Page MenuHomePhabricator
Create Task
Maniphest T401777

During login, allow multiple 2FA methods to be used, but prioritize WebAuthn if available
Closed, ResolvedPublic
Actions

Assigned To
Mstyles
Authored By
Catrope
Aug 13 2025, 5:35 AM
Tags
Referenced Files
F65746273: image.png
Aug 13 2025, 5:35 AM
F65746247: image.png
Aug 13 2025, 5:35 AM
F65746240: image.png
Aug 13 2025, 5:35 AM
F65746235: image.png
Aug 13 2025, 5:35 AM
Subscribers
AAlhazwani-WMF
Aklapper
Catrope
Chlod
EMill-WMF
Mstyles
ReaperDawn
View All 9 Subscribers

Description

When a user who has 2FA enabled, we should allow them to use any 2FA method they have set up, but we should offer WebAuthn first, TOTP second, and recovery codes third.

image.png (881×433 px, 98 KB)
image.png (881×433 px, 94 KB)
image.png (826×400 px, 89 KB)
image.png (880×409 px, 84 KB)
WebAuthn onlyTOTP onlyWebAuthn + TOTPRecovery code form
  • If the user only has WebAuthn, continue with WebAuthn by default, but display a button that leads to a form where they can input a recovery code
  • If the user only has TOTP, display a form where they can enter a TOTP code, but display a button that leads to a form where they can input a recovery code
  • If the user has both WebAuthn and TOTP, continue with WebAuthn by default, but display a button that leads to a TOTP form, and a button that leads to a recovery code form
  • The recovery code form should have a button linking back to the WebAuthn flow or the TOTP flow (or both if both are available)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Prefer WebAuthn and set priority ordermediawiki/extensions/OATHAuthmaster+29 -11
Replace 2FA method switch dropdown with buttonsmediawiki/extensions/OATHAuthmaster+69 -15
Add login switch button messagemediawiki/extensions/WebAuthnmaster+9 -2
Add "GetButtonDisplayMessage" messagemediawiki/extensions/WebAuthnmaster+9 -2
Add getPriority to iModule interfacemediawiki/extensions/OATHAuthmaster+18 -0
Multiple 2FA methods for loginmediawiki/extensions/OATHAuthmaster+23 -13
Set default priority for WebAuthnmediawiki/extensions/WebAuthnmaster+7 -0
Pass flags and weight from OATHAuthmediawiki/coremaster+2 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Catrope created this task.Aug 13 2025, 5:35 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 13 2025, 5:35 AM
Catrope added a comment.Aug 13 2025, 5:35 AM

@AAlhazwani-WMF I was a bit bold and used my preferred design alternative here instead of the MenuButton-based one you have in your current designs, but I'd be happy to update this task with whatever we settle on.

Chlod subscribed.Aug 13 2025, 7:22 AM
AAlhazwani-WMF added a comment.Aug 13 2025, 10:31 AM
In T401777#11081153, @Catrope wrote:

@AAlhazwani-WMF I was a bit bold and used my preferred design alternative here instead of the MenuButton-based one you have in your current designs, but I'd be happy to update this task with whatever we settle on.

@Catrope WP:BB is more than welcome. as i shared on figma (link to comment) i don't have a strong opinion about this, and agreed with your proposal.

ReaperDawn subscribed.Aug 13 2025, 10:51 PM
Mstyles edited parent tasks, added: T399644: FY2025-26 WE4.6.2 Multiple Authenticators; removed: T242031: Allow multiple different 2FA devices.Aug 20 2025, 7:00 PM
Catrope assigned this task to Mstyles.Aug 20 2025, 9:03 PM
Catrope triaged this task as High priority.
Mstyles moved this task from Backlog to In Progress on the FY2025-26 WE4.6.2 Multiple Authenticators board.Aug 22 2025, 10:59 PM
gerritbot added a comment.Aug 29 2025, 4:22 AM

Change #1182979 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] Multiple 2FA methods for login

https://gerrit.wikimedia.org/r/1182979

gerritbot added a project: Patch-For-Review.Aug 29 2025, 4:22 AM

Change #1182980 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/core@master] Pass flags and weight from OATHAuth

https://gerrit.wikimedia.org/r/1182980

gerritbot added a comment.Sep 2 2025, 5:49 PM

Change #1182980 abandoned by Mstyles:

[mediawiki/core@master] Pass flags and weight from OATHAuth

Reason:

Need to make changes inside OATHAuth

https://gerrit.wikimedia.org/r/1182980

gerritbot added a comment.Sep 3 2025, 3:09 AM

Change #1184200 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] Add getPriority to iModule interface

https://gerrit.wikimedia.org/r/1184200

gerritbot added a comment.Sep 3 2025, 3:10 AM

Change #1184201 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/WebAuthn@master] Set default priority for WebAuthn

https://gerrit.wikimedia.org/r/1184201

gerritbot added a comment.Sep 8 2025, 10:03 PM

Change #1184201 abandoned by Mstyles:

[mediawiki/extensions/WebAuthn@master] Set default priority for WebAuthn

Reason:

planning to store in config

https://gerrit.wikimedia.org/r/1184201

gerritbot added a comment.Sep 9 2025, 2:41 AM

Change #1182979 abandoned by Mstyles:

[mediawiki/extensions/OATHAuth@master] Multiple 2FA methods for login

Reason:

starting fresh

https://gerrit.wikimedia.org/r/1182979

gerritbot added a comment.Sep 9 2025, 2:43 AM

Change #1184200 abandoned by Mstyles:

[mediawiki/extensions/OATHAuth@master] Add getPriority to iModule interface

Reason:

planning to use config variable

https://gerrit.wikimedia.org/r/1184200

gerritbot added a comment.Sep 9 2025, 2:46 AM

Change #1186136 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] Multiple 2FA methods for login

https://gerrit.wikimedia.org/r/1186136

gerritbot added a comment.Sep 15 2025, 11:16 PM

Change #1187237 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/WebAuthn@master] Add "GetButtonDisplayMessage" message

https://gerrit.wikimedia.org/r/1187237

gerritbot added a comment.Sep 16 2025, 12:55 AM

Change #1187237 abandoned by Mstyles:

[mediawiki/extensions/WebAuthn@master] Add "GetButtonDisplayMessage" message

Reason:

duplicate

https://gerrit.wikimedia.org/r/1187237

gerritbot added a comment.Sep 16 2025, 12:56 AM

Change #1188485 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/WebAuthn@master] Add "GetButtonDisplayMessage" message

https://gerrit.wikimedia.org/r/1188485

gerritbot added a comment.Sep 16 2025, 11:38 AM

Change #1188485 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] Add login switch button message

https://gerrit.wikimedia.org/r/1188485

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.20; 2025-09-23).Sep 16 2025, 12:01 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Sep 16 2025, 7:47 PM
Reedy mentioned this in T404801: Could not verify your key. Please start the registration process again..Sep 16 2025, 10:27 PM
gerritbot added a comment.Sep 16 2025, 11:30 PM

Change #1186136 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Replace 2FA method switch dropdown with buttons

https://gerrit.wikimedia.org/r/1186136

Maintenance_bot removed a project: Patch-For-Review.Sep 16 2025, 11:31 PM
gerritbot added a comment.Sep 17 2025, 6:07 AM

Change #1188920 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] Prefer WebAuthn

https://gerrit.wikimedia.org/r/1188920

gerritbot added a project: Patch-For-Review.Sep 17 2025, 6:07 AM
gerritbot added a comment.Sep 18 2025, 11:29 PM

Change #1188920 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Prefer WebAuthn and set priority order

https://gerrit.wikimedia.org/r/1188920

Maintenance_bot removed a project: Patch-For-Review.Sep 18 2025, 11:30 PM
Mstyles closed this task as Resolved.Sep 19 2025, 5:48 PM
Mstyles moved this task from In Progress to Done on the FY2025-26 WE4.6.2 Multiple Authenticators board.
Mstyles mentioned this in T399648: Default to WebAuthn when available during login 2FA check.
Reedy removed a subtask: T407167: Only One Recovery codes given.Oct 17 2025, 2:54 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits