Page MenuHomePhabricator
Create Task
Maniphest T420200

Special:Recover2FAForUser should generate short-lived recovery codes
Closed, ResolvedPublic
Actions

Description

Currently, the recovery codes in OATHAuth have infinite lifespan. This is fine for the typical use of recovery codes (store safely and use in emergency). However, codes generated with Special:Recover2FAForUser are potentially known to a few intermediary parties (all those who can access the target user's email inbox, now and in future).

This makes it possible for a future attacker, who gets access to the target user email, to grab recovery codes and try them to log into Wikimedia wikis, hoping they weren't invalidated. In order to mitigate this, codes generated by this special page should be short-lived.

Acceptance criteria

  • Recovery codes generated by Special:Recover2FAForUser can be used only for 7 days after they have been generated.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Recover2FAForUser: Generate expiring codesmediawiki/extensions/OATHAuthmaster+28 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

mszwarc created this task.Mar 16 2026, 12:16 PM
mszwarc created subtask T420201: OATHAuth: Add support for expiring recovery codes.Mar 16 2026, 12:22 PM
mszwarc moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.
Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Mar 18 2026, 8:25 PM
mszwarc mentioned this in T420908: OATHAuth: Indicate that the user has temporary recovery codes.Mar 23 2026, 10:53 AM
mszwarc closed subtask T420201: OATHAuth: Add support for expiring recovery codes as Resolved.Mar 23 2026, 10:59 AM
mszwarc edited projects, added Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))); removed Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)).Mar 23 2026, 1:05 PM
mszwarc moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
Reedy mentioned this in T420994: Add a maintenance script to purge temporary recovery codes.Mar 23 2026, 7:53 PM
mszwarc reopened subtask T420201: OATHAuth: Add support for expiring recovery codes as In Progress.Mar 24 2026, 10:06 AM
mszwarc moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.Mar 24 2026, 10:38 AM
gerritbot added a comment.Mar 24 2026, 11:11 AM

Change #1259929 had a related patch set uploaded (by Mszwarc; author: Mszwarc):

[mediawiki/extensions/OATHAuth@master] Recover2FAForUser: Generate expiring codes

https://gerrit.wikimedia.org/r/1259929

gerritbot added a project: Patch-For-Review.Mar 24 2026, 11:11 AM
mszwarc closed subtask T420201: OATHAuth: Add support for expiring recovery codes as Resolved.Mar 24 2026, 12:08 PM
mszwarc moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
gerritbot added a comment.Apr 10 2026, 9:14 AM

Change #1259929 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Recover2FAForUser: Generate expiring codes

https://gerrit.wikimedia.org/r/1259929

Maintenance_bot removed a project: Patch-For-Review.Apr 10 2026, 9:31 AM
mszwarc closed this task as Resolved.Apr 10 2026, 9:49 AM
mszwarc moved this task from Needs review to Done on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
mszwarc updated the task description. (Show Details)
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.24; 2026-04-14).Apr 10 2026, 10:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits