As far as I know, 2FA is already implemented and mandatory for WMF staff
accounts and wikitech accounts.
I emphasized having 2FA for CUs, oversighters and others with private data
access:
Not sure what's blocking this.
Best
On Sat, Nov 12, 2016 at 3:57 PM Craig Franklin <cfranklin(a)halonetwork.net>
wrote:
I know it's been said many times, but two-factor authentication, mandatory
for accounts with advanced privileges and optionally available for everyone
else, would seem to be a logical step. It's not foolproof, but it would go
a long way to making us less of a soft target.
Cheers,
Craig
On 12 November 2016 at 22:22, Fæ <faewik(a)gmail.com> wrote:
Do any of the volunteers contributing to this list have ideas for
changes that may make a significant difference to security?
Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the
process appearing to promote an organisation.[1] It was not the only
account compromised. This is being analysed, though as there are
security issues being examined, the analysis has not been made public
so far; plus it's the weekend :-)
Over the last few years, there have been improvements on account set-up and
choice of passwords, along with user suggestions for better account
management. Users can also choose to use committed identities[2] to
make account recovery easier, and are encouraged to use more secure
passwords. Two-factor authentication,[3] such as using mobile phone
text messages, has been suggested a few times by volunteers, and this
might be a good moment to encourage the WMF to have better facilities
built into the projects. We could even make two-factor identification
a requirement for trusted users, such as administrators, important
bots, and "high profile" accounts, where they may have special rights
that could cause a fair amount of disruption if a hacked account were
not identified quickly. Considering that some administrator accounts
can lie dormant for many months without the actual user monitoring it,
these could end up being far more disruptive than well-watched
accounts like Jimmy's.
We may want extra security to remain mostly optional, keeping our
projects simple to access. Education of new volunteers and trusted
users may be critical for making it effective, such as avoiding social
hacking. A clearer understanding of what the community would want to
see improved would probably help set development priorities.
Links
1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised
2. https://en.wikipedia.org/wiki/Template:Committed_identity
3. https://en.wikipedia.org/wiki/Multi-factor_authentication
Thanks,
Fae
--
faewik(a)gmail.com
https://commons.wikimedia.org/wiki/User:Fae
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>