
Require users to prove they saved their scratch codes
Status: Open, Needs Triage · Visibility: Public · Type: Feature

Description

Feature summary (what you would like to be able to do and where):
After a user's scratch codes are displayed, OATHAuth should hide them and require the user to input a scratch code to prove that they were saved. The scratch code should ideally not be consumed.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):
Many 2FA lockouts are caused by users forgetting to save their scratch codes or not realizing that they were reset.

Benefits (why should this be implemented?):

  • By asking for a scratch code, we can check that the correct scratch codes were saved.
  • The fear of lockouts is a barrier to 2FA adoption on Wikimedia wikis. By testing a scratch code, we can reassure users that their codes work.
  • Unlocking accounts currently requires T&S intervention, and preventing lockouts would reduce their workload.
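The following is an added illustration of the proposed flow, not code from OATHAuth or MediaWiki: after enrolment shows the codes, the user must type one back, and that check matches without consuming, while the later login-time path does consume. Code format, count, the `normalise` tolerance for pasted input, and the function names are assumptions made for this example.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed alphabet, not OATHAuth's


def generate_scratch_codes(count=10, length=8):
    """Generate `count` random scratch codes (constructed format for this example)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def normalise(entered):
    """Tolerate pasted input: drop spaces/dashes and ignore case."""
    return "".join(ch for ch in entered.lower() if ch.isalnum())


def _find(codes, entered):
    """Return the index of the matching code, or -1.

    Every stored code is compared with a constant-time check, and the loop
    does not break early, so timing does not reveal which (if any) matched.
    """
    wanted = normalise(entered).encode()
    found = -1
    for i, code in enumerate(codes):
        if hmac.compare_digest(code.encode(), wanted):
            found = i
    return found


def confirm_saved(codes, entered):
    """Enrolment step proposed in this task: prove the codes were saved.

    Returns True if `entered` is one of the user's codes. The list is left
    untouched, so the code the user typed back is NOT consumed.
    """
    return _find(codes, entered) != -1


def redeem(codes, entered):
    """Login-time use of a scratch code: consumes the matching code."""
    i = _find(codes, entered)
    if i == -1:
        return False
    del codes[i]
    return True
```

In the proposed UI, 2FA would only be activated after `confirm_saved` succeeds, and the same ten codes would still be available for later `redeem` calls.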