Page MenuHomePhabricator

Authentication changes
Open, Needs TriagePublic

Description

Instructions

  1. Define the problem or opportunity (WHAT).
  2. Outline the importance of addressing the problem or opportunity (WHY).

What?

Write your problem statement using layperson's terminology.
In one sentence, what is the problem or opportunity?

Netflix Problem Statement Example: Going to the video store requires fighting traffic, wandering the aisles, and waiting in long lines just to get a single movie.

  • We must begin addressing long running technical debt for key security-enabling capabilities such as authentication, authorization, and countermeasures against attacks on our platform.
  • Current authentication model lacks key capabilities and is something of a barrier to modern product development

What does the future look like if this is achieved?

  • This is part 1 of a few parts to help identify and mature security capabilities and countermeasures on our platform. If we are able to do this we will be able to deploy a suite of security features and countermeasures and maintain as you would any other product.
  • Ideally, we would be able to bake in best practice authentication capabilities and features, have centralized management for credentialing, maintenance, logging and response.

What happens if we do nothing?

  • Right now we have real issues with how authentication will work with our api gateway, and across various other projects. We need to fix this so these and other projects can progress. If we do nothing these projects, and other projects will need to re-invent the wheel to be successful

Why?

Identify the value(s) this problem/opportunity provides. Add links to relevant OKRs.
Rank values in order of importance and be explicit about who this benefits and where the value is.

User Value/Organization Value AND Objective it supports and How
As our movement, platform, and product evolve and expand, our security and privacy capabilities need to not only keep pace but become more resilient, scalable, and progressive. To that end, and in alignment with our movement strategy and the following areas:

Safety & Security
Resilience
Improving User Experience
Improving Community Health

These are collaborative, cross-departmental efforts with Security, Privacy, Product, Legal, Trust & Safety, and Human Rights teams who are all seeking to collaborate on a long running initiative to improve Foundation and enhance security and privacy capabilities over the next two years.

As the reach of the free knowledge movement expands, so will our threats, risks, and vulnerabilities. We will face and need to adapt to new and challenging adversaries. Our ability to provide and scale robust security and privacy solutions is critical to ensuring a safe and equitable space for free knowledge to thrive. For us to be able to reach our objectives, we will need to provide secure and private spaces to consume and contribute knowledge, equitable access to these spaces, and protection for individuals participating in the movement.

We must begin addressing long running technical debt for key security-enabling capabilities such as authentication, authorization, and countermeasures against attacks on our platform. We will need to expand our ability to create, share, and consume intelligence on threats targeting our users and platform, and work collectively to protect our platform and the movement. For example:Our CAPTCHA actively hinders contributors who are visually impaired or use non-latin scripts, while being better at keeping good faith humans out than malign spam bots;
Our 2FA has severe technical limitations that restrict its deployment to administrative roles in the community regardless of risks users face, while also requiring a heavy technical setup that make it unaffordable for low connectivity areas—especially in emerging markets;
Sensitive technical developer accounts, with access to personal information across the platform that can do irreversible harm, do not have even basic 2FA protection; and
The underlying authentication infrastructure is a barrier for modern product development across Foundation priorities.

Why are you bringing this decision to the Technical Forum?
What about the scope of this problem led you and your team to seek input across departments/organizations?

  • Struggles with solving authentication/authorization problems across various projects, and loads of various security incidents, lack of mature capabilities.
  • -

Event Timeline

JBennett renamed this task from {Name the Problem/Opportunity} to Authentication changes.Mar 24 2022, 1:27 PM

@JBennett: This sounds related to (non-public) T297791. Should they be connected (subtask/parent task, or such)?

@JBennett: This sounds related to (non-public) T297791. Should they be connected (subtask/parent task, or such)?

As a side comment: does that task need to be restricted?

This feels a bit like its lacking a problem statement. The task description is so vauge it basically amounts to "we need to do the thingy because we need to do the thingy"

@TAdeleye_WMF: Is there still sense in keeping this ticket open and assigned to you, or can this be closed as resolved/invalid?