
Expand 2FA Opt-In Privileges
Closed, Resolved; Public

Description

We want to expand the number of users who have 2FA access. We can do this by creating a hook that will look at user IDs and if that user ID ends in 0, they are added to the oathauth-tester group which only grants the privilege to access 2FA (oathauth-enable). Users will only be added to the oathauth-tester group if they are not already members of another group that grants the oathauth-enable right.

Currently users without email addresses and temporary accounts are not included in this rollout.

Once we have settled at 100% of users having 2FA access, we need to remove all of the configuration that made this possible:

  • The percentage setting
  • The code/hook that powers the percentage setting
  • The oathauth-twofactorauth group


Event Timeline


Users will only be added to the oathauth-tester group if they are not already members of any other group.

Any other group?

Not sure how to make that more clear. If a randomly selected user (part of whatever percent rollout we are doing) is not a member of any of the other global groups then they get added to the oathauth-tester group.

Catrope updated the task description.

I've attempted to clarify the task description. I would also suggest that it might be easier not to add the randomly selected users to the oathauth-tester group, but instead to use a UserGetRights hook that just adds the oathauth-enable right directly if the last two digits of the user ID are less than 05 or whatever.
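An illustration of the hook-based approach suggested in the comment above, added here as an example; it is not the OATHAuth extension's code and not part of any comment in this task. The class name and the `$wgExampleOATHOptInPercent` setting are hypothetical. The exclusions (temporary accounts, users without an email address) follow the task description.

```php
<?php
// Added example: grant oathauth-enable at permission-check time instead of
// writing a group-membership row for every selected user.
// ExampleOptInRollout and $wgExampleOATHOptInPercent are hypothetical names.

class ExampleOptInRollout {

	/**
	 * Deterministic bucket test on the last two digits of the user ID.
	 * Raising $percent only ever adds users: anyone included at 20 is
	 * still included at 40, so nobody loses access mid-rollout.
	 */
	public static function isInRollout( int $userId, int $percent ): bool {
		// ID 0 is an unregistered (anonymous) user and is never included.
		return $userId > 0 && ( $userId % 100 ) < $percent;
	}

	/**
	 * Handler for MediaWiki's UserGetRights hook.
	 *
	 * @param User $user User whose rights are being computed
	 * @param string[] &$rights Rights collected so far from the user's groups
	 */
	public static function onUserGetRights( $user, array &$rights ) {
		global $wgExampleOATHOptInPercent; // hypothetical setting, 0-100

		// Already granted through a real group: nothing to add.
		if ( in_array( 'oathauth-enable', $rights, true ) ) {
			return;
		}
		// Excluded from the rollout per the task description.
		if ( $user->isTemp() || $user->getEmail() === '' ) {
			return;
		}
		if ( self::isInRollout( $user->getId(), (int)$wgExampleOATHOptInPercent ) ) {
			$rights[] = 'oathauth-enable';
		}
	}
}

// Legacy-style hook registration, e.g. from a settings file.
$wgHooks['UserGetRights'][] = 'ExampleOptInRollout::onUserGetRights';
```

Because the right is computed on each rights lookup, changing the percentage takes effect through configuration alone and leaves no rows to clean up once the rollout reaches 100%.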

What is the benefit of adding the right directly vs adding users to a group?


If not done correctly, it can basically kill the database by adding millions of rows to tables in our production that are already under stress. Maybe there are other reasons too.

Affected users should somehow be made aware that they can enable 2FA.

I've separated the implementation of the mechanism into a subtask (T400579), so that we can later add additional subtasks under here for the rollout itself (increasing the percentage of users who have 2FA enabled from 0% to 10%, probably with steps in between).


@Bugreporter We're actually intentionally rolling this out quietly (though in public for anyone paying attention), so that we can first get a handle on bugs, support load, and general stability before we start proactively evangelizing this to users.

It is confusing if a number of new Wikimedians are friends and some can enable 2FA and some cannot. So we should at least describe (to those with 2FA available) that 2FA for everyone is a preview feature in A/B testing.

Can we put this on User-notice? We don't need to evangelize it yet, but since APIs now return this "secret" user-right 😄, it might be useful to tell people about it so that they are not taken by surprise (had a conversation with folks on the Wikimedia Discord server about the existence of the userright).

Mstyles added a subscriber: sgrabarczuk.

@Soda I'm working with @sgrabarczuk to figure out the best approach for Tech News. Thank you for bringing it up here.

Change #1191100 had a related patch set uploaded (by Mstyles; author: Mstyles):

[operations/mediawiki-config@master] OATHAuth: Increase 2FA opt-in to 20% of users

https://gerrit.wikimedia.org/r/1191100

Change #1191100 merged by jenkins-bot:

[operations/mediawiki-config@master] OATHAuth: Increase 2FA opt-in to 20% of users

https://gerrit.wikimedia.org/r/1191100

Change #1193941 had a related patch set uploaded (by Mstyles; author: Mstyles):

[operations/mediawiki-config@master] OATHAuth: Increase 2FA opt-in to 40% of users

https://gerrit.wikimedia.org/r/1193941

Change #1193941 merged by jenkins-bot:

[operations/mediawiki-config@master] OATHAuth: Increase 2FA opt-in to 40% of users

https://gerrit.wikimedia.org/r/1193941

Mentioned in SAL (#wikimedia-operations) [2025-10-07T20:04:24Z] <mstyles@deploy2002> Started scap sync-world: Backport for [[gerrit:1193941|OATHAuth: Increase 2FA opt-in to 40% of users (T399664)]]

Mentioned in SAL (#wikimedia-operations) [2025-10-07T20:08:42Z] <mstyles@deploy2002> mstyles: Backport for [[gerrit:1193941|OATHAuth: Increase 2FA opt-in to 40% of users (T399664)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-10-07T20:13:50Z] <mstyles@deploy2002> Finished scap sync-world: Backport for [[gerrit:1193941|OATHAuth: Increase 2FA opt-in to 40% of users (T399664)]] (duration: 09m 08s)

Change #1203535 had a related patch set uploaded (by Mstyles; author: Mstyles):

[operations/mediawiki-config@master] OATHAuth: Increase 2FA opt-in to 60% of users

https://gerrit.wikimedia.org/r/1203535

Change #1203535 merged by jenkins-bot:

[operations/mediawiki-config@master] OATHAuth: Increase 2FA opt-in to 70% of users

https://gerrit.wikimedia.org/r/1203535

Mentioned in SAL (#wikimedia-operations) [2025-11-10T23:08:28Z] <catrope@deploy2002> Started scap sync-world: Backport for [[gerrit:rMW1203097935b3|i18n: Update wikimedia-emailauth-login-help to link to Special:AccountRecovery (T399749)]], [[gerrit:1203126|OATHManage: Don't always set the page title to "Create new recovery codes"]], [[gerrit:1203535|OATHAuth: Increase 2FA opt-in to 70% of users (T399664)]]

Mentioned in SAL (#wikimedia-operations) [2025-11-10T23:34:11Z] <catrope@deploy2002> catrope, mstyles: Backport for [[gerrit:rMW1203097935b3|i18n: Update wikimedia-emailauth-login-help to link to Special:AccountRecovery (T399749)]], [[gerrit:1203126|OATHManage: Don't always set the page title to "Create new recovery codes"]], [[gerrit:1203535|OATHAuth: Increase 2FA opt-in to 70% of users (T399664)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can no

Mentioned in SAL (#wikimedia-operations) [2025-11-11T00:11:51Z] <catrope@deploy2002> Started scap sync-world: Backport for [[gerrit:rMW1203097935b3|i18n: Update wikimedia-emailauth-login-help to link to Special:AccountRecovery (T399749)]], [[gerrit:1203126|OATHManage: Don't always set the page title to "Create new recovery codes"]], [[gerrit:1203535|OATHAuth: Increase 2FA opt-in to 70% of users (T399664)]]

Mentioned in SAL (#wikimedia-operations) [2025-11-11T00:15:28Z] <catrope@deploy2002> catrope, mstyles: Backport for [[gerrit:rMW1203097935b3|i18n: Update wikimedia-emailauth-login-help to link to Special:AccountRecovery (T399749)]], [[gerrit:1203126|OATHManage: Don't always set the page title to "Create new recovery codes"]], [[gerrit:1203535|OATHAuth: Increase 2FA opt-in to 70% of users (T399664)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can no

Mentioned in SAL (#wikimedia-operations) [2025-11-11T00:22:47Z] <catrope@deploy2002> Finished scap sync-world: Backport for [[gerrit:rMW1203097935b3|i18n: Update wikimedia-emailauth-login-help to link to Special:AccountRecovery (T399749)]], [[gerrit:1203126|OATHManage: Don't always set the page title to "Create new recovery codes"]], [[gerrit:1203535|OATHAuth: Increase 2FA opt-in to 70% of users (T399664)]] (duration: 10m 56s)

The oathauth-enable right

3rd party wikis may still only allow certain users to use 2FA (since they may have few people handling account recovery requests). Alternatively, we can assign it to user in Wikimedia projects and MediaWiki default and remove it from other groups currently holding that right.


@Bugreporter thanks for the heads up. We definitely want to be mindful of 3rd party wikis.

Change #1213563 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] Increase 2FA access to most users

https://gerrit.wikimedia.org/r/1213563

Change #1213585 had a related patch set uploaded (by Mstyles; author: Mstyles):

[operations/mediawiki-config@master] OATHAuth: Expand 2FA to all users

https://gerrit.wikimedia.org/r/1213585

Change #1213585 merged by jenkins-bot:

[operations/mediawiki-config@master] OATHAuth: Expand 2FA to all users

https://gerrit.wikimedia.org/r/1213585

Mentioned in SAL (#wikimedia-operations) [2025-12-03T21:17:04Z] <dani@deploy2002> Started scap sync-world: Backport for [[gerrit:1214494|Increase coverage of 2025 Global Readers Survey (non-enwiki) (T410918)]], [[gerrit:1213585|OATHAuth: Expand 2FA to all users (T399664)]]

Mentioned in SAL (#wikimedia-operations) [2025-12-03T21:19:40Z] <dani@deploy2002> dani, mstyles: Backport for [[gerrit:1214494|Increase coverage of 2025 Global Readers Survey (non-enwiki) (T410918)]], [[gerrit:1213585|OATHAuth: Expand 2FA to all users (T399664)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-12-03T21:28:21Z] <dani@deploy2002> Finished scap sync-world: Backport for [[gerrit:1214494|Increase coverage of 2025 Global Readers Survey (non-enwiki) (T410918)]], [[gerrit:1213585|OATHAuth: Expand 2FA to all users (T399664)]] (duration: 11m 18s)

Change #1213563 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Remove configuration for 2FA Opt In

https://gerrit.wikimedia.org/r/1213563

Change #1214659 had a related patch set uploaded (by Mstyles; author: Mstyles):

[operations/mediawiki-config@master] OATHAuth: Remove wmgOATHAuthDisableRight

https://gerrit.wikimedia.org/r/1214659

Change #1214659 merged by jenkins-bot:

[operations/mediawiki-config@master] OATHAuth: Remove wmgOATHAuthDisableRight

https://gerrit.wikimedia.org/r/1214659

Mentioned in SAL (#wikimedia-operations) [2025-12-04T21:14:03Z] <jforrester@deploy2002> Started scap sync-world: Backport for [[gerrit:1215251|[tokwiki] Allow sysops to grant/remove confirmed status (T411683)]], [[gerrit:1214659|OATHAuth: Remove wmgOATHAuthDisableRight (T399664)]], [[gerrit:1214143|Remove /data-parsoid/ endpoint from specs per T393557 (T411517)]], [[gerrit:1215263|Shorten 'close' cookie wait period for enwiki banners (T411800)]]

Mentioned in SAL (#wikimedia-operations) [2025-12-04T21:18:17Z] <jforrester@deploy2002> mstyles, aaron, superpes, jforrester, ejegg: Backport for [[gerrit:1215251|[tokwiki] Allow sysops to grant/remove confirmed status (T411683)]], [[gerrit:1214659|OATHAuth: Remove wmgOATHAuthDisableRight (T399664)]], [[gerrit:1214143|Remove /data-parsoid/ endpoint from specs per T393557 (T411517)]], [[gerrit:1215263|Shorten 'close' cookie wait period for enwiki banners (T411800)]] synced to the t

Mentioned in SAL (#wikimedia-operations) [2025-12-04T21:24:07Z] <jforrester@deploy2002> Finished scap sync-world: Backport for [[gerrit:1215251|[tokwiki] Allow sysops to grant/remove confirmed status (T411683)]], [[gerrit:1214659|OATHAuth: Remove wmgOATHAuthDisableRight (T399664)]], [[gerrit:1214143|Remove /data-parsoid/ endpoint from specs per T393557 (T411517)]], [[gerrit:1215263|Shorten 'close' cookie wait period for enwiki banners (T411800)]] (duration: 10m 04s)

Mstyles moved this task from Backlog to Done on the FY2025-26 WE4.6.3 Global 2FA Opt-In board.

As all of the cleanup work is either merged or deployed and all users have access to 2FA, I'm marking this as resolved.