I see this as not solving problems but creating barriers to participation:
- one is the complexity of the process: the more complicated the systems,
the more opportunity for failures, more points of access where data can be
compromised, and, the flip side, the easier it is for people to be locked
out,
- it's using a 3rd party; no matter how good the system of the third party,
why should I be using anything other than the WMF system to log in? My
connection is with the WMF. Who is responsible if the connection is
compromised or my data misused by the third party? Regardless of which
third party is used, they need to know your user details to complete the
loop in the authentication.
- an authentication app is just inviting people to attempt to compromise
the account, as you have already given them part of the process should you
lose your device.

What I see could be a technical benefit has a dark side that is enabling
additional parties to monitor our activities, even compromise them. I think
that "security" card is being played poorly here, as anonymity in editing is
something we have always respected; the 3rd party participation in
authentication appears to be stripping that away. Google and like-minded
commercial companies only provide these free tools to gather data for their
own internal uses to enable them to better target the advertising that they
sell.
On 14 November 2016 at 08:10, Craig Franklin <cfranklin(a)halonetwork.net> wrote:
This is really excellent. Thank you!
Cheers,
Craig
On 13 November 2016 at 01:46, Steinsplitter Wiki <steinsplitter(a)wikipedia.de> wrote:
https://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard#Two-Factor_Authentication_now_available_for_admins
________________________________
From: Wikimedia-l <wikimedia-l-bounces(a)lists.wikimedia.org> on behalf of Amir Ladsgroup <ladsgroup(a)gmail.com>
Sent: Saturday, 12 November 2016 15:37
To: Wikimedia Mailing List
Subject: Re: [Wikimedia-l] How should security of Wikimedia accounts be better?
Emphasizing on this part of my message: "'Google Authenticator' *or similar ones.*"
On Sat, Nov 12, 2016 at 6:04 PM Vi to <vituzzu.wiki(a)gmail.com> wrote:
Actually I consider to be sensitive the Google account linked to my mobile
phone :|
Also lots of people might have no compatible devices.
Vito
2016-11-12 15:30 GMT+01:00 Amir Ladsgroup <ladsgroup(a)gmail.com>:
> There is no need to store phone number at all.
> You need to install an app called "Google Authenticator" or similar ones.
> Then you scan a QR code from a special page in Wikipedia. Then every time
> you want to login, you need to give username, password and a short-lived
March/000104.html
> >
> >
> >
> > On Sat, Nov 12, 2016 at 5:38 PM Fæ <faewik(a)gmail.com> wrote:
> >
> > Good point Vito,
> >
> > I agree that mobile numbers are personal information. However, my
> > understanding of the two-factor process would be that it can be set up so
> > that mobile numbers are *guaranteed* to never be logged or archived
> > and only stored in a constrained way for a verification number to be
> > issued. There are various ways of getting two-factor processes to
> > work, so methods that do not rely on mobile numbers may suit
> > volunteers that are worried about sending their mobile phone number to
> > any server in the USA, where there are always questions about secret
> > access and storage for government agencies.
> >
> > We can require that guarantees are given and transparently assured for how
> > any personal information like this is handled by WMF implemented
> > software. It could even be an area that requires legally meaningful
> > assurance, or local processing to avoid, say, Europeans sending any
> > personal data to the USA. ;-)
>
> Fae
>
> On 12 November 2016 at 13:53, Vi to <vituzzu.wiki(a)gmail.com> wrote:
> > My phone number is something I consider highly sensitive. Linking this kind
> > of data to my online identity would be an unacceptable risk for me.
> >
> > Vito
> >
> > 2016-11-12 13:37 GMT+01:00 Amir Ladsgroup <ladsgroup(a)gmail.com>:
> >
> >> As far as I know 2FA is already implemented and mandatory for WMF staff
> >> accounts and wikitech accounts. https://phabricator.wikimedia.org/T107605
> >>
> >> I emphasized on having 2fa for CUs, oversights and others with private data
> >> access: https://phabricator.wikimedia.org/T107605#2570342
> > >> Not sure what's blocking this.
> > >>
> > >> Best
> > >>
> > >> On Sat, Nov 12, 2016 at 3:57 PM Craig Franklin <cfranklin(a)halonetwork.net>
> > >> wrote:
> > >>
> > >> > I know it's been said many times, but two-factor authentication, mandatory
> > >> > for accounts with advanced privileges and optionally available for everyone
> > >> > else, would seem to be a logical step. It's not foolproof, but it would go
> > >> > a long way to making us less of a soft target.
> >> >
> >> > Cheers,
> >> > Craig
> >> >
> >> > On 12 November 2016 at 22:22, Fæ <faewik(a)gmail.com> wrote:
> >> >
> >> > > Do any of the volunteers contributing to this list have ideas for
> >> > > changes that may make a significant difference to security?
> >> > >
> >> > > Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the
> >> > > process appearing to promote an organisation.[1] It was not the only
> >> > > account compromised. This is being analysed, though as there are
> >> > > security issues being examined, the analysis has not been made public
> >> > > so far; plus it's the weekend :-)
> >> > >
> >> > > Over the last few years, there have been improvements on account set-up and
> >> > > choice of passwords, along with user suggestions for better account
> >> > > management. Users can also choose to use committed identities[2] to
> >> > > make account recovery easier, and are encouraged to use more secure
> >> > > passwords. Two-factor authentication,[3] such as using mobile phone
> >> > > text messages, has been suggested a few times by volunteers, and this
> >> > > might be a good moment to encourage the WMF to have better facilities
> >> > > built into the projects. We could even make two-factor identification
> >> > > a requirement for trusted users, such as administrators, important
> >> > > bots, and "high profile" accounts, where they may have special rights
> >> > > that could cause a fair amount of disruption if a hacked account were
> >> > > not identified quickly. Considering that some administrator accounts
> >> > > can lie dormant for many months without the actual user monitoring it,
> >> > > these could end up being far more disruptive than well-watched
> >> > > accounts like Jimmy's.
> >> > >
> >> > > We may want extra security to remain mostly optional, keeping our
> >> > > projects simple to access. Education of new volunteers and trusted
> >> > > users may be critical for making it effective, such as avoiding social
> >> > > hacking. A clearer understanding of what the community would want to
> >> > > see improved would probably help set development priorities.
> >> > >
> >> > > Links
> >> > > 1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised
> >> > > 2. https://en.wikipedia.org/wiki/Template:Committed_identity
> >> > > 3. https://en.wikipedia.org/wiki/Multi-factor_authentication
> >> > >
> >> > > Thanks,
> >> > > Fae
> >> > > --
> >> > > faewik(a)gmail.com https://commons.wikimedia.org/wiki/User:Fae
> >> > >
> >> > > _______________________________________________
> >> > > Wikimedia-l mailing list, guidelines at:
> >> > > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
> >> > > New messages to: Wikimedia-l(a)lists.wikimedia.org
> >> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> >> > > <mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
> >
> > --
> > faewik(a)gmail.com https://commons.wikimedia.org/wiki/User:Fae
> >