Tgr mentioned this in T399645: Allow multiple TOTP and security keys on Special:OATH.Jul 31 2025, 7:33 PM
Tgr mentioned this in T399649: Show enabled 2FA details on Special:AccountSecurity.Jul 31 2025, 7:35 PM
Tgr added a comment.Jul 31 2025, 7:39 PM

And introduce the concept of display names, so they can be differentiated from each other. And have some sort of a default display name (since the existing entries don't have one), maybe based on creation date.

Tgr added a project: FY2025-26 WE4.6.2 Multiple Authenticators.Aug 1 2025, 3:16 PM
waldyrious subscribed.Aug 2 2025, 1:30 PM
Mstyles closed subtask T242031: Allow multiple different 2FA devices as Resolved.Aug 20 2025, 6:56 PM
gerritbot added a comment.Sep 3 2025, 9:38 PM

Change #1184593 had a related patch set uploaded (by Catrope; author: Catrope):

[mediawiki/extensions/OATHAuth@master] Allow multiple TOTP keys to be added when OATHAllowMultipleModules=true

https://gerrit.wikimedia.org/r/1184593

gerritbot added a project: Patch-For-Review.Sep 3 2025, 9:38 PM
Catrope claimed this task.Sep 3 2025, 9:39 PM
Catrope moved this task from Backlog to In Progress on the FY2025-26 WE4.6.2 Multiple Authenticators board.
gerritbot added a comment.Sep 4 2025, 4:57 PM

Change #1184593 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Allow multiple TOTP keys to be added when OATHAllowMultipleModules=true

https://gerrit.wikimedia.org/r/1184593

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.18; 2025-09-09).Sep 4 2025, 5:00 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 4 2025, 5:31 PM
Catrope closed this task as Resolved.Sep 5 2025, 12:58 AM

This is now allowed when $wgOATHAllowMultipleModules is set to true. For now it's set to false by default, but we'll turn this on soonish when we're ready.

waldyrious added a comment.Sep 6 2025, 9:36 PM

@Catrope great news! How can one follow that change to get notified when it happens?

Catrope added a comment.Sep 8 2025, 11:42 PM

I have created T404029: Enable multiple 2FA modules in production to track the roll-out of this feature

Reedy mentioned this in T404091: Attempting to enable TOTP gives a page with no controls.Sep 9 2025, 2:46 PM
gerritbot added a comment.Sep 9 2025, 2:48 PM

Change #1186530 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] TOTP: Fix logic for displaying TOTPEnableForm

https://gerrit.wikimedia.org/r/1186530

gerritbot added a project: Patch-For-Review.Sep 9 2025, 2:48 PM
gerritbot added a comment.Sep 9 2025, 4:35 PM

Change #1186530 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] TOTP: Fix logic for displaying TOTPEnableForm

https://gerrit.wikimedia.org/r/1186530

gerritbot added a comment.Sep 9 2025, 4:48 PM

Change #1186548 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.18] TOTP: Fix logic for displaying TOTPEnableForm

https://gerrit.wikimedia.org/r/1186548

gerritbot added a comment.Sep 9 2025, 4:59 PM

Change #1186548 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.18] TOTP: Fix logic for displaying TOTPEnableForm

https://gerrit.wikimedia.org/r/1186548

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.19; 2025-09-16); removed MW-1.45-notes (1.45.0-wmf.18; 2025-09-09).Sep 9 2025, 5:00 PM
Maintenance_bot removed a project: Patch-For-Review.Sep 9 2025, 5:32 PM
Stashbot added a comment.Sep 9 2025, 6:40 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-09T18:40:54Z] <dduvall@deploy1003> Started scap sync-world: Backport for [[gerrit:1186548|TOTP: Fix logic for displaying TOTPEnableForm (T404091 T230042)]]

Stashbot added a comment.Sep 9 2025, 6:46 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-09T18:46:41Z] <dduvall@deploy1003> dduvall, reedy: Backport for [[gerrit:1186548|TOTP: Fix logic for displaying TOTPEnableForm (T404091 T230042)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Sep 9 2025, 7:09 PM

Mentioned in SAL (#wikimedia-operations) [2025-09-09T19:09:13Z] <dduvall@deploy1003> Finished scap sync-world: Backport for [[gerrit:1186548|TOTP: Fix logic for displaying TOTPEnableForm (T404091 T230042)]] (duration: 28m 18s)

rokejulianlockhart subscribed.Sep 16 2025, 3:05 PM

I don't see much point in this. Can't the user merely synchronise their TOTP key in a credential manager, like Bitwarden (and countless others) provide?

Aklapper added a comment.Sep 16 2025, 3:27 PM

I don't see much point in installing yet more software (like a credential manager) on each device only to sync between devices.

rokejulianlockhart added a comment.Sep 16 2025, 3:31 PM

@Aklapper, device loss or failure. PCI DSS V4.0 and NIST guidance recommend them for a well-documented reasons.

Reedy added a comment.Sep 16 2025, 4:06 PM

We're not handling payments, and we're trying to give users as much choice as possible. We can't force them to use magic cloud (or even setup their own local infrastructure) syncing apps.

Mstyles moved this task from In Progress to Done on the FY2025-26 WE4.6.2 Multiple Authenticators board.Sep 19 2025, 5:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits