
Notify WebAuthn users about SUL3 changes
Closed, Resolved (Public)

Description

With T384153: SUL3 Phase 3: All existing user login on group 0 and group 1 wikis we are starting to roll out the SUL3 login page, which is on a different domain than the SUL2 login page, which means WebAuthn keys don't work anymore. Since WebAuthn is poorly supported (see T376021: Migrate WebAuthn on Wikimedia wikis to central domain) and only used by a handful of people, and building a migration process would have been a fair amount of work, we'll just notify the affected users directly.

Event Timeline

Per

select gu_name, gu_email from globaluser where gu_id in (select oad_user from oathauth_devices where oad_type = (select oat_id from oathauth_types where oat_name = 'webauthn'));

there are 84 users with WebAuthn enabled, 79 of them have an email address set. Of the remaining five, one account has (test) in the name; one has zero edits total, two have single-digit edits, one has double-digit edits, one has triple-digit edits. All of them have been inactive for half a year at least, some for several years. I think it's OK to ignore those five accounts and email the ones who have an email address set with instructions on how to switch to the central domain.
(But we'll need to undo T378402: Disallow setting up new WebAuthn passkeys on Wikimedia wikis for that to be possible.)

Change #1128403 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Revert "Disable new WebAuthn credentials creation"

https://gerrit.wikimedia.org/r/1128403

Change #1128403 merged by jenkins-bot:

[operations/mediawiki-config@master] Revert "Disable new WebAuthn credentials creation"

https://gerrit.wikimedia.org/r/1128403

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:06:22Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1128403|Revert "Disable new WebAuthn credentials creation" (T378402 T389064)]], [[gerrit:1128032|sqwiktionary: update logo, wordmark, tagline and icon (T342172)]], [[gerrit:1126533|Growth: eswiki+cswiki - enable new way of refreshing LinkRecommendations (T386250)]]

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:10:17Z] <tgr@deploy2002> tgr, migr, anzx: Backport for [[gerrit:1128403|Revert "Disable new WebAuthn credentials creation" (T378402 T389064)]], [[gerrit:1128032|sqwiktionary: update logo, wordmark, tagline and icon (T342172)]], [[gerrit:1126533|Growth: eswiki+cswiki - enable new way of refreshing LinkRecommendations (T386250)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2025-03-17T13:19:49Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1128403|Revert "Disable new WebAuthn credentials creation" (T378402 T389064)]], [[gerrit:1128032|sqwiktionary: update logo, wordmark, tagline and icon (T342172)]], [[gerrit:1126533|Growth: eswiki+cswiki - enable new way of refreshing LinkRecommendations (T386250)]] (duration: 13m 27s)

Message to be sent out (see T389064#10676651 for a correction):

Action needed to keep your Wikimedia WebAuthn login working
Hi! You are receiving this message because you are one of the few people using WebAuthn (two-factor login via a hardware key or smartphone or certain operating system features) for authentication on Wikimedia websites.

Wikimedia wikis are switching to a unified login domain (auth.wikimedia.org). WebAuthn passkeys are bound to a specific domain and become invalid once you have to log in via a different domain. WebAuthn isn't fully supported on Wikimedia wikis, the number of people using it is tiny, and building a migration workflow would have been a considerable amount of work, so we are just asking everyone to manually replace or remove WebAuthn passkeys.

(This email is somewhat late - we started switching wikis to use the new login domain a week ago, and you should have been notified then, but due to some unexpected issues with how WebAuthn worked on the new domain, this has been delayed. I apologize for any inconvenience this might have caused.)

== Instructions for logging in with your old WebAuthn passkey ==

If your wiki user account uses WebAuthn and you need to log in, you can log in as follows:

* Visit the wiki where you normally log in.
* Get the web address of the login page, e.g. by right-clicking "Log in" in the top right corner of the page and choosing "Copy link address" or similar.
* Append `&usesul3=0` to the copied address, and use this address to log in.

For example, on English Wikipedia, you might use https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Main+Page&usesul3=0 to log in.

== Instructions for removing your old WebAuthn passkey ==

* Visit the user preferences page on the wiki where you normally log in.
* Click "Manage" next to "Two-factor authentication: Web Authentication (WebAuthn)"
* Click "Disable" next to "Web Authentication (WebAuthn)"
* Click "Confirm and continue"
* Perform the second-factor check (e.g. insert the hardware key, or tap your mobile phone)

== Instructions for adding a new passkey on the new, central authentication domain ==

Once you have removed your old passkey, you can add a new one that is for the central domain as follows:

* Visit https://auth.wikimedia.org/metawiki/wiki/Special:Manage_Two-factor_authentication
* You will probably need to log in again
* Click "Enable" next to "Web Authentication (WebAuthn)"
* Enter a nickname for the new passkey
* Follow your browser's instructions for selecting and using an authentication device

== Instructions for logging in with your new WebAuthn passkey ==

We are rolling out the use of the new domain gradually, so depending on various factors, you might or might not get the central auth.wikimedia.org domain when you try to log in. Your new passkey will only work on this domain. To ensure you always get the new domain:

* Visit the wiki where you normally log in.
* Get the web address of the login page, e.g. by right-clicking "Log in" in the top right corner of the page and choosing "Copy link address" or similar.
* Append `&usesul3=1` to the copied address, and use this address to log in.

For example, on English Wikipedia, you might use https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Main+Page&usesul3=1 to log in.

The rollout will take about a week; after that, login will always use the new central domain, and you don't need to do anything special for WebAuthn to work. (This will also fix the longstanding problem with WebAuthn where you had to initiate login on one specific wiki for it to work.)

== Feedback & more information ==

For more information about the new central login domain, see the project page:
https://www.mediawiki.org/wiki/MediaWiki_Platform_Team/SUL3

To report problems with these instructions, or for other kinds of feedback about this email, you can use the relevant task in our issue tracker:
https://phabricator.wikimedia.org/T389064

or you can just reply to this email (though using the task would be preferable).

----
Gergő Tisza
software engineer, Wikimedia Foundation / MediaWiki Platform Team
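The email above explains the two mechanics that drive this whole task: a WebAuthn credential is scoped to a relying-party ID (RP ID) that must match the domain of the page doing the login, and the `usesul3` query parameter pins a wiki to the old or new login domain during the rollout. The following is an added illustration (not code from the task, from MediaWiki, or from the OATHAuth/WebAuthn extension) of both points in Python. It assumes the RP IDs used as inputs (a per-wiki host such as en.wikipedia.org before SUL3, wikimedia.org on the central domain) and replaces the Public Suffix List with a tiny constructed stand-in; nothing here reads the real credential store.

```python
"""
Added example (not part of the Phabricator task or of MediaWiki): why a
WebAuthn passkey registered for one wiki's host cannot be used from the
central login domain, and how to build a login URL that pins the old
(usesul3=0) or new (usesul3=1) login flow.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: a constructed stand-in for the Public Suffix List. A browser
# or relying-party library consults the full list; this is enough to show
# that a bare public suffix such as "org" is never an acceptable RP ID.
PUBLIC_SUFFIXES = {"org", "com", "net", "co.uk"}


def effective_domain(origin: str) -> str:
    """Lower-cased host of an https origin (port, path and query ignored)."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https origin: {origin!r}")
    return parts.hostname.lower()


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """WebAuthn RP ID rule: the RP ID must equal the origin's effective
    domain or be a registrable-domain suffix of it, and must not itself be a
    public suffix. This is what makes a credential domain-bound."""
    host = effective_domain(origin)
    rp_id = rp_id.lower().rstrip(".")
    if not rp_id or rp_id in PUBLIC_SUFFIXES:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def credential_usable(credential_rp_id: str, login_origin: str) -> bool:
    """A stored credential is only offered for an assertion if the RP ID it
    was created with is valid for the origin of the page performing login.
    Hypothetical helper: real user agents enforce the same rule internally."""
    return rp_id_valid_for_origin(credential_rp_id, login_origin)


def login_url_with_sul3(login_url: str, use_sul3: bool) -> str:
    """Return login_url with usesul3=0 or usesul3=1 set, replacing any existing
    value and choosing '?' versus '&' correctly. The email says to append
    '&usesul3=0'; that only works when the copied address already carries a
    query string, which this helper does not assume."""
    parts = urlsplit(login_url)
    query = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k != "usesul3"
    ]
    query.append(("usesul3", "1" if use_sul3 else "0"))
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment)
    )


if __name__ == "__main__":
    old_key_rp = "en.wikipedia.org"      # assumption: pre-SUL3 passkey scope
    new_key_rp = "wikimedia.org"         # assumption: central-domain scope
    for rp, origin in [
        (old_key_rp, "https://en.wikipedia.org"),
        (old_key_rp, "https://auth.wikimedia.org"),
        (new_key_rp, "https://auth.wikimedia.org"),
        ("wikipedia.org", "https://auth.wikimedia.org"),
    ]:
        print(f"rpId={rp:<18} origin={origin:<30} usable={credential_usable(rp, origin)}")
    print(login_url_with_sul3("https://en.wikipedia.org/wiki/Special:UserLogin", False))
```

The `wikipedia.org` versus `wikimedia.org` rows are the crux: a suffix match is on registrable-domain labels, so nothing registered under any `*.wikipedia.org` host can ever be presented at `auth.wikimedia.org`, and the only fix is a new credential created on the central domain. The same rule is why the last paragraph of the email expects the per-wiki "had to initiate login on one specific wiki" problem to disappear: every `auth.wikimedia.org/<wikiid>/...` page shares one origin, so one credential serves all wikis.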

Annoyingly, sendBulkEmails.php does not email users who have unset the allowemail user preference ("Allow other users to email me"), which is not really relevant for this kind of email. So I'll use a copy of it with a trivial change:

32c32,37
< require_once __DIR__ . '/WikimediaMaintenance.php';
---
> $IP = getenv( 'MW_INSTALL_PATH' );
> if ( $IP === false ) {
> 	$IP = __DIR__ . '/../../..';
> }
> 
> require_once "$IP/extensions/WikimediaMaintenance/WikimediaMaintenance.php";
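Review bot: the fallback `$IP = __DIR__ . '/../../..';` on the third added line is relative to wherever the copy lives, and for a copy run out of /home/tgr/T389064/ (see the mwscript command further down) it points at nothing useful; the copy therefore works only because mwscript exports MW_INSTALL_PATH. Since this is a one-off script, it would be safer to fail loudly when the variable is unset (for example `if ( $IP === false ) { die( "MW_INSTALL_PATH not set\n" ); }`) than to fall through to a guessed path.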
235c240
< 		if ( !$user->canReceiveEmail() ) {
---
> 		if ( !$user->isEmailConfirmed() ) {
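Review bot: replacing `canReceiveEmail()` with `isEmailConfirmed()` removes the allow-email preference gate as intended, but the copy still silently skips any user whose address is set but not confirmed, and nothing in this hunk records why a name was skipped. The recipient list came from a query on gu_email being non-empty, not on confirmation, so the gap between "users with an address" and "users emailed" cannot be explained from the log afterwards; consider outputting the skipped name and the reason at this branch so the unreachable accounts can be followed up another way.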

Command used:

mwscript /home/tgr/T389064/sendBulkEmails.php --wiki=metawiki \
    --subject 'Action needed to keep your Wikimedia WebAuthn login working' \
    --body /home/tgr/T389064/body.txt \
    --from 'Tgr (WMF)' \
    --to /home/tgr/T389064/users-with-webauthn.txt \
  | tee email-log.txt

76 out of 83 affected users notified. There's one user with test in the name, one with an account name that sounds like it was courtesy vanished, the other 5 unemailable users will have to figure out on their own what's going on, I suppose.

Closing as resolved but if you are one of the affected users and the instructions aren't working for you, feel free to reopen.

Is it worth dumping a comment on their "primary"/home wiki talk page to point them somewhere? Probably requesting 2FA disabling....

> Annoyingly, sendBulkEmails.php does not email users who have unset the allowemail user preference ("Allow other users to email me"), which is not really relevant for this kind of email. So I'll use a copy of it with a trivial change:

Probably a good thing to fork to another task

> Is it worth dumping a comment on their "primary"/home wiki talk page to point them somewhere? Probably requesting 2FA disabling....

Is it OK to disclose that they are using WebAuthn?

> == Instructions for adding a new passkey on the new, central authentication domain ==
> ...
> * Visit https://auth.wikimedia.org/metawiki/wiki/Special:Manage_Two-factor_authentication

This didn't work for everyone because it uses Meta's configuration, but some users only have the right to manage 2FA on one specific wiki.

Will have to send out a correction.

Action needed to keep your Wikimedia WebAuthn login working (correction)
Hi again,

a correction to the previous email: going to
https://auth.wikimedia.org/metawiki/wiki/Special:Manage_Two-factor_authentication
to set up WebAuthn on the new central domain only works if you have 2FA permissions on Meta-Wiki, but many people only have that on one specific wiki. In that case, you need to go to
https://auth.wikimedia.org/<wikiid>/wiki/Special:Manage_Two-factor_authentication
where <wikiid> is the short identifier (also known as the wiki ID or database name) for the wiki where you normally log in with WebAuthn; e.g. for English Wikipedia it's
https://auth.wikimedia.org/enwiki/wiki/Special:Manage_Two-factor_authentication

(If you aren't sure what is the short identifier for your wiki, you can look it up at https://db-names.toolforge.org/ - you can type the domain name in the search bar at the top; the value you'll need is in the "Database name" column.)

Also note that having multiple two-factor mechanisms at the same time is not yet supported. If you are going to switch between WebAuthn and TOTP, you need to fully disable the active one before enabling the other, even though the user interface looks like you could do it in a single step. WebAuthn is still experimental, and this is one of the unfinished parts.

Sorry for the confusion.

Thank you for the notification, Gergő. I have followed your well-defined instructions successfully.

One thing worth mentioning, your emails fell into my junk folder (Office 365/Outlook, default setup) which may hinder your migration attempts here.

This is done I think.

> One thing worth mentioning, your emails fell into my junk folder (Office 365/Outlook, default setup) which may hinder your migration attempts here.

Unfortunately I don't think we have any control over that. The mail sender script uses wikimedia.org with proper SPF etc, so it's from a reputable sender.

I just now saw this email and went in to disable my old key, but it asks me to re-authenticate during the removal process which goes to auth.mediawiki.org.

My workflow:

  1. Go to https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Main+Page&usesul3=0 to log in. This works and I can use my existing key.
  2. Go to my user preferences page at https://en.wikipedia.org/wiki/Special:Preferences
  3. The "Manage" button on that page points to https://auth.wikimedia.org/enwiki/wiki/Special:Manage_Two-factor_authentication
  4. When I follow the link I get asked to log in again, and this time adding &usesul3=0 doesn't help.

There's a link in the notice on the top of the page to go to the local version of the page where your passkey should work.

Maybe we should use a more noticeable color, or do that when the user's passkey has been created pre-SUL3.

I don't see any notice on either the preferences page or the login page that I'm taken to after clicking "Manage" for 2FA. After logging in initially I end up on https://en.wikipedia.org/wiki/Special:Preferences, and after clicking "Manage" I'm taken to https://auth.wikimedia.org/enwiki/w/index.php?title=Special:UserLogin&returnto=Special%3AManage+Two-factor+authentication&returntoquery=&warning=exception-nologin-text, neither of which has a notice at the top of the page to use a local version of the page.

That's probably a case of T393459: Warn users when they get redirected from a logged-in local page to a logged-out auth.wikimedia.org page. You are logged out when you arrive on auth.wikimedia.org and so the special page does a normal redirect-to-login rather than a reauthentication (which would be a little less confusing). Once you log in, you'll see the notice.

Anyway, you can just visit https://en.wikipedia.org/wiki/Special:Manage_Two-factor_authentication directly.

There we go, the direct link worked right away. And on that page I finally see the notification you had mentioned previously (though I don't need it now). Thanks for the help!