
Add new notifications for additional 2FA being enabled/disabled
Open, Needs Triage, Public

Description

We currently have notifications for 2FA being enabled/disabled, but we should have distinct notifications for when 2FA is already enabled, and another 2FA method is enabled. Possibly telling the user how many different ones are enabled.

Similarly, when one is disabled (but there's still >1 enabled), show a notification to let the user know that a specific method has been disabled.

Following on the multi factor work, and similar to T404268: Warn users before they delete their last 2FA key; we should probably push the user a notification if they continue to disable the last 2FA, rather than just a popup during that workflow.

Event Timeline

Restricted Application added a subscriber: Aklapper.
Reedy renamed this task from Add new notifications for additional 2FA to Add new notifications for additional 2FA being enabled/disabled. Dec 22 2023, 6:05 PM
Reedy moved this task from Backlog to External on the Notifications (Echo) board.

Change 985617 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/extensions/OATHAuth@master] notifications: Store number of keys in notification data

https://gerrit.wikimedia.org/r/985617

Change 985618 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/extensions/OATHAuth@master] notifications: Show number of remaining devices

https://gerrit.wikimedia.org/r/985618

Change 985617 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] notifications: Store number of keys in notification data

https://gerrit.wikimedia.org/r/985617

Change 985618 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] notifications: Show number of remaining devices

https://gerrit.wikimedia.org/r/985618

I think all that's left on this one is when an "extra" device has been set up, and improving the wording/display for those in a similar way to how the disable ones have been done.

taavi removed taavi as the assignee of this task. Apr 21 2025, 10:54 AM
taavi subscribed.
Mstyles subscribed.

The current notifications are a good start and it looks like the current code will support email notifications for more than one authenticator. We will probably want the email notifications to be a bit more detailed about what authentication methods were enabled/disabled and possibly other kinds of notifications too.

The current notifications are:

When 2FA is enabled (user creates their first 2FA key):

Two-factor authentication has been enabled on {{GENDER:$2|your account}}.
If {{GENDER:$2|you}} did not do this, {{GENDER:$2|your account}} may have been compromised.

When an additional 2FA key is added: no notification is currently sent

When the user removes their last 2FA method:

Two-factor authentication has been disabled on {{GENDER:$2|your account}}.
If {{GENDER:$2|you}} did not do this, {{GENDER:$2|your account}} may have been compromised.

When an admin removes the user's last 2FA method for them:

Two-factor authentication has been disabled on {{GENDER:$2|your account}}.
If {{GENDER:$2|you}} did not request this, {{GENDER:$2|you}} should contact an administrator.

When the user removes a 2FA method, but it's not the last one:

A two-factor authentication device has been removed from {{GENDER:$2|your account}}.
If {{GENDER:$2|you}} did not do this, {{GENDER:$2|your account}} may have been compromised. There still {{PLURAL:$3|is an additional device|are $3 additional devices}} active on {{GENDER:$2|your account}}.

When an admin does that for them:

A two-factor authentication device has been removed from {{GENDER:$2|your account}}.
If {{GENDER:$2|you}} did not request this, {{GENDER:$2|you}} should contact an administrator. There still {{PLURAL:$3|is an additional device|are $3 additional devices}} active on {{GENDER:$2|your account}}.
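As an added illustration (not code from OATHAuth, and not written by anyone on this task), the notification matrix listed in the comment above, together with the gap the task description calls out (an extra key added while 2FA is already enabled), expressed as a small Python selection-and-rendering routine. The message key names, the `select_message`, `render` and `notify` function names, and the English-only GENDER/PLURAL rules are assumptions of this example; the wording of the five templates is copied from the comment above.

```python
import re
from typing import Optional

# Message catalogue built from the wording quoted in the task. The key names
# are constructed for this example and are not OATHAuth's real message keys.
MESSAGES = {
    "enabled": (
        "Two-factor authentication has been enabled on {{GENDER:$2|your account}}. "
        "If {{GENDER:$2|you}} did not do this, {{GENDER:$2|your account}} may have been compromised."
    ),
    "disabled-self": (
        "Two-factor authentication has been disabled on {{GENDER:$2|your account}}. "
        "If {{GENDER:$2|you}} did not do this, {{GENDER:$2|your account}} may have been compromised."
    ),
    "disabled-admin": (
        "Two-factor authentication has been disabled on {{GENDER:$2|your account}}. "
        "If {{GENDER:$2|you}} did not request this, {{GENDER:$2|you}} should contact an administrator."
    ),
    "device-removed-self": (
        "A two-factor authentication device has been removed from {{GENDER:$2|your account}}. "
        "If {{GENDER:$2|you}} did not do this, {{GENDER:$2|your account}} may have been compromised. "
        "There still {{PLURAL:$3|is an additional device|are $3 additional devices}} "
        "active on {{GENDER:$2|your account}}."
    ),
    "device-removed-admin": (
        "A two-factor authentication device has been removed from {{GENDER:$2|your account}}. "
        "If {{GENDER:$2|you}} did not request this, {{GENDER:$2|you}} should contact an administrator. "
        "There still {{PLURAL:$3|is an additional device|are $3 additional devices}} "
        "active on {{GENDER:$2|your account}}."
    ),
}

# Matches {{GENDER:$n|...}} and {{PLURAL:$n|...}}; bodies never nest braces here.
MAGIC = re.compile(r"\{\{(GENDER|PLURAL):\$(\d+)\|([^{}]*)\}\}")


def select_message(action: str, by_admin: bool, keys_after: int) -> Optional[str]:
    """Map a 2FA key change to a message key, or None when nothing is sent.

    action     -- "add" or "remove"
    by_admin   -- True when an administrator made the change for the user
    keys_after -- number of 2FA keys on the account once the change is applied
    """
    if action == "add":
        # Only the first key triggers a notification today. An extra key
        # (keys_after > 1) sends nothing; that silence is the gap this task
        # asks to close with a distinct notification.
        return "enabled" if keys_after == 1 else None
    if action == "remove":
        if keys_after == 0:
            return "disabled-admin" if by_admin else "disabled-self"
        return "device-removed-admin" if by_admin else "device-removed-self"
    raise ValueError(f"unknown action {action!r}")


def render(template: str, params: dict, gender: str = "unknown") -> str:
    """Expand GENDER and PLURAL (English rules, as assumed here) and substitute $n.

    GENDER forms are male|female|neutral; a single form applies to everyone.
    PLURAL picks the first form when the number is exactly 1, otherwise the last.
    """
    def expand(m: re.Match) -> str:
        word, idx, body = m.group(1), int(m.group(2)), m.group(3)
        forms = body.split("|")
        if word == "GENDER":
            pos = {"male": 0, "female": 1}.get(gender, 2)
            return forms[min(pos, len(forms) - 1)]
        n = int(params[idx])
        return forms[0] if n == 1 else forms[-1]

    text = MAGIC.sub(expand, template)
    # Substitute numbered parameters last so a "$3" inside a PLURAL form resolves too.
    return re.sub(r"\$(\d+)",
                  lambda m: str(params.get(int(m.group(1)), m.group(0))), text)


def notify(action: str, by_admin: bool, keys_after: int,
           username: str, gender: str = "unknown") -> Optional[str]:
    """Return the rendered notification text for a key change, or None."""
    key = select_message(action, by_admin, keys_after)
    if key is None:
        return None
    # $2 is the user the message is about (drives GENDER); $3 is the remaining count.
    return render(MESSAGES[key], {2: username, 3: keys_after}, gender)


if __name__ == "__main__":
    # Constructed sample events, one per row of the matrix above.
    for event in [("add", False, 1), ("add", False, 2), ("remove", False, 1),
                  ("remove", True, 2), ("remove", False, 0), ("remove", True, 0)]:
        print(event, "->", notify(*event, username="Alice"))
```

`select_message` returning `None` for an "add" that leaves more than one key is the exact behaviour the comment above records as "no notification is currently sent"; a distinct message for that row is what the task proposes. Parameters are substituted only after the magic words are expanded, which is why the `$3` embedded in the plural form ends up as the remaining-device count rather than being left verbatim.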