
Lars.Dormans (RedSpeeds)


User does not belong to any projects.



User Details

User Since
Mar 11 2018, 7:35 PM (323 w, 6 d)
MediaWiki User
Lars.Dormans [ Global Accounts ]

Recent Activity

Jul 16 2023

Lars.Dormans added a comment to T244088: Logging in at another wiki than WebAuth was set up fails.
Jul 16 2023, 2:30 PM · MW-1.35-notes (1.35.0-wmf.28; 2020-04-14), MediaWiki-extensions-OATHAuth

Jun 15 2023

Lars.Dormans updated Lars.Dormans.
Jun 15 2023, 12:11 PM

May 16 2020

Lars.Dormans created T252954: Unable to use webAuthn outside of registration domain.
May 16 2020, 10:51 PM · MediaWiki-extensions-OATHAuth

Mar 11 2018

Lars.Dormans added a comment to T150565: Support physical OATH/OTP devices.

Seeing as U2F is indeed the most universal tool in the shed at this point, I too would favor declining this and instead using T100373: WebAuthn (U2F) integration for Extension:OATHAuth, since this would save developers from having to work with tons of device-specific APIs.

Mar 11 2018, 8:22 PM · MediaWiki-extensions-OATHAuth
Lars.Dormans awarded T150601: Add option to generate new set of recovery codes a Like token.
Mar 11 2018, 8:19 PM · MediaWiki-extensions-OATHAuth
Lars.Dormans added a comment to T150903: Alert sre/security on many 2FA failures.

A brute-force attack on a 2FA-enabled account is kinda impossible, since the code changes every 30 seconds and you have 10.077.696 possible combinations. I personally think the web server is able to handle that many requests in 30 seconds.

Mar 11 2018, 8:07 PM · Sustainability (Incident Followup), Security, MediaWiki-extensions-OATHAuth
Lars.Dormans added a comment to T166622: Allow all users on all wikis to use OATHAuth.
Mar 11 2018, 8:03 PM · Goal, Security, Security-Team, Trust-and-Safety, MediaWiki-extensions-OATHAuth, Wikimedia-Site-requests
Lars.Dormans added a comment to T174937: Emphasise importance of recovery codes.

Give users a prompt on a timer stating that they should save their backup codes or, like I do for some of my applications, only allow them to continue the 2FA setup if you detect they pressed the download button.
Also, don't forget to give massive warning texts; they should be big and bold so users notice them and don't spam next.

Mar 11 2018, 7:59 PM · MW-1.42-notes (1.42.0-wmf.14; 2024-01-16), Documentation, MediaWiki-extensions-OATHAuth
Lars.Dormans added a comment to T180896: Allow functionaries to reset second factor on low-risk accounts.

This is the problem with 2FA: it's supposed to be a system where the user needs something not digital to log in. An email account can be hacked, so if they manage to get a reset token mailed to them, the physical aspect is gone, because there is now a digital access code in an email account which can be hacked. However, it's not viable to send a physical letter to every user who lost their 2FA. However, for low-profile users without any additional permissions this is an option, but it's something you need to consider because it's bound to in some way take away the physical aspect. In my opinion we explicitly state that if you lose your codes somehow your account is gone. This of course would not apply to people who can physically ID themselves, i.e. an admin.

Mar 11 2018, 7:56 PM · SecTeam-Processed, Security-Team, Security, MediaWiki-extensions-OATHAuth, Trust-and-Safety, WMF-Legal, MW-1.34-notes (1.34.0-wmf.1; 2019-04-16)
Lars.Dormans added a watcher for MediaWiki-extensions-OATHAuth: Lars.Dormans.
Mar 11 2018, 7:44 PM