Page MenuHomePhabricator
Create Task
Maniphest T301992

Insert CheckUser row events during certain 2FA actions
Open, In Progress, MediumPublic
Actions

Description

It seems it could be beneficial having OATHAuth logging to CheckUser (if installed) during certain 2FA events:

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Log successful 2FA verification attempts to CheckUsermediawiki/extensions/OATHAuthmaster+120 -0
Log failed 2FA verification in CheckUsermediawiki/extensions/OATHAuthmaster+144 -7
Log self-enable of 2FA to CheckUsermediawiki/extensions/OATHAuthmaster+60 -0
Log self-disable of 2FA to CheckUsermediawiki/extensions/OATHAuthmaster+97 -0
Send log entries to CheckUsermediawiki/extensions/OATHAuthmaster+14 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Reedy created this task.Feb 17 2022, 3:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 17 2022, 3:03 PM
Legoktm subscribed.Feb 18 2022, 7:21 AM

We don't log stuff like password change or email change to CU do we? I think 2FA should be at the same level of those. The only exception IMO is when someone else removes 2FA via the special page, where we add a log entry. I'll submit a patch for that in a few minutes.

I do think we should have MW debug logs for all the cases you mentioned with CU-like data if it's not already in place.

Legoktm added a comment.Feb 18 2022, 7:35 AM

Screenshot 2022-02-17 at 23-34-41 Check user - Trunk Test.png (114×1 px, 31 KB)

gerritbot added a comment.Feb 18 2022, 7:36 AM

Change 763654 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/extensions/OATHAuth@master] Send log entries to CheckUser

https://gerrit.wikimedia.org/r/763654

gerritbot added a project: Patch-For-Review.Feb 18 2022, 7:36 AM
Reedy added a comment.Feb 18 2022, 10:15 AM
In T301992#7720442, @Legoktm wrote:

We don't log stuff like password change or email change to CU do we? I think 2FA should be at the same level of those. The only exception IMO is when someone else removes 2FA via the special page, where we add a log entry. I'll submit a patch for that in a few minutes.

I do think we should have MW debug logs for all the cases you mentioned with CU-like data if it's not already in place.

I wonder if we should just be improving this sort of logging more generally. Maybe a bigger discussion to be had...

taavi subscribed.Feb 18 2022, 10:18 AM
Legoktm added a comment.Feb 19 2022, 6:50 AM

CUs/stews often look into account compromises, so I think it is somewhat reasonable to do so, but like Majavah said on the Gerrit patch, that is a shift from what we currently do.

If we are considering all auth-stuff, I think we should have a "account security events" log like other sites do, that track when you changed your password, email, etc. and shows it to you so you can audit your own account security. I think a framework like that belongs in core (something something E:AccountInfo!). And if we had that, I think it would be reasonable to allow trusted users including possibly CheckUsers to access it, but I don't think mixing it all in with CU makes sense.

TheresNoTime subscribed.Mar 3 2022, 12:25 AM
Zabe subscribed.Jun 19 2022, 9:26 AM
Dreamy_Jazz triaged this task as Medium priority.Jan 31 2023, 12:00 AM
Dreamy_Jazz added a subtask: T324907: Create separate tables for log events in CheckUser.Feb 16 2023, 8:35 PM
Dreamy_Jazz subscribed.EditedFeb 16 2023, 8:46 PM

Having looked at this my thoughts are:

  • There is concern about showing entries from the hidden log to users with checkuser rights
  • Having the IP, XFF and user agent associated with this log entry in Special:CheckUser is useful for compromise investigations. While the server logs can be inspected this requires someone with that right to do so which may take too long in a case of an urgent compromise check.

I agree that this would be good to have stored in the CheckUser table. One solution to the issue of showing the entries is by hiding the actiontext associated with the hidden log entry unless the user has the right to view the log. This can be done once migration in T324907 is stably set to read new as entries detailed in the task description would go into cu_log_event and store the associated logging table ID. CheckUser can then inspect the log entry to find out whether it can show it, displaying everything but the action text to the checkuser with some description about the entry being hidden because they need a right. The CheckUser can then pass the log ID that would be shown to a user with the right so they can see what the event was.

This method of hiding the actiontext for protected logs when the user does not have the right could be applied to many other actions, including the suppress log. The CheckUser would not be able to see what the log item was and only that they don't have the right to view it.

gerritbot added a comment.Jul 7 2024, 1:48 PM

Change #763654 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Send log entries to CheckUser

https://gerrit.wikimedia.org/r/763654

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.13; 2024-07-09).Jul 7 2024, 2:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 8:46 PM
Dreamy_Jazz closed subtask T324907: Create separate tables for log events in CheckUser as Resolved.Jul 24 2024, 4:44 PM
TheDJ subscribed.Feb 24 2025, 3:49 PM

If I understand correctly, the only thing we are not logging listed in the description now is enrollment right ? Do we want to close this ticket, split that off, or are we good with the current state ?

Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptFeb 24 2025, 3:49 PM
Dreamy_Jazz added a comment.EditedFeb 24 2025, 3:56 PM
In T301992#10575558, @TheDJ wrote:

If I understand correctly, the only thing we are not logging listed in the description now is enrollment right ? Do we want to close this ticket, split that off, or are we good with the current state ?

AFAIK we are currently missing:

  • Failed 2FA login attempts
  • Enrolment into 2FA

As to whether we want to split the ticket, I'm happy either way. I think we probably still want to log failed 2FA attempts to CheckUser, given that failed attempts to verify 2FA might indicate attempted account breaches where the password is known. Currently (AFAICS) the CheckUser data would only log a generic failed to login attempt, which wouldn't indicate the password used was correct (AFAIK).

Enrolment into 2FA seems less useful to log, as long as the enrolment was performed by the user themselves.

TheDJ mentioned this in T387245: Insert CheckUser row events for failed 2FA logins.Feb 25 2025, 9:05 PM
TheDJ added a comment.EditedFeb 25 2025, 9:10 PM

I think it is good to split out tickets whenever delivered functionality is spread over multiple MW releases (we probably don't do enough of that), so i made a separate ticket.

I agree enrollment is less useful indeed. However I think I have heard of attacks outside wikimedia where attackers enabled 2FA after takeover of an account. But i'm pretty sure other signals are more important and a better indication.

Dreamy_Jazz added a comment.EditedFeb 26 2025, 10:36 AM
In T301992#10580706, @TheDJ wrote:

I agree enrollment is less useful indeed. However I think I have heard of attacks outside wikimedia where attackers enabled 2FA after takeover of an account. But i'm pretty sure other signals are more important and a better indication.

If you think enrolment should be logged, then if you could file a task for it? Then we can close this out (as you have suggested).

Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.Apr 10 2025, 3:17 PM
Novem_Linguae subscribed.Apr 11 2025, 5:12 AM
Novem_Linguae updated the task description. (Show Details)Apr 11 2025, 5:16 AM
Tgr edited subtasks, added: T387245: Insert CheckUser row events for failed 2FA logins; removed: T324907: Create separate tables for log events in CheckUser.Aug 1 2025, 12:56 AM
Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Sep 17 2025, 9:31 AM
kostajh subscribed.Fri, Jan 23, 11:25 AM

We don't seem to show in the "login" action if 2FA was used.

kostajh updated the task description. (Show Details)Fri, Jan 23, 11:25 AM
Dreamy_Jazz updated the task description. (Show Details)Fri, Jan 23, 1:54 PM
Catrope assigned this task to mmartorana.Tue, Jan 27, 1:13 AM
mmartorana changed the task status from Open to In Progress.Tue, Jan 27, 4:02 PM
mmartorana updated the task description. (Show Details)Tue, Feb 3, 4:24 PM
mmartorana updated the task description. (Show Details)Tue, Feb 3, 4:32 PM
gerritbot added a comment.Tue, Feb 3, 5:30 PM

Change #1236343 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[mediawiki/extensions/OATHAuth@master] Add logging for self-disabling 2FA

https://gerrit.wikimedia.org/r/1236343

gerritbot added a project: Patch-For-Review.Tue, Feb 3, 5:30 PM
gerritbot added a comment.Wed, Feb 4, 8:46 PM

Change #1236343 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Log self-disable of 2FA to CheckUser

https://gerrit.wikimedia.org/r/1236343

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.15; 2026-02-10).Wed, Feb 4, 9:00 PM
Maintenance_bot removed a project: Patch-For-Review.Wed, Feb 4, 9:31 PM
mmartorana updated the task description. (Show Details)Thu, Feb 5, 2:48 PM
mmartorana added a project: Security-Team.Thu, Feb 5, 5:56 PM
mmartorana moved this task from Incoming to In Progress on the Security-Team board.
gerritbot added a comment.Thu, Feb 5, 6:57 PM

Change #1237297 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[mediawiki/extensions/OATHAuth@master] Log self-enable of 2FA to CheckUser

https://gerrit.wikimedia.org/r/1237297

gerritbot added a project: Patch-For-Review.Thu, Feb 5, 6:57 PM
gerritbot added a comment.Thu, Feb 5, 9:29 PM

Change #1237297 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Log self-enable of 2FA to CheckUser

https://gerrit.wikimedia.org/r/1237297

Maintenance_bot removed a project: Patch-For-Review.Thu, Feb 5, 9:30 PM
mmartorana updated the task description. (Show Details)Fri, Feb 6, 2:44 PM
gerritbot added a comment.Fri, Feb 6, 5:20 PM

Change #1237538 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[mediawiki/extensions/OATHAuth@master] Log failed 2FA verification in CheckUser

https://gerrit.wikimedia.org/r/1237538

gerritbot added a project: Patch-For-Review.Fri, Feb 6, 5:20 PM
gerritbot added a comment.Tue, Feb 10, 6:48 PM

Change #1237538 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Log failed 2FA verification in CheckUser

https://gerrit.wikimedia.org/r/1237538

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.16; 2026-02-17); removed MW-1.46-notes (1.46.0-wmf.15; 2026-02-10).Tue, Feb 10, 7:00 PM
mmartorana updated the task description. (Show Details)Tue, Feb 10, 7:04 PM
Maintenance_bot removed a project: Patch-For-Review.Tue, Feb 10, 7:30 PM
gerritbot added a comment.Wed, Feb 11, 5:49 PM

Change #1238788 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[mediawiki/extensions/OATHAuth@master] Log successful 2FA verification attempts to CheckUser

https://gerrit.wikimedia.org/r/1238788

gerritbot added a project: Patch-For-Review.Wed, Feb 11, 5:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits