== Situation ==
* Some folks shall better use 2FA in Phabricator (see e.g. `T304792`).
* When 2FA needs a reset, @aklapper often contacted via a private message in misc blackboxes (private emails, Slack messages).
* SMS for 2FA does not exist (insecure; [old upstream did not like that](https://secure.phabricator.com/T13241)) plus we have no phone numbers in Phab.
* Phab lacks backup codes for 2FA ([old upstream task](https://secure.phabricator.com/T6549); no new upstream task in Phorge yet).
* Per https://wikitech.wikimedia.org/wiki/Phabricator#Removing_Two_Factor_Authentication , resetting a Phab user's 2FA requires running `/srv/phab/phabricator/bin/remove destroy @PhabUserName` on the shell of the [Phab server](https://wikitech.wikimedia.org/wiki/Phabricator). That action requires being listed in the ["members" array in the "phabricator-admin" section](https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/modules/admin/data/data.yaml) or a larger group (e.g. #SRE).
* Andre had a quick conversation with Security's @acooper on 2023-04-25.
== Problem ==
* It does not scale when often only @aklapper is getting contacted via a private message and @aklapper is a bottleneck.
* Recently a reset was performed by an SRE member (@aklapper appreciates that) - resetter also wondered about the process and if they are entitled to act.
* Lack of process of who and how to contact multiple folks - usually [Phab admins](https://phabricator.wikimedia.org/people/query/DktdoFyuGYMN/#R) (though not technically required) with shell access who can perform a Phabricator 2FA reset.
* Lack of guidelines how to verify requests - committed identities on wiki, video calls, maybe WMF Slack messages if staff, etc?
== Potential stakeholders ==
* #release-engineering-team: ?
* #serviceops-collab: ?
* #Security-Team: out of scope per T306708#8661705
== To do ==
* Define a place where 2FA reset requests can be brought up when user cannot log into Phab anymore. Place needs to be documented and communicated. Place needs to be reachable by reporter. Place needs to be watched by resetter.
* Define sufficient verification means: For staff, is sync [video chat a hard requirement](https://phabricator.wikimedia.org/T334480#8772147)? Could an async private email or a private Slack message also be secure enough and sufficient? Or any other async means?
* Define what's sufficient verification when requester is no staff member.
* Define group who to watch the place where 2FA reset requests are brought up and to perform such resets.
* Document outcomes of this task by updating https://www.mediawiki.org/wiki/Phabricator/Help/Two-factor_Authentication_Resets and https://wikitech.wikimedia.org/wiki/Phabricator#Removing_Two_Factor_Authentication
**Offtopic** for this task: [Security ticket access](https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues); user renames; adding members to restricted groups; etc