Page MenuHomePhabricator
Create Task
Maniphest T420792

Allow 2FA to be enforced for all accounts on a private wiki
Open, Needs TriagePublic
Actions

Description

We would like to enforce 2FA for all users on certain private wikis. This will require a bit of a different approach than 2FA enforcement based on group membership, because:

  • Users on these wikis would never be able to disable 2FA, there's no group they can leave to make this possible
  • Non-compliant users would need to be blocked, rather than removed from a group
  • ...but they can't be "blocked" in the current meaning of that term, because that would disable their ability to log in and set up 2FA
  • User creation would have to work differently. Right now new users get emailed a temporary password, and they log in with that then set a permanent password. We would have to require 2FA setup somewhere in this flow, but an account creator can't set up 2FA for someone else.

There are two approaches I can think of, and we should decide which one to use (or come up with a different one):

  1. Deny the "read" right for users without 2FA
    • Non-compliant users would not be blocked, they would just lose the right to read anything. They could still log in and manage their 2FA, and regain read rights as soon as they do that.
    • The user creation flow wouldn't really change, new users would log in with a temporary password and then be in the same state as non-compliant users: they can't read anything until they enable 2FA.
  2. Email recovery codes as a 2FA starter
    • When a new user is created, enable 2FA for them immediately, with recovery codes only. Send them an email with their temporary password and their recovery codes. Then after logging in for the first time, direct them to set up 2FA properly.
    • For non-compliant users, do the same thing: forcibly enable 2FA with recovery codes only, email those codes to them, and have them set up 2FA once they log in.
    • This means restricting read rights isn't needed, and there is no state where a user account doesn't have 2FA.
  3. Add to the temporary password workflow
    • When a new user is created, email them a temporary password as usual
    • When they log in with their temporary password, we already force them to change it to a permanent password. In this same flow, also force them to set up 2FA
    • (We would have to figure out whether this is feasible, and how we would prevent users from bypassing this requirement)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Auth: Add hook to modify email sent when creating account for someone elsemediawiki/coremaster+49 -4
WIP: Add UserModifyCreateAccountEmailHook subscribermediawiki/extensions/OATHAuthmaster+42 -2
Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groupsmediawiki/extensions/OATHAuthwmf/1.47.0-wmf.5+29 -10
Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groupsmediawiki/extensions/OATHAuthwmf/1.47.0-wmf.6+29 -10
wmf-config: Add $wmgOATHAuthRequire2FAForAll configoperations/mediawiki-configmaster+8 -1
Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groupsmediawiki/extensions/OATHAuthREL1_46+29 -10
Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groupsmediawiki/extensions/OATHAuthmaster+29 -10
Customize query in gerrit

Related Objects
Search...

Event Timeline

Catrope created this task.Mar 20 2026, 9:00 PM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptMar 20 2026, 9:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Catrope added a comment.Mar 20 2026, 9:01 PM

I lean towards #2. The risk of #1 is that something could go wrong with denying read rights based on 2FA status (maybe they can still read some things, or maybe logging in and managing their preferences/2FA doesn't work right), and I think that's a bigger risk than the risk of #2, which is that we don't normally expect users to have only recovery codes and nothing else.

Catrope edited projects, added: Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))); removed: Product Safety and Integrity.Mar 20 2026, 9:02 PM
Izno subscribed.Mar 21 2026, 9:30 PM
Bugreporter subscribed.EditedMar 22 2026, 2:39 AM

This will also be useful for T420383: Require 2FA for all accounts on donatewiki and thankyouwiki (and other fishbowl wikis, though these two wikis are more dangerous since they have raw HTML enabled).

Bugreporter added a comment.Mar 22 2026, 2:44 AM

Email recovery codes as a 2FA starter

Note we need clear guidance for them to properly setup 2FA - many new users (say, new WMF employees) may not be aware that recovery code is for single use and can not be relied forever.

recovery codes only

So we need a recovery-code-only mode, which is currently not yet supported.

Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Mar 23 2026, 9:52 PM
Rsilvola added a project: Security-Team.Mar 24 2026, 9:18 AM
Restricted Application edited projects, added: Product Safety and Integrity; removed: Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))). · View Herald TranscriptMar 24 2026, 9:18 AM
Rsilvola edited projects, added: Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))); removed: Product Safety and Integrity, Security-Team.Mar 24 2026, 9:21 AM
Rsilvola added a project: Security-Team.
Catrope updated the task description. (Show Details)Mar 24 2026, 5:57 PM
sbassett moved this task from Incoming to Back Orders on the Security-Team board.Mar 31 2026, 4:05 PM
sbassett added a project: SecTeam-Processed.
Bugreporter added a comment.Mar 31 2026, 4:37 PM

This means restricting read rights isn't needed, and there is no state where a user account doesn't have 2FA.

We need to also consider legacy users. Of course we can add a recovery code to each of users, but there are no guarantee that the email of user is reachable, or even the user has an email at all.

I believe using an expiring recovery code is not enough: some private wikis may be rarely used (e.g. (1) they are no longer active but still contain useful contents for historical purposes; (2) they are used by 3rd party which does not frequently - but does - collaborate with WMF; (3) they are used by some chapter that have different usual means for communication). So for legacy users in private wikis, we should guarantee they can set up 2FA anytime when they want to use it.

HouseBlaster subscribed.Apr 2 2026, 2:01 AM
Johannnes89 subscribed.Apr 7 2026, 5:39 PM
Xaosflux subscribed.Apr 7 2026, 5:41 PM
Count_Count subscribed.Apr 7 2026, 5:48 PM
DerHexer subscribed.Apr 7 2026, 6:43 PM
sgrabarczuk subscribed.Apr 8 2026, 4:17 PM
mszwarc subscribed.Apr 9 2026, 8:11 AM
OKryva-WMF edited projects, added: Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)); removed: Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))).Apr 13 2026, 3:45 PM
Reedy created subtask T423899: Create maintenance script to send notifications that they need to enable 2FA for continued access to the wiki.Apr 20 2026, 3:54 PM
Reedy changed the status of subtask T423899: Create maintenance script to send notifications that they need to enable 2FA for continued access to the wiki from Open to In Progress.Apr 21 2026, 4:57 PM
Bugreporter added a comment.EditedApr 21 2026, 5:23 PM

Another case to consider is many users in private wikis are blocked, which means they can not login and thus can not setup 2FA. Usually they are former (for example) checkusers or stewards that no longer have access, so it is meaningless to notify them to set up 2FA (some are even globally banned by WMF). However once a user has regain such access their private wiki account should be unblocked, and we need some way to let (and require) them setting up 2FA.

Reedy created subtask T424251: Make a maintenance script version of Special:Recover2FAForUser.Apr 23 2026, 5:58 PM
Reedy created subtask T424252: Create a maintenance script to make 2FA stats for a wiki (non blocked users).Apr 23 2026, 6:12 PM
Bugreporter added a comment.EditedApr 28 2026, 3:06 AM

After this task we should consider demoting sysops without 2FA in private wikis, since they can see more confidential content than normal users (deleted and revdelled pages and revisions, which may be contents no longer in use, but still contains PII).

Added 2026-05-09: what's more, any sysops in private wikis can create new accounts thus invite others to see the wiki's content.

OKryva-WMF edited projects, added: Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)); removed: Product Safety and Integrity (Sprint Tulip (Apr 13 - May 1)).May 1 2026, 7:37 AM
Catrope closed subtask T423899: Create maintenance script to send notifications that they need to enable 2FA for continued access to the wiki as Resolved.Mon, May 18, 10:12 PM
Catrope closed subtask T424252: Create a maintenance script to make 2FA stats for a wiki (non blocked users) as Resolved.Wed, May 20, 3:57 PM
Catrope closed subtask T424251: Make a maintenance script version of Special:Recover2FAForUser as Resolved.
Catrope mentioned this in T428103: Enforce 2FA for all users on private wikis in WMF production.Wed, Jun 3, 10:37 PM
Catrope edited parent tasks, added: T428103: Enforce 2FA for all users on private wikis in WMF production; removed: T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis.
gerritbot added a comment.Thu, Jun 4, 10:42 AM

Change #1297647 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Mandatory2FACheckerTest: Add test for 'user' requiring 2FA

https://gerrit.wikimedia.org/r/1297647

gerritbot added a project: Patch-For-Review.Thu, Jun 4, 10:42 AM
Reedy subscribed.EditedThu, Jun 4, 11:09 AM

Even without the patch above... Some (display type things) things just work

Screenshot 2026-06-04 at 12.07.39.png (481×256 px, 30 KB)

Reedy mentioned this in T428166: Wikis not using $wgConf should be shown 2FA required banners.Thu, Jun 4, 1:14 PM
gerritbot added a comment.Tue, Jun 9, 9:44 PM

Change #1299643 had a related patch set uploaded (by Reedy; author: Reedy):

[operations/mediawiki-config@master] wmf-config: Add $wmgOATHAuthRequire2FAForAll config

https://gerrit.wikimedia.org/r/1299643

gerritbot added a comment.Tue, Jun 9, 10:37 PM

Change #1299649 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/core@master] Add UserModifyCreateAccountEmailHook to modify AbstractTemporaryPasswordPrimaryAuthenticationProvider::sendNewAccountEmail()

https://gerrit.wikimedia.org/r/1299649

gerritbot added a comment.Wed, Jun 10, 7:44 AM

Change #1297647 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups

https://gerrit.wikimedia.org/r/1297647

ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.7; 2026-06-16).Wed, Jun 10, 8:00 AM
gerritbot added a comment.Wed, Jun 10, 10:20 AM

Change #1300080 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_46] Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups

https://gerrit.wikimedia.org/r/1300080

gerritbot added a comment.Wed, Jun 10, 10:44 AM

Change #1300080 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_46] Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups

https://gerrit.wikimedia.org/r/1300080

gerritbot added a comment.Wed, Jun 10, 10:57 AM

Change #1300093 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] WIP: Add UserModifyCreateAccountEmailHook subscriber

https://gerrit.wikimedia.org/r/1300093

gerritbot added a comment.Wed, Jun 10, 11:32 AM

Change #1300102 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@wmf/1.47.0-wmf.6] Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups

https://gerrit.wikimedia.org/r/1300102

gerritbot added a comment.Wed, Jun 10, 11:48 AM

Change #1299643 merged by jenkins-bot:

[operations/mediawiki-config@master] wmf-config: Add $wmgOATHAuthRequire2FAForAll config

https://gerrit.wikimedia.org/r/1299643

gerritbot added a comment.Wed, Jun 10, 11:48 AM

Change #1300104 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@wmf/1.47.0-wmf.5] Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups

https://gerrit.wikimedia.org/r/1300104

gerritbot added a comment.Wed, Jun 10, 11:51 AM

Change #1300102 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@wmf/1.47.0-wmf.6] Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups

https://gerrit.wikimedia.org/r/1300102

Reedy created subtask T428738: Create wrapper around Recover2FAForUser to send to all users that don't have 2FA.Wed, Jun 10, 11:51 AM
Reedy created subtask T428739: Refactor expiring recovery codes (and ExpiringRecoveryCodeGenerator) to allow user to only have expiring recovery codes for intial 2FA.
gerritbot added a comment.Wed, Jun 10, 11:55 AM

Change #1300104 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@wmf/1.47.0-wmf.5] Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups

https://gerrit.wikimedia.org/r/1300104

Stashbot added a comment.Wed, Jun 10, 11:57 AM

Mentioned in SAL (#wikimedia-operations) [2026-06-10T11:57:02Z] <reedy@deploy1003> Started scap sync-world: Backport for [[gerrit:1300104|Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups (T420792)]], [[gerrit:1300102|Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups (T420792)]], [[gerrit:1299643|wmf-config: Add $wmgOATHAuthRequire2FAForAll config (T420792)]]

Stashbot added a comment.Wed, Jun 10, 11:59 AM

Mentioned in SAL (#wikimedia-operations) [2026-06-10T11:59:09Z] <reedy@deploy1003> reedy: Backport for [[gerrit:1300104|Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups (T420792)]], [[gerrit:1300102|Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups (T420792)]], [[gerrit:1299643|wmf-config: Add $wmgOATHAuthRequire2FAForAll config (T420792)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes c

ReleaseTaggerBot edited projects, added: MW-1.47-notes (1.47.0-wmf.5; 2026-06-02); removed: MW-1.47-notes (1.47.0-wmf.7; 2026-06-16).Wed, Jun 10, 12:00 PM
Stashbot added a comment.Wed, Jun 10, 12:08 PM

Mentioned in SAL (#wikimedia-operations) [2026-06-10T12:08:08Z] <reedy@deploy1003> Finished scap sync-world: Backport for [[gerrit:1300104|Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups (T420792)]], [[gerrit:1300102|Mandatory2FAChecker: Allow getGroupsRequiring2FA() to work on implicit groups (T420792)]], [[gerrit:1299643|wmf-config: Add $wmgOATHAuthRequire2FAForAll config (T420792)]] (duration: 11m 06s)

Bugreporter added a comment.EditedWed, Jun 10, 1:20 PM

Sending a recovery code to everyone does not solve everything. Consider:

No matter how we do there will always users without 2FA in private wikis.

Reedy created subtask T428754: Don't necessarily require a confirmed email on ExpiringRecoveryCodeGenerator.Wed, Jun 10, 2:01 PM
Reedy added a comment.Wed, Jun 10, 4:21 PM
In T420792#12004658, @Bugreporter wrote:

No matter how we do there will always users without 2FA in private wikis.

Such is life. Doesn't mean they'll be able to use their account though.

Bugreporter added a comment.EditedWed, Jun 10, 4:51 PM
In T420792#12005613, @Reedy wrote:
In T420792#12004658, @Bugreporter wrote:

No matter how we do there will always users without 2FA in private wikis.

Such is life. Doesn't mean they'll be able to use their account though.

So what will happen if they try to login (at least some friendly error should be shown if they can not log in to set up 2FA at all). We should not surprise users comes back to private wikis years later.

A simple hack would be: (1) allow crats of private wikis to recover 2FA; (2) locked out users can then ask crats to set up 2FA. This does not always work; user may not easily know who crats of some private wiki are, and some private wikis may have no crats at all.

Reedy added a comment.Wed, Jun 10, 4:55 PM

The whole process hasn't been designed and implemented yet, but I'm sure we can cope with these cases.

I'm sure that it happens that people come back years later, but probably not that often. Many private wikis haven't been used in years.

Similarly, potentially editing MediaWiki:loginprompt or something to display information about this.

They'll also be able to reach out to T&S for help getting emails attached and/or recovery codes sent... As there's not going to be many private wiki users that don't have an equivalent presence on another WMF wiki, for example.

We explicitly don't allow email confirmation on private wikis either... Which is, yeah, a choice.

Bugreporter added a comment.EditedWed, Jun 10, 5:09 PM

private wikis haven't been used in years

but they may contain historical information that user may want to access.

A sixth scenario is someone who want to access a private wiki for whatever reason, and then created a task to do so (e.g. T243491, T327352, T184961#4470128). One way to get a private wiki account is let an admin inside create it, but user may not know who admins are, and they may be inactive or locked out (due to not having 2FA); some private wikis may have no admins at all. Another is using createAndPromote.php script, but accounts created that way have no 2FA and can not be used until 2FA is setup

potentially editing MediaWiki:loginprompt or something to display information about this.

This should be done in software, otherwise we need to edit it in every private wikis and likely no one has accounts on every private wikis.

Reedy added a comment.Wed, Jun 10, 5:14 PM

Sure, we can do it via WikimediaMessages, it's not a big deal.

None of this is insurmountable. Most of these private wikis aren't going to be having masses of people being signed up down the road, as an ad hoc process.

Same as the description dictates

When a new user is created, enable 2FA for them immediately, with recovery codes only.

Izno added a comment.Wed, Jun 10, 5:43 PM

Bugreporter, I'm going to be as gentle as possible and say that you're coming up with a whole bunch of edge cases that aren't going to be an issue with the processes in place as already described by Reedy. Please move on to something useful.

Reedy created subtask T428795: Confirm/handle adding initial 2FA codes to createAndPromote.php.Wed, Jun 10, 6:30 PM
Reedy closed subtask T428754: Don't necessarily require a confirmed email on ExpiringRecoveryCodeGenerator as Resolved.Thu, Jun 11, 10:31 PM
Catrope added a subtask: T428980: Managing 2FA after logging in with a recovery code should not require another recovery code.Thu, Jun 11, 11:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits