Thanks for the good news about OATH.
Are WMF staff required to use some form of authentication in addition to a
password for their email and other sensitive accounts? Now might be a good
time to look at the security of staff account access. I would think about
requiring Google's standard two factor authentication via password and cell
phone.
Of course mobile phone security should also be considered. Encrypting all
mobile phones (and other mobile devices like tablets and laptops) used for
Foundation business would be good as well.
Pine
On Aug 7, 2014 2:04 PM, "Chris Steipp" <csteipp(a)wikimedia.org> wrote:
On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
In terms of external authentication, we need Extension:OpenID to catch
up to the OpenID standard in order to do that.
In terms of two-factor, I have like eight patches for Extension:OATHAuth
attempting to make it production-worthy.
Nice! I hadn't realized you had got so far on this. Maybe Ryan and I
can get those merged in...
To address Risker's comment, OATH is an open standard with lots of
tools to generate the tokens, so you can use a secure token if you
want to be more secure, or a browser plugin if you're just worried
about someone stealing your password (which would significantly help
our threat model in countries where we can't force https).
Client TLS certificates are sadly really hard to manage in any sort of
secure way, when you don't control the end user's machines.
--
Tyler Romeo
0x405D34A7C86B42DF
From: svetlana <svetlana(a)fastmail.com.au>
Reply: Wikimedia developers <wikitech-l(a)lists.wikimedia.org>
Date: August 6, 2014 at 7:57:12
To: wikitech-l(a)lists.wikimedia.org <wikitech-l(a)lists.wikimedia.org>
Subject: Re: [Wikitech-l] News about stolen Internet credentials; reducing
Wikimedia reliance on usernames and passwords
On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start taking
steps to reduce reliance on usernames and passwords.
What "steps" do you refer to, or is this intentionally vague?
Disallowing usernames and logins?
Two-step authentication/verification?
Something else?
andre
from what i could read and parse:
use less of external things like skype and google accounts
so that there is only 1 username for everything
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l