Need to force users to reset their phabricator TOTP auth factor
Closed, Resolved · Public · Security

Description

For users who have multifactor auth set up prior to August of 2019, we need to force them to create a new auth factor / delete the old one.

To do this, the proposal is to redirect them to the settings page and provide instructions on how to reset their second factor.

When an affected user logs in, I've modified the multifactor prompt to display a warning:

After completing the TOTP prompt, the user will be redirected to the multifactor configuration settings UI, which should look something like this:

Details

Author Affiliation
WMF Technology Dept

Event Timeline

mmodell created this task. Mon, Jan 20, 10:01 PM
Restricted Application added a subscriber: Aklapper. Mon, Jan 20, 10:01 PM

Why do we need that, if I may ask?

Why do we need that, if I may ask?

@Urbanecm I suspect it's related to [Wikitech-l] 14 January 2020 security incident on Phabricator & Blog Post: 14 January 2020 security incident on Phabricator.

@mmodell Is disabling and enabling MFA enough? If so, I can do it now instead of waiting for the workarounds, etc. Thanks.

@MarcoAurelio Yes, you can do it on your own manually. The best way seems to be to first create a third auth factor in Phab, then delete the old one in Phab. If you leave both there, you will have 3FA and have to use both until the old one is removed. And please don't remove anything from your phone's authenticator app until after you are done in Phab.

And yes, this is being done as a purely precautionary measure related to the Wikitech-l message referenced above and the associated blog post.

This comment was removed by MarcoAurelio.
mmodell updated the task description. Tue, Jan 21, 9:26 PM

Ok so I've got everything ready to deploy. Should I request a dedicated deployment window for this?

I would suggest stepping around/over All Hands, in case anything goes wrong.

chasemp moved this task from Incoming to Watching on the Security-Team board. Wed, Jan 22, 4:43 PM

@Dsharpe I was planning to deploy this today along with a lot of other stuff that's been backing up in my undeployed queue. Do you really think it should wait for ~2 weeks?

Your planned schedule is far better. I just didn't want to rush anyone.

mmodell changed the visibility from "Custom Policy" to "Public (No Login Required)". Thu, Jan 23, 4:53 PM
mmodell changed the edit policy from "Custom Policy" to "All Users".
Tgr added a subscriber: Tgr. Fri, Jan 24, 5:45 PM

Should the affected accounts be logged out? Phab sessions are long-lived so a login change might not have much immediate effect otherwise.