Page MenuHomePhabricator
Create Task
Maniphest T232336

Separate recovery codes into a separate MFA method
Open, Needs TriagePublic
Actions

Description

We should separate the Recovery codes from OATHAuth into a separate MFA authentication module and detach if from the TOTP method as WebAuthn does not have a (self) recovery method of its own.

See also: T218214#5474912

Related Objects
Search...

Event Timeline

TheDJ created this task.Sep 9 2019, 1:47 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 9 2019, 1:47 PM
Reedy subscribed.Sep 9 2019, 4:33 PM

I think then having this "backup/recovery code" module to be enable if one (or more) MFA methods are enabled... Makes complete sense

This might make T150601: Add option to generate new set of recovery codes easier too

TheDJ added a comment.EditedSep 9 2019, 7:28 PM

One problem, the current database structure only allows one set of 2fa credentials per user.... :(

id int(11) PK

where id is user_id

Reedy added a comment.Sep 9 2019, 7:40 PM

We have a decent size blob we can use though...

Reedy added a comment.Sep 10 2019, 12:07 AM
In T232336#5476334, @TheDJ wrote:

One problem, the current database structure only allows one set of 2fa credentials per user.... :(

id int(11) PK

where id is user_id

I do wonder if we can drop the module column, and just have that as part of the data....

AntiCompositeNumber subscribed.Jan 6 2020, 9:34 PM
Paladox subscribed.Jan 6 2020, 9:40 PM
Reedy mentioned this in T242031: Allow multiple different 2FA devices.Jan 6 2020, 9:47 PM
Reedy mentioned this in T244348: Recovery option for WebAuthn.Feb 5 2020, 6:57 PM
jeblad subscribed.May 23 2020, 12:02 PM
FozzieHey subscribed.Aug 9 2020, 12:57 PM
mdaniels5757 subscribed.Aug 9 2020, 5:55 PM
Stang subscribed.Jan 7 2022, 11:02 PM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Feb 17 2022, 3:36 PM
Legoktm mentioned this in T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB.Feb 18 2022, 8:59 AM
Legoktm added a subtask: T242031: Allow multiple different 2FA devices.Feb 18 2022, 9:54 AM
Legoktm added a parent task: T150601: Add option to generate new set of recovery codes.Feb 18 2022, 10:00 AM
Xaosflux subscribed.Feb 18 2022, 10:48 AM
deryckchan awarded a token.Feb 18 2022, 11:04 AM
Dringsim subscribed.Sep 24 2023, 1:04 PM
Reedy renamed this task from Separate recovery codes into a separate MFA method to Separate scratch/recovery codes into a separate MFA method.Dec 6 2023, 12:39 PM
Reedy mentioned this in T352855: Factor scratch tokens into own 2FA method.
Reedy merged a task: T352855: Factor scratch tokens into own 2FA method.
Reedy added a parent task: T244348: Recovery option for WebAuthn.
Reedy added a parent task: T352856: Recovery code improvements.Dec 6 2023, 12:44 PM
Reedy moved this task from User Experience to New 2FA Methods on the MediaWiki-extensions-OATHAuth board.
Reedy renamed this task from Separate scratch/recovery codes into a separate MFA method to Separate recovery codes into a separate MFA method.Jan 1 2024, 8:54 PM
Reedy updated the task description. (Show Details)
taavi added a parent task: T356004: Help password managers to detect TOTP login input.Apr 20 2024, 10:22 AM
Reedy mentioned this in T245027: Enable downloading recovery codes for two-factor (TOTP).May 14 2024, 5:17 PM
Tol subscribed.Jun 25 2024, 10:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits