This is really excellent. Thank you!
Cheers,
Craig
On 13 November 2016 at 01:46, Steinsplitter Wiki <steinsplitter(a)wikipedia.de>
wrote:
>
> https://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard#Two-Factor_Authentication_now_available_for_admins
>
> ________________________________
> From: Wikimedia-l <wikimedia-l-bounces(a)lists.wikimedia.org> on behalf of
> Amir Ladsgroup <ladsgroup(a)gmail.com>
> Sent: Saturday, 12 November 2016 15:37
> To: Wikimedia Mailing List
> Subject: Re: [Wikimedia-l] How should security of Wikimedia accounts be
> better?
>
> Emphasizing this part of my message: "'Google Authenticator' *or
> similar ones.*"
>
> On Sat, Nov 12, 2016 at 6:04 PM Vi to <vituzzu.wiki(a)gmail.com> wrote:
>
> > Actually I consider to be sensitive the google account linked to my
> > mobile phone :|
> >
> > also lots of people might have no compatible devices.
> >
> > Vito
> >
> > 2016-11-12 15:30 GMT+01:00 Amir Ladsgroup <ladsgroup(a)gmail.com>:
> >
> > > There is no need to store phone number at all.
> > > You need to install an app called "Google Authenticator" or similar
> > > ones. Then you scan a QR code from a special page in Wikipedia. Then
> > > every time you want to log in, you need to give username, password and
> > > a short-lived token the app gives you. See this for more details:
> > > https://lists.wikimedia.org/pipermail/labs-announce/2016-March/000104.html
> > >
> > > On Sat, Nov 12, 2016 at 5:38 PM Fæ <faewik(a)gmail.com> wrote:
> > >
> > > > Good point Vito,
> > > >
> > > > I agree that mobile numbers are personal information. However, my
> > > > understanding of the two-factor process would be that it can be set
> > > > up so that mobile numbers are *guaranteed* to never be logged or
> > > > archived and only stored in a constrained way for a verification
> > > > number to be issued. There are various ways of getting two-factor
> > > > processes to work, so methods that do not rely on mobile numbers may
> > > > suit volunteers that are worried about sending their mobile phone
> > > > number to any server in the USA, where there are always questions
> > > > about secret access and storage for government agencies.
> > > >
> > > > We can require that guarantees are given and transparently assured
> > > > for how any personal information like this is handled by
> > > > WMF-implemented software. It could even be an area that requires
> > > > legally meaningful assurance, or local processing to avoid, say,
> > > > Europeans sending any personal data to the USA. ;-)
> > > >
> > > > Fae
> > > >
> > > > On 12 November 2016 at 13:53, Vi to <vituzzu.wiki(a)gmail.com> wrote:
> > > > > My phone number is something I consider highly sensitive. Linking
> > > > > this kind of data to my online identity would be an unacceptable
> > > > > risk for me.
> > > > >
> > > > > Vito
> > > > >
> > > > > 2016-11-12 13:37 GMT+01:00 Amir Ladsgroup <ladsgroup(a)gmail.com>:
> > > > >
> > > > > > As far as I know 2FA is already implemented and mandatory for WMF
> > > > > > staff accounts and wikitech accounts.
> > > > > > https://phabricator.wikimedia.org/T107605
> > > > > >
> > > > > > I emphasized having 2FA for CUs, oversights and others with
> > > > > > private data access:
> > > > > > https://phabricator.wikimedia.org/T107605#2570342
> > > > > > Not sure what's blocking this.
> > > > > >
> > > > > > Best
> > > > > >
> > > > > > On Sat, Nov 12, 2016 at 3:57 PM Craig Franklin
> > > > > > <cfranklin(a)halonetwork.net> wrote:
> > > > > >
> > > > > > > I know it's been said many times, but two-factor
> > > > > > > authentication, mandatory for accounts with advanced
> > > > > > > privileges and optionally available for everyone else, would
> > > > > > > seem to be a logical step. It's not foolproof, but it would go
> > > > > > > a long way to making us less of a soft target.
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Craig
> > > > > > >
> > > > > > > On 12 November 2016 at 22:22, Fæ <faewik(a)gmail.com> wrote:
> > > > > > >
> > > > > > > > Do any of the volunteers contributing to this list have
> > > > > > > > ideas for changes that may make a significant difference to
> > > > > > > > security?
> > > > > > > >
> > > > > > > > Yesterday saw Jimmy Wales' Wikipedia account getting
> > > > > > > > hacked, in the process appearing to promote an
> > > > > > > > organisation.[1] It was not the only account compromised.
> > > > > > > > This is being analysed, though as there are security issues
> > > > > > > > being examined, the analysis has not been made public so
> > > > > > > > far; plus it's the weekend :-)
> > > > > > > >
> > > > > > > > Over the last few years, there have been improvements on
> > > > > > > > account set-up and choice of passwords, along with user
> > > > > > > > suggestions for better account management. Users can also
> > > > > > > > choose to use committed identities[2] to make account
> > > > > > > > recovery easier, and are encouraged to use more secure
> > > > > > > > passwords. Two-factor authentication,[3] such as using
> > > > > > > > mobile phone text messages, has been suggested a few times
> > > > > > > > by volunteers, and this might be a good moment to encourage
> > > > > > > > the WMF to have better facilities built into the projects.
> > > > > > > > We could even make two-factor identification a requirement
> > > > > > > > for trusted users, such as administrators, important bots,
> > > > > > > > and "high profile" accounts, where they may have special
> > > > > > > > rights that could cause a fair amount of disruption if a
> > > > > > > > hacked account were not identified quickly. Considering
> > > > > > > > that some administrator accounts can lie dormant for many
> > > > > > > > months without the actual user monitoring it, these could
> > > > > > > > end up being far more disruptive than well-watched accounts
> > > > > > > > like Jimmy's.
> > > > > > > >
> > > > > > > > We may want extra security to remain mostly optional,
> > > > > > > > keeping our projects simple to access. Education of new
> > > > > > > > volunteers and trusted users may be critical for making it
> > > > > > > > effective, such as avoiding social hacking. A clearer
> > > > > > > > understanding of what the community would want to see
> > > > > > > > improved would probably help set development priorities.
> > > > > > > >
> > > > > > > > Links
> > > > > > > > 1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised
> > > > > > > > 2. https://en.wikipedia.org/wiki/Template:Committed_identity
> > > > > > > > 3. https://en.wikipedia.org/wiki/Multi-factor_authentication
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Fae
> > > > > > > > --
> > > > > > > > faewik(a)gmail.com https://commons.wikimedia.org/wiki/User:Fae
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Wikimedia-l mailing list, guidelines at:
> > > > > > > > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
> > > > > > > > New messages to: Wikimedia-l(a)lists.wikimedia.org
> > > > > > > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> > > > > > > > <mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
> > > >
> > > > --
> > > > faewik(a)gmail.com https://commons.wikimedia.org/wiki/User:Fae
> > >
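The app-based flow Amir describes in the thread (scan a QR code once, then type the short-lived code the app shows at each login) is TOTP as specified in RFC 6238. The block below is an added example written for this page, not code from the thread or from MediaWiki; it shows what the QR code encodes and how a server should check a submitted code, with a drift window and refusal of replayed codes. The account and issuer names and the RFC test secret are constructed values, not anything Wikimedia uses.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds per time step (the Google Authenticator default)
DIGITS = 6   # length of the code the app displays

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step)

def verify_totp(secret: bytes, token: str, unix_time: int,
                last_counter: int = -1, window: int = 1) -> Optional[int]:
    """Server-side check: accept codes from `window` steps either side of now
    (clock drift), compare in constant time, and refuse any counter not newer
    than `last_counter` so a captured code cannot be replayed. Returns the
    matched counter (store it as the new last_counter) or None."""
    now = unix_time // STEP
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), token):
            return counter
    return None

def enrolment_uri(secret: bytes, account: str, issuer: str) -> str:
    """What the QR code on the enrolment page encodes: the otpauth Key URI
    that Google Authenticator and compatible apps understand."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")

# RFC 6238 test secret (ASCII "12345678901234567890"); real secrets are random.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(enrolment_uri(RFC_SECRET, "ExampleUser", "ExampleWiki"))  # constructed names
    print(totp(RFC_SECRET, int(time.time())))
```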