Okay, the snarky comments were unnecessary.

In T283980#7136131, @DannyS712 wrote:

In T283980#7136114, @stjn wrote:

In T283980#7135209, @mmodell wrote:

Several of Phabricator's users and long time contributors are coming together to fork phabricator, with @epriestley's blessing and under a new name. I hope that Wikimedia will be a part of that effort, at least by sponsoring some of my time towards it, however, I intend to contribute in a personal capacity as much as I can.

Please name it Phork. Please name it Phork.

+1 to the name suggestion, but is there also any public documentation about this discussion and fork? I'd be interested in following along (and I'm sure others on this task would be too)

In T280392#7031243, @Bluerasberry wrote:

community has feelings about the name of this and I think the name choice should be a community discussion

see past conversation with lots of participation

https://meta.wikimedia.org/wiki/Talk:OTRS/Archives/2019#Proposal_for_name_change_-_%22Wiki_client_services%22

propose that there be a conversation before anyone takes action at scale

Also, the idea of centralizing the OTRS authentication has been discussed and rejected before: T133476: Proposal: Centralize OTRS login methodology. I proposed setting up an LDAP server years ago that would handle the authentication and role management, and the overhead was too high.

https://otrs-wiki.wikimedia.org/wiki/Greasemonkey_Scripts (Feel free to expand or rename) - I also ported to GitHub as opposed to the Paste, which was more maintainable.

In T263243#6475206, @Krd wrote:

Can you please put or link this somewhere on OTRS wiki? I think there are some more Greasemonkey scripts, at lease I have one that is a bit useful.

Hey, I don't know if this helps a lot, but I built a quick GreaseMonkey script that should restore the colors: https://github.com/Matthewrbowker/otrs-colors/raw/master/otrs-colors.user.js . This should work short-term until we decide what to do with our OTRS install.

In T122220#6473842, @akosiaris wrote:

In T122220#6471605, @Matthewrbowker wrote:

In T122220#6471256, @Krd wrote:

I appreciate that we have that feature now and do test it, but I second akosiaris' statement above that we don't have any process yet to recover an account. I guess if anybody locks out themselves at the moment we could be unable to recover the account. Please consider that OTRS admins may not have enough resources for assistance at the moment.
If 2fa forces us to rely on anything not verifyable during account recovery, it perhaps doesn't add much additional security.

This is my biggest concern as well. My feeling, at least for the trial period, would be to require a post to [[AR]] on OTRS wiki. But, if we have to remove their 2FA token we also scramble their password and force them to reset it.

Long-term, we need a better solution (like a committed identity that enwiki has) - but all of that is taking more time from an already stretched thin admin team.

Another question/idea would be: How hard are OTRS modules to build? We could theoretically build an enhanced version of the built-in 2FA module, which allowed for scratch codes and hide the generator token.

A more suitable question would be "How costly are OTRS modules to maintain?" as I my experience up to now with OTRS modules is that most of their cost goes into maintenance and not building them. And since we would be probably patching the current implementation, it would be considerable. We would need to find someone to do build it and maintain it down the road.

In T122220#6471256, @Krd wrote:

I appreciate that we have that feature now and do test it, but I second akosiaris' statement above that we don't have any process yet to recover an account. I guess if anybody locks out themselves at the moment we could be unable to recover the account. Please consider that OTRS admins may not have enough resources for assistance at the moment.
If 2fa forces us to rely on anything not verifyable during account recovery, it perhaps doesn't add much additional security.

@DannyS712 Awesome, thank you for taking care of that!

I have also enabled 2FA on my account. It's a bit of a scary process currently - I'm used to being asked that 2FA is set up correctly by inputting a code. Instead, the interface just assumes that you're set up correctly, which makes it easy to lock your account.

+1 to the lab rat queue, I'd love to test this.

In T262399#6450086, @Cyberpower678 wrote:

Isn’t the edit counter supposed to issue a replay warning in these instances?

That's why I didn't tag any project admins yet, I wanted to open it for wider discussion from the XTools maintainers before I went ahead and implemented.

@MusikAnimal @Cyberpower678 Do we want to use the banner system to maybe add a message linking to T262239 on prod? Otherwise, I fear we're going to see multiple tasks related to this.