Page MenuHomePhabricator
Create Task
Maniphest T243247

Need to force users to reset their phabricator TOTP auth factor
Closed, ResolvedPublicSecurity
Actions

Assigned To
mmodell
Authored By
mmodell
Jan 20 2020, 10:01 PM
Tags
Referenced Files
F31520084: Screenshot from 2020-01-21 15-23-52.png
Jan 21 2020, 9:26 PM
F31520077: Screenshot from 2020-01-21 15-17-07.png
Jan 21 2020, 9:26 PM
F31518554: Screenshot from 2020-01-20 15-55-32.png
Jan 20 2020, 10:01 PM
Subscribers
Aklapper
akosiaris
ArielGlenn
chasemp
Dsharpe
greg
Jcross
View All 11 Subscribers

Description

For users who have multifactor auth set up prior to August of 2019, we need to force them to create a new auth factor / delete the old one.

To do this, the proposal is to redirect them to the settings page and provide instructions on how reset their second factor.

When an affected user logs in, I've modified the multifactor prompt to display a warning:

Screenshot from 2020-01-21 15-23-52.png (616×1 px, 46 KB)

After completing the TOTP prompt, the user will be redirected to the multifactor configuration settings UI, which should look something like this:

Screenshot from 2020-01-21 15-17-07.png (632×1 px, 88 KB)

Details

Author Affiliation
WMF Technology Dept

Event Timeline

mmodell created this task.Jan 20 2020, 10:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 20 2020, 10:01 PM
Urbanecm subscribed.Jan 20 2020, 10:07 PM

Why do we need that, if I may ask?

MarcoAurelio subscribed.EditedJan 20 2020, 10:11 PM
In T243247#5818220, @Urbanecm wrote:

Why do we need that, if I may ask?

@Urbanecm I suspect it's related to [[ https://lists.wikimedia.org/pipermail/wikitech-l/2020-January/092960.html | [Wikitech-l] 14 January 2020 security incident on Phabricator ]] & Blog Post: 14 January 2020 security incident on Phabricator.

@mmodell Is disabling and enabling MFA enough? If so, I can do it now instead of waiting for the workarounds, etc. Thanks.

Dsharpe added a comment.Jan 20 2020, 10:32 PM

@MarcoAurelio Yes, you can do it on your own manually. The best way seems to be to first create a third auth factor in Phab, then delete the old one in Phab. If you leave both there, you will have 3FA and have to use both until the old one is removed. And please don't remove anything from your phone's authenticator app until you after are done in Phab.

And yes, this is being done as a purely precautionary measure related to the Wikitech-l message referenced above and the associated blog post .

MarcoAurelio added a comment.Jan 20 2020, 10:51 PM
This comment was removed by MarcoAurelio.
greg assigned this task to mmodell.Jan 21 2020, 4:51 PM
greg triaged this task as High priority.
greg added projects: Release-Engineering-Team-TODO (2020-01 to 2020-03 (Q3)), Release-Engineering-Team (Development services).
mmodell updated the task description. (Show Details)Jan 21 2020, 9:26 PM
mmodell added a comment.Jan 21 2020, 9:34 PM

Ok so I've got everything ready to deploy. Should I request a dedicated deployment window for this?

Dsharpe added a comment.Jan 22 2020, 1:56 AM

I would suggest stepping around/over All Hands, in case anything goes wrong.

chasemp moved this task from Incoming to Watching on the Security-Team board.Jan 22 2020, 4:43 PM
mmodell added a comment.Jan 22 2020, 6:10 PM

@Dsharpe I was planning to deploy this today along with a lot of other stuff that's been backing up in my undeployed queue. Do you really think it should wait for ~2 weeks?

mmodell added a project: Phabricator.Jan 22 2020, 6:11 PM
Dsharpe added a comment.Jan 22 2020, 6:14 PM

Your planned schedule is far better. I just didn't want to rush anyone.

mmodell moved this task from INBOX to New Work on the Release-Engineering-Team-TODO (2020-01 to 2020-03 (Q3)) board.Jan 22 2020, 6:17 PM
mmodell closed this task as Resolved by committing rPHAB2785d6a8b210: WMF Hack: Prompt to replace auth factors from before August 2019.Jan 23 2020, 1:10 AM
mmodell changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 23 2020, 4:53 PM
mmodell changed the edit policy from "Custom Policy" to "All Users".
mmodell edited projects, added Phabricator (2020-01-23); removed Phabricator.Jan 23 2020, 5:06 PM
Tgr subscribed.Jan 24 2020, 5:45 PM

Should the affected accounts be logged out? Phab sessions are long-lived so a login change might not have much immediate effect otherwise.

chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL