Add explicit log entry when user presented with 2FA challenge
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Reedy
	May 9 2026, 11:28 PM

Project Tags

Referenced Files

None

Subscribers

Aklapper

Reedy

Description

Depending on logging settings, what appears in your logs varies.

It's impossible to tell whether a 2FA challenge was actually presented (unless a pass/fail happens) in WMF production.

For example on my dev wiki, we see:

2026-05-09 23:19:34 ubuntu64-web-esxi wikidb-mw_: Reedy successfully logged in using temp password
2026-05-09 23:19:34 ubuntu64-web-esxi wikidb-mw_: Primary login with MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider succeeded
2026-05-09 23:19:34 ubuntu64-web-esxi wikidb-mw_: Secondary login with MediaWiki\Extension\OATHAuth\Auth\SecondaryAuthenticationProvider returned UI
2026-05-09 23:19:46 ubuntu64-web-esxi wikidb-mw_: OATHAuth user Reedy entered a valid OTP from $IP
2026-05-09 23:19:46 ubuntu64-web-esxi wikidb-mw_: Secondary login with MediaWiki\Extension\OATHAuth\Auth\SecondaryAuthenticationProvider succeeded
2026-05-09 23:19:46 ubuntu64-web-esxi wikidb-mw_: Secondary login with MediaWiki\Extension\EmailAuth\EmailAuthSecondaryAuthenticationProvider succeeded
2026-05-09 23:19:46 ubuntu64-web-esxi wikidb-mw_: Secondary login with MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider returned UI

But those don't appear in WMF production, as we don't track "debug" logs:

					case AuthenticationResponse::PASS:
						$this->logger->debug( 'Secondary login with {id} succeeded', [
							'id' => $id,
						] );

It would be useful if we had a OATHAuth user {username} was presented a 2FA challenge type warning when they get past the password, but are presented a form to do something.

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	Explicitly log when 2FA challenge presented to user	mediawiki/extensions/OATHAuth	master	+17 -2

Customize query in gerrit

Event Timeline

Reedy created this task.May 9 2026, 11:28 PM

Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptMay 9 2026, 11:28 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Change #1285508 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Explicitly log when 2FA challenge presented to user

https://gerrit.wikimedia.org/r/1285508

gerritbot added a project: Patch-For-Review.May 10 2026, 12:04 AM

Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.May 11 2026, 4:44 PM

Change #1285508 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Explicitly log when 2FA challenge presented to user

https://gerrit.wikimedia.org/r/1285508

Reedy closed this task as Resolved.Tue, May 26, 11:40 PM

Reedy claimed this task.

Maintenance_bot removed a project: Patch-For-Review.Wed, May 27, 12:31 AM

Add explicit log entry when user presented with 2FA challengeClosed, ResolvedPublicActions

Description

Details

Event Timeline

Add explicit log entry when user presented with 2FA challenge
Closed, ResolvedPublic
Actions