T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis
Phabricator (Maniphest) task. Status: Open, Medium. Visibility: Public.
Assigned To: None
Authored By: Jdforrester-WMF, Nov 16 2016, 9:29 PM (2016-11-16 21:29:24 UTC+0)
Tags: MediaWiki-User-login-and-signup (Backlog), Wikimedia-Site-requests (External), Stewards-and-global-tools (Untriaged), Security, Sustainability (Incident Followup), User-notice (Already announced/Archive)
Description
For private and fishbowl wikis, probably all accounts.
For other wikis, on a case-by-case basis.
For SUL wikis, probably the "global groups" of staff, sysadmins, stewards, ombudsmen, global-sysops, abusefilter-helpers, interface-editors, and founder, and the local per-wiki equivalents (at least for bureaucrat, checkuser, suppression, and interface-admin).
For meta, various groups which can make changes with a global effect (like renamer or CentralNotice admin).
For wikitech, users with SSH keys.
This might require some or all of the same UX improvements that block T166622: Allow all users on all wikis to use OATHAuth.
Related incident:
Related: {T209478}; T197160: All security-sensitive MediaWiki functionality should require elevated security
Details
Related Changes in Gerrit:
Subject | Repo | Branch | Lines +/-
Revert^2 "OATHAuth: Mark checkuser and suppress as requiring 2FA" | operations/mediawiki-config | master | +6 -2
OATHAuth: Mark checkuser and suppress as requiring 2FA | operations/mediawiki-config | master | +6 -2
Related Objects
Task Graph
Status | Assigned | Task
(Restricted Task)
Open | None | T150898: Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis
(Restricted Task)
Declined | None | T197501: Make users without 2FA setup not have checkuser right regardless of their groups
Resolved | mszwarc | T150562: Be able to force OATHAuth for certain user groups
Resolved | EggRoll97 | T265726: Assign oathauth-verify-user to bureaucrats on WMF wikis
Declined | None | T282624: Limit IA granting/revoking to stewards only
(Restricted Task)
Resolved | mszwarc | T391699: Add functionality to disallow bureaucrats who do not have 2fa enabled to grant certain privileged rights/groups
Resolved | mszwarc | T406544: Create a way to technically enforce policies for restricted groups
Resolved | mszwarc | T405575: Share logic between Special:UserRights and Special:GlobalGroupMembership
Resolved | mszwarc | T406003: Share the UI generation between Special:UserRights and Special:GlobalGroupMembership
Resolved | Tchanders | T404436: Investigate implementing requirements for membership of local groups
Resolved | Tchanders | T117884: Convert Special:UserRights to HTMLForm
Resolved | matmarex | T123935: Use CheckboxMultiSelectWidget (when it exists) in HTMLMultiSelectField
Resolved | matmarex | T117782: Implement CheckboxMultiselectWidget (and CheckboxMultiselectInputWidget)
Resolved | Huji | T153927: OOjs UI should allow disabling specific options of CheckboxMultiselectInputWidget
Resolved | Jayprakash12345 | T204411: Introduce HTMLGlobalUserTextField::class for global users
Resolved | Reedy | T406547: Create service for checking conditions used by autopromote
Resolved | mszwarc | T407886: Create a service for validating whether a user can be added to a restricted group
Resolved | mszwarc | T407889: Update UserRequirementsConditionChecker to handle target users for UserGroupAssignmentService
Resolved | mszwarc | T408181: Update UserEditTracker to support users from remote wikis
Resolved | mszwarc | T408182: Update LocalUserRegistrationProvider to support users from remote wikis
Resolved | Niharika | T352871: Factor user registration loading to LocalUserRegistrationProvider
Resolved | mszwarc | T408184: Replace AutopromoteCondition hook with a more general one, which supports non-performer users and remote users
Resolved | Reedy | T409718: Remove $wgCheckUserGroupRequirements and related code
Resolved | Reedy | T409717: Configure temporary-account-viewer group to use RestrictedGroups config
Resolved | Tchanders | T409714: Update UserGroupAssignmentService to check restricted groups
(Restricted Task)
Open | None | T390386: Be able to force OATHAuth for certain global user groups
Open | None | T410076: Allow technically enforcing policies for restricted global groups
Resolved | mszwarc | T422119: Check restricted global groups when granting
Resolved | mszwarc | T422123: Support declaring conditions for global groups
Resolved | mszwarc | T422133: Make GlobalGroupAssignmentService check conditions for global groups
Resolved | mszwarc | T422138: Reflect the group restrictions on Special:GlobalUserRights
Resolved | mszwarc | T422605: Add 'scope' option in $wgRestrictedGroups
Open | mszwarc | T423074: Prevent members of a 2FA-enforced global group from disabling 2FA
Open | mszwarc | T423075: Display global group restrictions on Special:GlobalGroupPermissions
Resolved | mszwarc | T414907: Enforce 2FA-requiring groups using $wgRestrictedGroups
Resolved | mszwarc | T414909: Implement "has 2FA" as a condition for $wgRestrictedGroups
Resolved | mszwarc | T414911: Handle 2FA condition through UserRequirementsCondition hook
Resolved | mszwarc | T414912: Support private user group conditions
Resolved | mszwarc | T414913: Log attempts to grant 2FA-requiring groups to 2FA-less users
Resolved | mszwarc | T415491: Add a hook, which is triggered when adding user to restricted group with private conditions
Resolved | mszwarc | T414952: Prevent 2FA-required users from disabling their last 2FA method
Resolved | mszwarc | T416694: Investigate on how many wikis users have local groups
Resolved | mszwarc | T416859: Implement a service to check if 2FA is required for user
Resolved | mszwarc | T415883: Create a special page to generate additional recovery keys for other users
Resolved | mszwarc | T416484: Override notifications related to 2FA recovery, so that they refer to Wikimedia concepts
Resolved | mszwarc | T420200: Special:Recover2FAForUser should generate short-lived recovery codes
Resolved | mszwarc | T420201: OATHAuth: Add support for expiring recovery codes
Resolved | mszwarc | T416482: Update documentation on MediaWiki.org to reflect additions in PSI Daffodil sprint, related to 4.6.5 Tech enforcement
Resolved | mszwarc | T417880: Set OATH2FARequiredGroupRemovalPages value for Wikimedia cluster
Resolved | mszwarc | T417885: $wgRestrictedGroups: implement continuous checking of requirements
Resolved | mszwarc | T418579: Implement a maintenance script to demote users who don't meet conditions specified in $wgRestrictedGroups
Resolved | mszwarc | T6055: Interwiki rights logs should be duplicated at related wikis
Resolved | Ladsgroup | T422942: Consider fixing invalid titles in rights log (Meta-Wiki and ptwiki)
Resolved | mszwarc | T418580: Deploy 2FA requirement using $wgRestrictedGroups to Wikimedia production, instead of OATHAuth's custom config
Resolved | mszwarc | T419111: Send Echo notification to 2FA-less users who are required to have 2FA
Resolved | mszwarc | T420214: Ensure stewards are notified when checkusers and oversighters are automatically demoted due to lack of 2FA
Open | None | T420792: Allow 2FA to be enforced for all accounts on a private wiki
In Progress | Reedy | T423899: Create maintenance script to send notifications that they need to enable 2FA for continued access to the wiki
In Progress | Reedy | T423900: Create notification to tell users they need to enable 2FA on the wiki
Open | None | T424251: Make a maintenance script version of Special:Recover2FAForUser
Open | None | T424252: Create a maintenance script to make 2FA stats for a wiki (non blocked users)
Open | None | T423116: FY25-26 Q4: 2FA enforcement for local and global groups in Wikimedia production
Open | None | T423118: FY25-26 Q4: Phase 1 of 2FA enforcement in Wikimedia production
Open | None | T423119: FY25-26 Q4: Phase 2 of 2FA enforcement in Wikimedia production
Open | None | T423120: FY25-26 Q4: Phase 3 of 2FA enforcement in Wikimedia production
Mentioned In
T418579: Implement a maintenance script to demote users who don't meet conditions specified in $wgRestrictedGroups
T396061: Groups requiring 2FA via $wgOATHRequiredForGroups do not clearly warn users without 2FA that their permissions were truncated
T351901: Create special page where you can check if someone has 2FA turned on
T282624: Limit IA granting/revoking to stewards only
T265726: Assign oathauth-verify-user to bureaucrats on WMF wikis
T215046: RfC: Use Github login for mediawiki.org
T197160: All security-sensitive MediaWiki functionality should require elevated security
T197137: Editing sitewide JS/CSS pages should require elevated security
Mentioned Here
T232336: Separate recovery codes into a separate 2FA module
T391737: Require users to prove they saved their scratch codes
T150903: Alert sre/security on many 2FA failures
T151738: OATH code field should show numeric keyboard on mobile devices
T158379: Warn the user after a certain number of failed 2FA attempts
T203256: OATH (2FA) needs an option to remember device but not keep user logged in
T208668: Do not ask for password on reauthentication when 2FA is enabled
T232639: Get UX review for OATHAuth/WebAuthn
T289086: Allow iOS/macOS/iPadOS to autofill 2fa codes
T301992: Insert CheckUser row events during certain 2FA actions
T352864: Use Wikipedia Mobile app as 2FA?
T356004: Help password managers to detect TOTP login input
T358771: Unable to login on iPhone with Passkey Enabled
T363652: publicKey.pubKeyCredParams is missing at least one of the default algorithm identifiers: ES256 and RS256
T390386: Be able to force OATHAuth for certain global user groups
rOMWC74c6f82c8449: OATHAuth: Mark interface-admin as requiring 2FA
rEOAT498dcfeb80fc: Require OATHAuth for membership in specified user groups
T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB
T242031: Allow multiple different 2FA devices
T197160: All security-sensitive MediaWiki functionality should require elevated security
T197501: Make users without 2FA setup not have checkuser right regardless of their groups
T201784: Implement option "require two-factor authentication only for dangerous actions"
T150902: SMS based 2FA
T166622: Allow all users on all wikis to use OATHAuth
T131788: Users should be notified when only two recovery codes are left
T150601: Add option to generate new set of recovery codes
T180896: Allow functionaries to reset second factor on low-risk accounts
Event Timeline
There are a very large number of changes, so older changes are hidden.
jrbs added a comment. Mar 1 2022, 10:43 PM (2022-03-01 22:43:37 UTC+0)
In T150898#7720672, @Legoktm wrote:
> @jrbs @Reedy, who should sign off on enabling this? And could we get a list of groups it should apply to? Note that we can currently only do it for local groups, not global ones.
I'm not totally sure. The usual blocker is bandwidth for undoing 2FA on request because we have no way to scale that at the moment. But it's obviously creating a weird world in which 2FA is required but not mandatory which is not ideal.
T&S has a bunch of other stuff to keep tabs on at the moment but I'll see what the team thinks at the moment.
sbassett added a comment. Mar 2 2022, 9:33 PM (2022-03-02 21:33:50 UTC+0)
In T150898#7746049, @jrbs wrote:
> In T150898#7720672, @Legoktm wrote:
>> @jrbs @Reedy, who should sign off on enabling this? And could we get a list of groups it should apply to? Note that we can currently only do it for local groups, not global ones.
> I'm not totally sure. The usual blocker is bandwidth for undoing 2FA on request because we have no way to scale that at the moment. But it's obviously creating a weird world in which 2FA is required but not mandatory which is not ideal.
> T&S has a bunch of other stuff to keep tabs on at the moment but I'll see what the team thinks at the moment.
I'd agree that it's problematic to do this without *some* type of accompanying support process in place for when people lose devices, lose scratch codes, etc. since it's difficult or impossible to fully automate those re-verification steps at this time. For the non-wikitech wikis mentioned within the task description, enforcing 2FA for the suggested groups is just a config change, I believe, which could happen soon if folks find a greater value in having said config changes put into production over properly-defined and scaled support.
Legoktm added a comment (edited). Mar 3 2022, 2:11 AM (2022-03-03 02:11:11 UTC+0)
In T150898#7746049, @jrbs wrote:
> In T150898#7720672, @Legoktm wrote:
>> @jrbs @Reedy, who should sign off on enabling this? And could we get a list of groups it should apply to? Note that we can currently only do it for local groups, not global ones.
> I'm not totally sure. The usual blocker is bandwidth for undoing 2FA on request because we have no way to scale that at the moment. But it's obviously creating a weird world in which 2FA is required but not mandatory which is not ideal.
> T&S has a bunch of other stuff to keep tabs on at the moment but I'll see what the team thinks at the moment.
It would be nice if we could get updated statistics on how many users in these groups don't currently have 2FA enabled, as ideally that's how many more users will be "forced" to enable 2FA. If it's one or two people, I think the increased support burden is going to be pretty minimal and not worth delaying on. If it's a significant amount, then I think the support concern is very reasonable, but that we also have a lot of valuable accounts NOT protected by 2FA, which this change would hopefully remedy.
Relatedly, after I finish T145915, next on my list is working on T242031: Allow multiple different 2FA devices and siblings (have some WIP stuff locally), which I hope will reduce the support burden since it'll be harder for people to get locked out. Hopefully I will have time to get that done within the next month or so. We could also wait on that.
HouseBlaster subscribed. Oct 11 2022, 12:29 AM (2022-10-11 00:29:22 UTC+0)
Ahm_masum subscribed. Jan 30 2023, 6:58 PM (2023-01-30 18:58:26 UTC+0)
Zabe added a comment. Feb 5 2023, 3:37 PM (2023-02-05 15:37:03 UTC+0)
I think we can start enforcing 2FA for interface-admins, since we already require 2FA for those per policy.
sbassett added a comment. Feb 10 2023, 6:02 PM (2023-02-10 18:02:04 UTC+0)
In T150898#8587901, @Zabe wrote:
> I think we can start enforcing 2FA for interface-admins, since we already require 2FA for those per policy.
We can, but that introduces at least a few hundred more users (e.g. P43319) into a system that has several critical, manual processes which still are not explicitly owned or fully-resourced by any WMF teams AFAIK.
MarcoAurelio added a comment. Feb 10 2023, 6:32 PM (2023-02-10 18:32:19 UTC+0)
Maybe this wasn't designed for the following use case, but how would this work for regular users in private wikis with read/write restricted (e.g. officewiki, to name one)? If the rEOAT498dcfeb80fc: Require OATHAuth for membership in specified user groups description is accurate ("their membership in those groups will be disabled"), it'd appear that enabling $wgOATHRequiredForGroups for the user group would prevent them from even logging in?
If the above is true, I'd say the user should be offered some limited access to their user space (User, User Talk, subpages) and Special:Preferences so they can set up 2FA, while disallowing everything else until 2FA is enabled, including read access for the rest of the pages.
Novem_Linguae subscribed. Nov 23 2023, 5:27 PM (2023-11-23 17:27:31 UTC+0)
Novem_Linguae mentioned this in T351901: Create special page where you can check if someone has 2FA turned on. Nov 23 2023, 5:29 PM (2023-11-23 17:29:49 UTC+0)
Johannnes89 subscribed. Jan 12 2024, 10:30 AM (2024-01-12 10:30:52 UTC+0)
Novo_Tape subscribed. Feb 15 2024, 9:28 PM (2024-02-15 21:28:55 UTC+0)
Daimona subscribed. Mar 28 2025, 1:57 PM (2025-03-28 13:57:39 UTC+0)
Tgr reopened subtask T150562: Be able to force OATHAuth for certain user groups as Open. Mar 29 2025, 3:32 PM (2025-03-29 15:32:46 UTC+0)
Tgr added a comment. Mar 29 2025, 3:35 PM (2025-03-29 15:35:03 UTC+0)
Was done for interface admins yesterday: rOMWC74c6f82c8449: OATHAuth: Mark interface-admin as requiring 2FA
Tgr added a subtask: Restricted Task. Mar 29 2025, 3:36 PM (2025-03-29 15:36:22 UTC+0)
Tgr added a subtask: T265726: Assign oathauth-verify-user to bureaucrats on WMF wikis
Tgr added a subtask: Restricted Task
Tgr updated the task description. Mar 29 2025, 3:39 PM (2025-03-29 15:39:08 UTC+0)
One thing that I think would make a lot of sense conceptually is to require elevated security mode for everything (T197160: All security-sensitive MediaWiki functionality should require elevated security) *except* when you use 2FA. Good motivator as well.
Xaosflux subscribed. Mar 29 2025, 3:42 PM (2025-03-29 15:42:58 UTC+0)
A_smart_kitten subscribed. Mar 29 2025, 3:47 PM (2025-03-29 15:47:21 UTC+0)
Tgr added a subtask: T390386: Be able to force OATHAuth for certain global user groups. Mar 29 2025, 4:10 PM (2025-03-29 16:10:49 UTC+0)
Nemoralis subscribed. Mar 29 2025, 4:16 PM (2025-03-29 16:16:26 UTC+0)
gerritbot added a comment. Apr 1 2025, 9:06 PM (2025-04-01 21:06:55 UTC+0)
Change #1133245 had a related patch set uploaded (by SBassett; author: SBassett):
[operations/mediawiki-config@master] OATHAuth: Mark checkuser and suppress as requiring 2FA
gerritbot added a project: Patch-For-Review. Apr 1 2025, 9:06 PM (2025-04-01 21:06:55 UTC+0)
Tgr closed subtask Restricted Task as Resolved. Apr 2 2025, 9:58 PM (2025-04-02 21:58:21 UTC+0)
Xaosflux added a comment. Apr 2 2025, 10:11 PM (2025-04-02 22:11:57 UTC+0)
abusefilter-maintainer is likely more important than abusefilter-helper (the latter is a read-only group).
Pppery added a project: User-notice. Apr 3 2025, 4:15 PM (2025-04-03 16:15:59 UTC+0)
Quiddity moved this task from To Triage to Announce in next Tech/News on the User-notice board. Apr 3 2025, 11:09 PM (2025-04-03 23:09:40 UTC+0)
Johannnes89 added a comment. Apr 4 2025, 7:56 AM (2025-04-04 07:56:14 UTC+0)
and should be updated to reflect the changes for 2FA requirement/enforcement, once everything has been decided/implemented.
Quiddity moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board. Apr 4 2025, 10:02 PM (2025-04-04 22:02:17 UTC+0)
Izno subscribed. Apr 7 2025, 9:34 PM (2025-04-07 21:34:55 UTC+0)
In T150898#10701397, @gerritbot wrote:
> Change #1133245 had a related patch set uploaded (by SBassett; author: SBassett):
> [operations/mediawiki-config@master] OATHAuth: Mark checkuser and suppress as requiring 2FA
This needs messaging to the communities before it's made live. The expectation has been clear for interface admin for some time vice those two roles. This would be quite an extension (though my personal opinion is that it should be done).
TheresNoTime subscribed. Apr 7 2025, 10:07 PM (2025-04-07 22:07:18 UTC+0)
1AmNobody24 subscribed. Apr 8 2025, 5:10 AM (2025-04-08 05:10:29 UTC+0)
Superpes15 subscribed. Apr 8 2025, 8:06 PM (2025-04-08 20:06:28 UTC+0)
Tgr added a comment. Apr 10 2025, 3:17 PM (2025-04-10 15:17:37 UTC+0)
A quick (subjective) review of the state of Wikimedia 2FA in terms of usability:
TOTP/both:
- Potential scaling issues if more users use it and more account recovery needs to be done. (See T180896: Allow functionaries to reset second factor on low-risk accounts.) IIRC CU/OS would not be a significant increase; bureaucrats would be an order-of-magnitude increase.
- 2FA makes login more annoying because we are asking for it too often: T203256: OATH (2FA) needs an option to remember device but not keep user logged in; T208668: Do not ask for password on reauthentication when 2FA is enabled
- No autofill/typing support: T356004: Help password managers to detect TOTP login input; T289086: Allow iOS/macOS/iPadOS to autofill 2fa codes; T151738: OATH code field should show numeric keyboard on mobile devices
WebAuthn:
- In general it has never been seriously tested or reviewed. Not sure if we have a good sense of how well it works, other than with Yubikeys (which are used by several people, so that aspect is reasonably well-tested). T232639: Get UX review for OATHAuth/WebAuthn
- T242031: Allow multiple different 2FA devices - probably the biggest issue now that login is single-domain. Cannot be used with the (less fragile) TOTP as a fallback, cannot be used with scratch tokens, you cannot use multiple devices... Thanks to @taavi this is close to getting fixed, though.
- Support for more WebAuthn mechanisms: T358771: Unable to login on iPhone with Passkey Enabled; T363652: publicKey.pubKeyCredParams is missing at least one of the default algorithm identifiers: ES256 and RS256; {T268384}
Other methods that might be easier to use:
- T150902: SMS based 2FA - there are pros and cons here, but I think even if we had this, we'd want to disallow it for high-value accounts as it's less secure. So for the purposes of this discussion, IMO moot.
- T352864: Use Wikipedia Mobile app as 2FA?
Other issues:
- limitations of the forcing mechanism: T390386: Be able to force OATHAuth for certain global user groups
- missing monitoring: T150903: Alert sre/security on many 2FA failures; T158379: Warn the user after a certain number of failed 2FA attempts; T301992: Insert CheckUser row events during certain 2FA actions
sbassett added a parent task: Restricted Task. Apr 10 2025, 8:21 PM (2025-04-10 20:21:18 UTC+0)
Quiddity moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board. Apr 10 2025, 11:24 PM (2025-04-10 23:24:15 UTC+0)
Sidishandsome subscribed. Apr 11 2025, 1:35 AM (2025-04-11 01:35:32 UTC+0)
AntiCompositeNumber subscribed. Apr 12 2025, 3:05 AM (2025-04-12 03:05:48 UTC+0)
AntiCompositeNumber added a comment. Apr 12 2025, 4:01 AM (2025-04-12 04:01:52 UTC+0)
Not represented in those tasks is the community perception that the MediaWiki 2FA implementation is fragile and prone to locking people out of their accounts because they lost their authentication device and their scratch codes don't work. Whether this was ever true is unknown, but I certainly know of multiple people who say it happened to them years ago. Those stories seem to be less prevalent now, but the perception (and the way we talk about 2FA) has not really changed.
Some of those lockouts were probably caused by users forgetting to save or update their scratch codes. I signed up for a website recently that, after displaying the scratch codes, hid them and made me enter one to prove that I saved them correctly. That might be a good idea for MediaWiki as well -- T391737: Require users to prove they saved their scratch codes
Others lost their scratch codes and don't know it yet. Some websites prompt users to check their scratch codes yearly, which may also be a good idea. This is currently somewhat prevented by the decision in T131788 / T145915 that scratch codes should only be shown once. Retrieving my scratch codes from where they are stored would be annoying enough; having to update them yearly would be more annoying and might even cause more errors or insecure practices.
Ladsgroup added a comment. Apr 12 2025, 1:58 PM (2025-04-12 13:58:19 UTC+0)
FWIW, while I'm not saying our 2FA can't be improved, it's drastically better than what it used to be. For example, regarding scratch tokens, there is now a button to download a file containing them. I hope we can make even further improvements, such as turning the txt file into a nice-looking PDF ready for print, but it's already quite an improvement.
Our 2FA UX is not perfect but it's not a disaster either.
Alex44019 subscribed. Apr 12 2025, 2:14 PM (2025-04-12 14:14:21 UTC+0)
Tgr added a comment. Apr 12 2025, 3:49 PM (2025-04-12 15:49:48 UTC+0)
In T150898#10735724, @AntiCompositeNumber wrote:
> Whether this was ever true is unknown, but I certainly know of multiple people who say it happened to them years ago.
I imagine if it were still happening, we'd hear about it? But maybe we could just ask people to test their scratch tokens by doing one scratch-token-based login. (In the UI they have been renamed to "recovery code", FWIW.) But maybe only after T232336: Separate recovery codes into a separate 2FA module (which itself is blocked on multi-device support).
> I signed up for a website recently that after displaying the scratch codes, hid them and made me enter one to prove that I saved them correctly. [...] Some websites prompt users to check their scratch codes yearly
I think these are uncommon practices; none of the large sites where I have used scratch tokens do it. There's a bunch of other things we could do, like showing the number of tokens left (again, after T232336: Separate recovery codes into a separate 2FA module).
But mainly I think we just need to support multiple devices. If you choose between TOTP, WebAuthn via your OS, WebAuthn via your mobile phone and scratch tokens, it's pretty unlikely all of those would break / get lost at the same time.
Nemoralis unsubscribed. Apr 12 2025, 4:31 PM (2025-04-12 16:31:59 UTC+0)
jeremyb subscribed. May 4 2025, 11:18 AM (2025-05-04 11:18:41 UTC+0)
gerritbot added a comment. May 20 2025, 11:06 AM (2025-05-20 11:06:32 UTC+0)
Change #1133245 merged by jenkins-bot:
[operations/mediawiki-config@master] OATHAuth: Mark checkuser and suppress as requiring 2FA
Stashbot added a comment. May 20 2025, 11:06 AM (2025-05-20 11:06:55 UTC+0)
Mentioned in SAL (#wikimedia-operations) [2025-05-20T11:06:54Z] T150898 T389727
Stashbot added a comment. May 20 2025, 11:12 AM (2025-05-20 11:12:57 UTC+0)
Mentioned in SAL (#wikimedia-operations) [2025-05-20T11:12:55Z] T150898 T389727 synced to the testservers (see ). Changes can now be verified there.
Stashbot added a comment. May 20 2025, 11:20 AM (2025-05-20 11:20:56 UTC+0)
Mentioned in SAL (#wikimedia-operations) [2025-05-20T11:20:52Z] T150898 T389727 (duration: 13m 57s)
Maintenance_bot removed a project: Patch-For-Review. May 20 2025, 11:31 AM (2025-05-20 11:31:01 UTC+0)
Sdrqaz subscribed. May 21 2025, 5:14 PM (2025-05-21 17:14:54 UTC+0)
> This needs messaging to the communities before it's made live.
For the record, it seems like individual CU/OS were not notified directly despite the change being in effect.
sbassett added a comment. May 21 2025, 10:55 PM (2025-05-21 22:55:06 UTC+0)
Note that the above config change (T150898#10838554) has been reverted. The reasoning for this is that the WMF needs more time to sufficiently communicate to affected users.
EMill-WMF subscribed. May 22 2025, 2:11 PM (2025-05-22 14:11:33 UTC+0)
In T150898#10845230, @Sdrqaz wrote:
>> This needs messaging to the communities before it's made live.
> For the record, it seems like individual CU/OS were not notified directly despite the change being in effect.
@Sdrqaz Thanks for the poke - it led us to double-check internally, and we did in fact have an internal miscommunication that caused us to think we sent this email when we had not. We plan to send it out soon, and I just updated the Meta page to reflect a new deadline of June 3rd (2 more weeks).
gerritbot added a comment. Jun 3 2025, 8:37 PM (2025-06-03 20:37:30 UTC+0)
Change #1153351 had a related patch set uploaded (by SBassett; author: SBassett):
[operations/mediawiki-config@master] Revert^2 "OATHAuth: Mark checkuser and suppress as requiring 2FA"
gerritbot added a project: Patch-For-Review. Jun 3 2025, 8:37 PM (2025-06-03 20:37:31 UTC+0)
gerritbot added a comment. Jun 3 2025, 9:09 PM (2025-06-03 21:09:16 UTC+0)
Change #1153351 merged by jenkins-bot:
[operations/mediawiki-config@master] Revert^2 "OATHAuth: Mark checkuser and suppress as requiring 2FA"
Stashbot added a comment. Jun 3 2025, 9:09 PM (2025-06-03 21:09:40 UTC+0)
Mentioned in SAL (#wikimedia-operations) [2025-06-03T21:09:39Z] T150898
Stashbot added a comment. Jun 3 2025, 9:11 PM (2025-06-03 21:11:44 UTC+0)
Mentioned in SAL (#wikimedia-operations) [2025-06-03T21:11:43Z] T150898 synced to the testservers (see ). Changes can now be verified there.
Stashbot added a comment. Jun 3 2025, 9:21 PM (2025-06-03 21:21:11 UTC+0)
Mentioned in SAL (#wikimedia-operations) [2025-06-03T21:21:11Z] T150898 (duration: 11m 31s)
Maintenance_bot removed a project: Patch-For-Review. Jun 3 2025, 9:32 PM (2025-06-03 21:32:32 UTC+0)
LucasWerkmeister mentioned this in T396061: Groups requiring 2FA via $wgOATHRequiredForGroups do not clearly warn users without 2FA that their permissions were truncated. Jun 4 2025, 6:03 PM (2025-06-04 18:03:35 UTC+0)
EggRoll97 changed the status of subtask T265726: Assign oathauth-verify-user to bureaucrats on WMF wikis from Open to Stalled. Jun 23 2025, 8:05 PM (2025-06-23 20:05:50 UTC+0)
EggRoll97 changed the status of subtask T265726: Assign oathauth-verify-user to bureaucrats on WMF wikis from Stalled to In Progress. Jun 28 2025, 4:37 PM (2025-06-28 16:37:22 UTC+0)
EggRoll97 closed subtask T265726: Assign oathauth-verify-user to bureaucrats on WMF wikis as Resolved. Jul 2 2025, 1:18 PM (2025-07-02 13:18:16 UTC+0)
ZhaoFJx subscribed. Jul 11 2025, 3:08 AM (2025-07-11 03:08:15 UTC+0)
bd808 added a subtask: T396061: Groups requiring 2FA via $wgOATHRequiredForGroups do not clearly warn users without 2FA that their permissions were truncated. Jul 15 2025, 8:45 PM (2025-07-15 20:45:09 UTC+0)
bd808 closed subtask T396061: Groups requiring 2FA via $wgOATHRequiredForGroups do not clearly warn users without 2FA that their permissions were truncated as Resolved.
Tgr reopened subtask T396061: Groups requiring 2FA via $wgOATHRequiredForGroups do not clearly warn users without 2FA that their permissions were truncated as Open. Jul 15 2025, 9:25 PM (2025-07-15 21:25:54 UTC+0)
bd808 renamed this task from "Force OATHAuth (2FA) for certain user groups in Wikimedia production" to "Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis". Jul 15 2025, 9:44 PM (2025-07-15 21:44:22 UTC+0)
mszwarc added a subtask: T414907: Enforce 2FA-requiring groups using $wgRestrictedGroups. Jan 19 2026, 8:51 AM (2026-01-19 08:51:22 UTC+0)
TBurmeister subscribed. Jan 29 2026, 7:07 PM (2026-01-29 19:07:57 UTC+0)
sgrabarczuk subscribed. Feb 10 2026, 2:19 PM (2026-02-10 14:19:13 UTC+0)
Bugreporter mentioned this in T418579: Implement a maintenance script to demote users who don't meet conditions specified in $wgRestrictedGroups. Mar 3 2026, 2:00 AM (2026-03-03 02:00:38 UTC+0)
A09 subscribed. Mar 14 2026, 12:18 PM (2026-03-14 12:18:09 UTC+0)
Catrope created subtask T420792: Allow 2FA to be enforced for all accounts on a private wiki. Mar 20 2026, 9:00 PM (2026-03-20 21:00:40 UTC+0)
mszwarc closed subtask T150562: Be able to force OATHAuth for certain user groups as Resolved. Fri, Mar 27, 9:00 AM (2026-03-27 09:00:32 UTC+0)
mszwarc closed subtask T414907: Enforce 2FA-requiring groups using $wgRestrictedGroups as Resolved. Fri, Mar 27, 12:00 PM (2026-03-27 12:00:20 UTC+0)
mszwarc subscribed.
Reedy closed subtask T396061: Groups requiring 2FA via $wgOATHRequiredForGroups do not clearly warn users without 2FA that their permissions were truncated as Declined. Tue, Mar 31, 9:15 AM (2026-03-31 09:15:29 UTC+0)
Reedy removed a subtask: T396061: Groups requiring 2FA via $wgOATHRequiredForGroups do not clearly warn users without 2FA that their permissions were truncated
mszwarc created subtask T423116: FY25-26 Q4: 2FA enforcement for local and global groups in Wikimedia production. Mon, Apr 13, 11:20 AM (2026-04-13 11:20:46 UTC+0)
mszwarc closed subtask Restricted Task as Resolved. Mon, Apr 13, 12:11 PM (2026-04-13 12:11:56 UTC+0)
mszwarc closed subtask T197501: Make users without 2FA setup not have checkuser right regardless of their groups as Declined. Mon, Apr 13, 12:33 PM (2026-04-13 12:33:16 UTC+0)