Page MenuHomePhabricator
Create Task
Maniphest T232336

Separate recovery codes into a separate 2FA module
Closed, ResolvedPublic
Actions

Description

We should separate the Recovery codes from OATHAuth into a separate MFA authentication module and detach if from the TOTP method as WebAuthn does not have a (self) recovery method of its own.

See also: T218214#5474912

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add maintenance script to migrate recovery tokens to their own devicemediawiki/extensions/OATHAuthmaster+183 -0
Add maintenance script to migrate recovery tokens to their own devicemediawiki/extensions/OATHAuthwmf/1.45.0-wmf.24+183 -0
Add maintenance script to migrate recovery tokens to their own devicemediawiki/extensions/OATHAuthwmf/1.45.0-wmf.23+183 -0
Separate recovery codes into a separate 2FA modulemediawiki/extensions/OATHAuthmaster+1 K -217
Add Recovery Codes support to WebAuthn add key pagemediawiki/extensions/WebAuthnmaster+76 -14
Define isSpecial() for WebAuthn modulemediawiki/extensions/WebAuthnmaster+5 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
FozzieHey subscribed.Aug 9 2020, 12:57 PM
mdaniels5757 subscribed.Aug 9 2020, 5:55 PM
Stang subscribed.Jan 7 2022, 11:02 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Feb 17 2022, 3:36 PM
Legoktm mentioned this in T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB.Feb 18 2022, 8:59 AM
Legoktm added a subtask: T242031: Allow multiple different 2FA devices.Feb 18 2022, 9:54 AM
Legoktm added a parent task: T150601: Add option to generate new set of recovery codes.Feb 18 2022, 10:00 AM
Xaosflux subscribed.Feb 18 2022, 10:48 AM
deryckchan awarded a token.Feb 18 2022, 11:04 AM
Dringsim subscribed.Sep 24 2023, 1:04 PM
Reedy renamed this task from Separate recovery codes into a separate MFA method to Separate scratch/recovery codes into a separate MFA method.Dec 6 2023, 12:39 PM
Reedy mentioned this in T352855: Factor scratch tokens into own 2FA method.
Reedy merged a task: T352855: Factor scratch tokens into own 2FA method.
Reedy added a parent task: T244348: Recovery option for WebAuthn.
Reedy added a parent task: T352856: Recovery code improvements.Dec 6 2023, 12:44 PM
Reedy moved this task from User Experience to New 2FA Methods on the MediaWiki-extensions-OATHAuth board.
Reedy renamed this task from Separate scratch/recovery codes into a separate MFA method to Separate recovery codes into a separate MFA method.Jan 1 2024, 8:54 PM
Reedy updated the task description. (Show Details)
taavi added a parent task: T356004: Help password managers to detect TOTP login input.Apr 20 2024, 10:22 AM
Reedy mentioned this in T245027: Enable downloading recovery codes for two-factor (TOTP).May 14 2024, 5:17 PM
Tol subscribed.Jun 25 2024, 10:13 PM
Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Apr 12 2025, 3:49 PM
Tgr mentioned this in T151738: OATH code field should show numeric keyboard on mobile devices.Jul 8 2025, 10:24 PM
Catrope mentioned this in T399665: Restrict WebAuthn to hardware security keys only.Jul 16 2025, 4:53 PM
sbassett mentioned this in T399959: Assess and review existing tasks and patches related to supporting WE 4.6.2 2fa Multiple Authenticators work.Jul 18 2025, 2:19 PM
Catrope added a project: FY2025-26 WE4.6.2 Multiple Authenticators.Jul 18 2025, 5:40 PM
sbassett added a parent task: T399651: Separate recovery codes into a separate module.Jul 22 2025, 5:24 PM
Tgr added a parent task: T151738: OATH code field should show numeric keyboard on mobile devices.Jul 26 2025, 5:49 PM
Tgr mentioned this in T399651: Separate recovery codes into a separate module.Jul 31 2025, 1:51 PM
sbassett closed this task as a duplicate of T399651: Separate recovery codes into a separate module.Jul 31 2025, 2:42 PM
Tgr reopened this task as Open.Jul 31 2025, 4:48 PM
Tgr subscribed.

Let's do it in the other way, this has so many child/parent tasks, seems like a chore to move them.

Tgr renamed this task from Separate recovery codes into a separate MFA method to Separate recovery codes into a separate 2FA module.Jul 31 2025, 4:49 PM
Tgr merged a task: T399651: Separate recovery codes into a separate module.
Tgr edited parent tasks, added: T399644: FY2025-26 WE4.6.2 Multiple Authenticators; removed: T399651: Separate recovery codes into a separate module.
Tgr added subscribers: sbassett, Mstyles, TAdeleye_WMF.
Tgr added a comment.Jul 31 2025, 5:27 PM

So this needs:

  • a new 2FA module in OATHAuth
  • making the backup code part of the TOTP UI optional (both for setup and for verification)
  • some sort of workflow for ensuring that generating backup codes is still integrated with the TOTP setup flow (and presumably it would also integrate them with the WebAuthn setup flow)
  • a feature flag for switching from generating as part of TOTP setup to generating via this new workflow
  • a migration script that copies codes from existing TOTP records into separate DB rows, to be run once the feature flag was switched
Tgr mentioned this in T399654: Ensure Mobile Apps are supported with 2FA changes.Jul 31 2025, 7:28 PM
Tgr mentioned this in T158153: Consider changing recovery codes to use six digits.Aug 1 2025, 12:32 AM
Tgr added a comment.Aug 1 2025, 12:42 AM

Do we want to fix the recovery code part of T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB as part of this?

Tgr mentioned this in T399664: Expand 2FA Opt-In Privileges.Aug 1 2025, 9:25 AM
Tgr mentioned this in T399653: Inform users about recovery codes.Aug 1 2025, 4:00 PM
Catrope mentioned this in T401776: Display recovery codes when setting up the user's first 2FA method, regardless of type.Aug 13 2025, 5:24 AM
Catrope assigned this task to sbassett.Aug 19 2025, 4:13 PM
Catrope moved this task from Backlog to In Progress on the FY2025-26 WE4.6.2 Multiple Authenticators board.Aug 19 2025, 4:23 PM
Catrope added a subtask: T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB.Aug 19 2025, 4:29 PM
Catrope subscribed.Aug 19 2025, 9:43 PM
In T232336#11052658, @Tgr wrote:

Do we want to fix the recovery code part of T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB as part of this?

Yes, I think that's a good idea, that way the data only needs to be migrated once.

Mstyles closed subtask T242031: Allow multiple different 2FA devices as Resolved.Aug 20 2025, 6:56 PM
ReaperDawn subscribed.Aug 28 2025, 5:51 AM
gerritbot added a comment.Aug 29 2025, 12:08 AM

Change #1182964 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/OATHAuth@master] Separate recovery codes into a separate 2FA module

https://gerrit.wikimedia.org/r/1182964

gerritbot added a project: Patch-For-Review.Aug 29 2025, 12:08 AM
sbassett closed subtask T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB as Resolved.Sep 10 2025, 8:20 PM
Bugreporter mentioned this in T404268: Warn users before they delete their last 2FA key.Sep 11 2025, 7:45 AM
PatchDemoBot added a comment.Sep 12 2025, 3:47 PM

Test wiki created on Patch demo by SBassett (WMF) using patch(es) linked to this task:
https://b72e3e9d3e.catalyst.wmcloud.org/w/

gerritbot added a comment.Sep 12 2025, 6:03 PM

Change #1187874 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/WebAuthn@master] Define isSpecial() for WebAuthn module

https://gerrit.wikimedia.org/r/1187874

PatchDemoBot added a comment.Sep 15 2025, 2:36 PM

Test wiki on Patch demo by SBassett (WMF) using patch(es) linked to this task was deleted:

https://b72e3e9d3e.catalyst.wmcloud.org/w/

PatchDemoBot added a comment.Sep 15 2025, 3:03 PM

Test wiki created on Patch demo by SBassett (WMF) using patch(es) linked to this task:
https://74054e2b29.catalyst.wmcloud.org/w/

PatchDemoBot added a comment.Sep 15 2025, 3:26 PM

Test wiki on Patch demo by SBassett (WMF) using patch(es) linked to this task was deleted:

https://74054e2b29.catalyst.wmcloud.org/w/

gerritbot added a comment.Sep 15 2025, 5:14 PM

Change #1187874 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] Define isSpecial() for WebAuthn module

https://gerrit.wikimedia.org/r/1187874

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.19; 2025-09-16).Sep 15 2025, 6:01 PM
PatchDemoBot added a comment.Sep 15 2025, 7:01 PM

Test wiki created on Patch demo by SBassett (WMF) using patch(es) linked to this task:
https://a0f99dc0d8.catalyst.wmcloud.org/w/

PatchDemoBot added a comment.Sep 16 2025, 7:27 PM

Test wiki on Patch demo by SBassett (WMF) using patch(es) linked to this task was deleted:

https://a0f99dc0d8.catalyst.wmcloud.org/w/

sbassett added a project: user-sbassett.Sep 19 2025, 10:02 PM
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett mentioned this in T399649: Show enabled 2FA details on Special:AccountSecurity.Sep 19 2025, 10:12 PM
sbassett mentioned this in T399652: Allow Auth factors to be deleted easily.
gerritbot added a comment.Sep 24 2025, 9:53 PM

Change #1191180 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/WebAuthn@master] Add Recovery Codes support to WebAuthn add key page

https://gerrit.wikimedia.org/r/1191180

gerritbot added a comment.Sep 25 2025, 12:57 PM

Change #1191390 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Add maintenance script to migrate recovery tokens to their own device

https://gerrit.wikimedia.org/r/1191390

Reedy mentioned this in T405870: Inconsistencies in layout etc in WebAuthn vs TOTP enabling.Sep 29 2025, 8:02 AM
Reedy mentioned this in T405872: Tell users disabling last 2FA removes recovery codes.Sep 29 2025, 8:05 AM
Reedy mentioned this in T405873: Recovery options doesn't show existing Recovery Codes.Sep 29 2025, 8:11 AM
dom_walden mentioned this in T406108: Incorrect recovery code shown when adding authenticator app as first 2FA method.Oct 1 2025, 9:28 AM
gerritbot added a comment.Oct 3 2025, 7:19 PM

Change #1182964 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Separate recovery codes into a separate 2FA module

https://gerrit.wikimedia.org/r/1182964

gerritbot added a comment.Oct 3 2025, 7:23 PM

Change #1191180 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] Add Recovery Codes support to WebAuthn add key page

https://gerrit.wikimedia.org/r/1191180

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.22; 2025-10-07); removed MW-1.45-notes (1.45.0-wmf.19; 2025-09-16).Oct 3 2025, 8:00 PM
Reedy mentioned this in T406385: Disabling last 2FA suggests you still have a 2FA device left enabled.Oct 3 2025, 8:09 PM
sbassett closed this task as Resolved.Oct 3 2025, 8:38 PM
sbassett moved this task from In Progress to Done on the FY2025-26 WE4.6.2 Multiple Authenticators board.
sbassett removed a project: Patch-For-Review.
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett mentioned this in T150601: Add option to generate new set of recovery codes.Oct 3 2025, 8:50 PM
TheDJ added a comment.Oct 6 2025, 2:03 PM

Just noting here that @Tgr made some additional review comments on change https://gerrit.wikimedia.org/r/1182964 after the merge

sbassett added a comment.Oct 6 2025, 3:15 PM
In T232336#11246216, @TheDJ wrote:

Just noting here that @Tgr made some additional review comments on change https://gerrit.wikimedia.org/r/1182964 after the merge

Thanks. There are going to be several cleanup-related tasks for this work that we hope to resolve within the near future, largely due to the clunky, dual-state of handling older TOTP-attached scratch tokens and the newer recovery codes. Eventually, we plan to migrate all Wikimedia project users with existing TOTP/scratch tokens to TOTP and separate recovery codes. Anyhow, I'll file a separate bug now to track the handful of recommendations @Tgr made on the change set.

sbassett mentioned this in T406501: OATHAuth Recovery Code code improvement suggestions.Oct 6 2025, 3:37 PM
Reedy mentioned this in T406953: Don't save scratch_tokens if empty array (like they are on new TOTP rows).Oct 10 2025, 12:21 AM
Stang unsubscribed.Oct 14 2025, 1:22 PM
gerritbot added a comment.Oct 22 2025, 10:06 PM

Change #1191390 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Add maintenance script to migrate recovery tokens to their own device

https://gerrit.wikimedia.org/r/1191390

gerritbot added a comment.Oct 22 2025, 10:07 PM

Change #1198162 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.24] Add maintenance script to migrate recovery tokens to their own device

https://gerrit.wikimedia.org/r/1198162

gerritbot added a project: Patch-For-Review.Oct 22 2025, 10:07 PM

Change #1198163 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.23] Add maintenance script to migrate recovery tokens to their own device

https://gerrit.wikimedia.org/r/1198163

gerritbot added a comment.Oct 22 2025, 10:15 PM

Change #1198162 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.24] Add maintenance script to migrate recovery tokens to their own device

https://gerrit.wikimedia.org/r/1198162

gerritbot added a comment.Oct 22 2025, 10:15 PM

Change #1198163 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.23] Add maintenance script to migrate recovery tokens to their own device

https://gerrit.wikimedia.org/r/1198163

Maintenance_bot removed a project: Patch-For-Review.Oct 22 2025, 10:31 PM
ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.25; 2025-10-28); removed MW-1.45-notes (1.45.0-wmf.22; 2025-10-07).Oct 22 2025, 11:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits