Page MenuHomePhabricator
Create Task
Maniphest T166622

Allow all users on all wikis to use OATHAuth
Open, MediumPublic
Actions

Assigned To
None
Authored By
Reedy
May 30 2017, 9:16 PM
Tags
Referenced Files
None
Subscribers
94rain
A_smart_kitten
AfroThundr3007730
Ahm_masum
Aklapper
alaa
Amire80
View All 56 Subscribers
Tokens
"Like" token, awarded by Dalba."Heartbreak" token, awarded by awight."Like" token, awarded by Wong128hk."Like" token, awarded by Sniper296."Like" token, awarded by Liuxinyu970226."Like" token, awarded by Luke081515.

Description

I thought we had a task for this, but I can't seem to find one...

We eventually want to enable OATHAuth on all wikis, for all users, pending a few usability improvements

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 30 2017, 9:16 PM
Reedy triaged this task as Medium priority.May 30 2017, 9:16 PM
Reedy mentioned this in T100373: WebAuthn (U2F) integration for Extension:OATHAuth.
Reedy added a subtask: T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.
Anomie subscribed.May 30 2017, 9:22 PM

It already is deployed on all wikis.

Reedy renamed this task from Deploy Extension OATHAuth to all wikis to Allow all users on all wikis to use OATHAuth.May 30 2017, 9:25 PM
In T166622#3302241, @Anomie wrote:

It already is deployed on all wikis.

Duh. Subject changed to mean what I actually meant

TheDJ subscribed.May 30 2017, 9:45 PM
Luke081515 awarded a token.May 31 2017, 1:51 PM
Luke081515 subscribed.
TerraCodes subscribed.Jun 7 2017, 6:44 AM
Daylen subscribed.Jul 18 2017, 5:03 AM
MarcoAurelio moved this task from Backlog to Analysis / under discussion on the Wikimedia-Site-requests board.Aug 13 2017, 7:10 PM
Liuxinyu970226 subscribed.Nov 9 2017, 5:07 AM
Liuxinyu970226 awarded a token.Nov 15 2017, 1:44 PM
Sniper296 awarded a token.Jan 20 2018, 8:05 PM
Sniper296 subscribed.
Lars.Dormans subscribed.Mar 11 2018, 8:03 PM
This comment was removed by Lars.Dormans.
Wong128hk awarded a token.Mar 12 2018, 1:22 AM
Wong128hk subscribed.
jrbs added a project: Trust-and-Safety.May 9 2018, 1:31 AM
jrbs moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.
jrbs added a subscriber: Jalexander.
jrbs subscribed.
Tgr merged a task: T150577: Enable OATHAuth for all users.Jul 24 2018, 8:55 AM
Tgr added subscribers: Lucas_Werkmeister_WMDE, MisterSynergy, BethNaught and 8 others.
Tgr mentioned this in T200052: Mandate that account passwords must be a minimum of eight characters on Wikimedia projects.Jul 24 2018, 8:59 AM
AfroThundr3007730 subscribed.Aug 20 2018, 10:25 PM
Bawolff edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 4:32 PM
sbassett subscribed.Oct 29 2018, 6:15 PM
Tgr mentioned this in T197160: All security-sensitive MediaWiki functionality should require elevated security.Dec 6 2018, 8:19 AM
Tgr subscribed.Dec 6 2018, 8:22 AM

I guess the blockers for this (beyond what's already captured in the task graph) are T180896: Allow functionaries to reset second factor on low-risk accounts and T150601: Add option to generate new set of recovery codes / T131788: Users should be notified when only two recovery codes are left? Is anything else considered necessary?

Reedy added a comment.Dec 6 2018, 8:34 AM

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

Liuxinyu970226 added a comment.Dec 6 2018, 12:04 PM

@Tgr and @Reedy, yep, this task is directly related to the #10 of Community-Wishlist-Survey-2019: 2FA available for all concerned editors

TheDJ added a comment.Dec 6 2018, 12:49 PM

@Tgr I think in the past we also said that some UI and interface messaging rework was needed to make the steps more understandable, esp around the topic of scratchcodes.

sbassett added a comment.EditedDec 6 2018, 4:01 PM

Trust-and-Safety might have some additional thoughts here, as they currently manage the operational work around OATHAuth. Though the tasks @Tgr mentioned (T166622#4802577) should alleviate most of their concerns, I'd imagine.

Tgr added a comment.Dec 7 2018, 1:48 AM
In T166622#4802614, @Reedy wrote:

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

In T166622#4803311, @TheDJ wrote:

@Tgr I think in the past we also said that some UI and interface messaging rework was needed to make the steps more understandable, esp around the topic of scratchcodes.

T150868: Expand recovery code instruction with advice to mark which codes you have used I guess?

Reedy added a comment.Dec 7 2018, 6:27 AM
In T166622#4805023, @Tgr wrote:
In T166622#4802614, @Reedy wrote:

Ideally, IMHO, being able to do a device swap without disabling and re-enabling should be in there too (not sure where the task is for that straight off)

I guess that's T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling? (that title is not super helpful)

I think so, title improved a little bit

Reedy added a comment.Dec 7 2018, 6:38 AM
In T166622#4803222, @Liuxinyu970226 wrote:

@Tgr and @Reedy, yep, this task is directly related to the #10 of Community-Wishlist-Survey-2019: 2FA available for all concerned editors

Actually implementing that task is easy (removing 10-15 lines from wmf-config)... It's the tasks mentioned above that need fixing first before we will do that

Tgr mentioned this in T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.Dec 7 2018, 6:53 PM
Tgr edited subtasks, added: T150601: Add option to generate new set of recovery codes, T131788: Users should be notified when only two recovery codes are left, T172079: Allow OATHAuth users with 2FA already enabled to add / switch devices without disabling, T150868: Expand recovery code instruction with advice to mark which codes you have used; removed: T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production.Dec 10 2018, 7:07 AM
Tgr added a subtask: T180896: Allow functionaries to reset second factor on low-risk accounts.
Tgr added a comment.Dec 10 2018, 7:11 AM

This is not really blocked on forcing on anyone 2FA, so rearranged the dependency tree a bit.

Tomybrz subscribed.Dec 27 2018, 3:36 PM

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Reedy added a comment.Dec 27 2018, 3:38 PM
In T166622#4844659, @Tomybrz wrote:

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Why?

Tomybrz added a comment.EditedDec 28 2018, 11:34 PM
In T166622#4844661, @Reedy wrote:
In T166622#4844659, @Tomybrz wrote:

Hi, Please keeping (or try to keep) "Two-factor authentication testers" group for historical use . Thanks

Why?

Because we are actually "Beta tester" for a long time and i would like to keep a memory in my SUL :) (i'm not a Beta tester anymore since i'm mediawiki admin)

Urbanecm merged a task: T214376: Add "oathauth-enable" to all user group rights by default on all Wikimedia wiki projects.Jan 22 2019, 1:04 PM
Urbanecm added subscribers: Tulsi_Bhagat, Dereckson, Jayprakash12345 and 4 others.
taavi subscribed.Mar 16 2019, 6:43 PM
RhinosF1 subscribed.Apr 3 2019, 10:10 PM
Lofhi subscribed.Apr 12 2019, 12:06 PM
Meisam subscribed.May 6 2019, 11:49 AM
Yyn1312 moved this task from Security/Abuse to Backlog on the Trust-and-Safety board.May 15 2019, 7:35 AM
Aklapper moved this task from Backlog to Security/Abuse on the Trust-and-Safety board.May 16 2019, 11:56 AM
94rain subscribed.Jun 11 2019, 4:34 AM
Rail subscribed.Aug 7 2019, 8:01 AM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
awight awarded a token.Jun 25 2020, 10:55 AM
awight subscribed.
awight added a comment.Jun 25 2020, 11:00 AM

It's really a pain to enable 2FA on an account, because of a chicken-and-egg problem: The only users with oathauth-enable rights (allowing them to turn on 2FA) are those with elevated privileges—but you shouldn't have those privileges until 2FA is enabled!

Reedy added a comment.Jun 25 2020, 11:31 AM
In T166622#6256084, @awight wrote:

It's really a pain to enable 2FA on an account, because of a chicken-and-egg problem: The only users with oathauth-enable rights (allowing them to turn on 2FA) are those with elevated privileges—but you shouldn't have those privileges until 2FA is enabled!

There’s an oathauth-testers group for anyone that wants 2FA but isn’t in a priv group

The issues why we haven’t rolled it out widely are still the same

awight added a comment.Jun 25 2020, 2:36 PM
In T166622#6256156, @Reedy wrote:

There’s an oathauth-testers group for anyone that wants 2FA but isn’t in a priv group

Thanks, I'll paste a pointer here in case others find themselves in the same situation:
https://meta.wikimedia.org/wiki/Steward_requests/Global_permissions#Requests_for_2_Factor_Auth_tester_permissions

Evrifaessa subscribed.Jul 26 2020, 4:05 PM
alaa subscribed.Sep 30 2020, 12:05 PM
Base subscribed.Sep 30 2020, 12:13 PM
Meirae subscribed.Sep 30 2020, 2:52 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:02 PM
Smarti subscribed.Nov 16 2020, 11:11 PM
Reedy added a project: Goal.Feb 1 2021, 9:29 PM
Reedy mentioned this in T180896: Allow functionaries to reset second factor on low-risk accounts.
SpartacksCompatriot subscribed.May 16 2021, 3:14 PM
Zabe subscribed.Oct 31 2021, 1:16 AM
Stang subscribed.Mar 3 2022, 5:48 AM
IAmChaos subscribed.Jul 9 2022, 4:25 AM
TheresNoTime changed the status of subtask T180896: Allow functionaries to reset second factor on low-risk accounts from Stalled to Open.Sep 26 2022, 6:11 PM
PolyversialMind subscribed.Oct 6 2022, 8:41 PM
Ahm_masum subscribed.Jan 30 2023, 6:52 PM
Reedy moved this task from Backlog to External on the MediaWiki-extensions-OATHAuth board.Nov 30 2023, 5:58 PM
MaterialWorks subscribed.Dec 30 2023, 2:53 PM
Reedy closed subtask T150868: Expand recovery code instruction with advice to mark which codes you have used as Resolved.Jan 11 2024, 3:08 PM
Novem_Linguae subscribed.Apr 25 2024, 9:05 AM
Dalba awarded a token.Aug 29 2024, 3:53 AM
valerio.bozzolan subscribed.Oct 6 2024, 4:38 PM
Pppery moved this task from Analysis / under discussion to Blocked on development on the Wikimedia-Site-requests board.Oct 20 2024, 2:28 AM
Reedy closed subtask T131788: Users should be notified when only two recovery codes are left as Resolved.Nov 2 2024, 1:29 PM
A_smart_kitten subscribed.Nov 14 2024, 3:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits