Actually I consider to be sensitive the Google account linked to my mobile phone :|
Also lots of people might have no compatible devices.
Vito
2016-11-12 15:30 GMT+01:00 Amir Ladsgroup <ladsgroup(a)gmail.com>:
There is no need to store phone number at all.
You need to install an app called "Google Authenticator" or similar ones.
Then you scan a QR code from a special page in Wikipedia. Then every time
you want to login, you need to give username, password and a short-lived
token the app gives you. See this for more details:
https://lists.wikimedia.org/pipermail/labs-announce/2016-March/000104.html
On Sat, Nov 12, 2016 at 5:38 PM Fæ <faewik(a)gmail.com> wrote:
Good point Vito,
I agree that mobile numbers are personal information. However, my
understanding of the two-factor process would be that it can be set up so
that mobile numbers are *guaranteed* to never be logged or archived
and only stored in a constrained way for a verification number to be
issued. There are various ways of getting two-factor processes to
work, so methods that do not rely on mobile numbers may suit
volunteers that are worried about sending their mobile phone number to
any server in the USA, where there are always questions about secret
access and storage for government agencies.
We can require that guarantees are given and transparently assured for
how any personal information like this is handled by WMF implemented
software. It could even be an area that requires legally meaningful
assurance, or local processing to avoid, say, Europeans sending any
personal data to the USA. ;-)
Fae
On 12 November 2016 at 13:53, Vi to <vituzzu.wiki(a)gmail.com> wrote:
My phone number is something I consider highly sensitive. Linking this kind
of data to my online identity would be an unacceptable risk for me.
Vito
2016-11-12 13:37 GMT+01:00 Amir Ladsgroup <ladsgroup(a)gmail.com>:
> As far as I know 2FA is already implemented and mandatory for WMF staff
> accounts and wikitech accounts. https://phabricator.wikimedia.org/T107605
>
> I emphasized on having 2fa for CUs, oversights and others with private data
> access: https://phabricator.wikimedia.org/T107605#2570342
> Not sure what's blocking this.
>
> Best
>
> On Sat, Nov 12, 2016 at 3:57 PM Craig Franklin <cfranklin(a)halonetwork.net> wrote:
>
>> I know it's been said many times, but two-factor authentication, mandatory
>> for accounts with advanced privileges and optionally available for everyone
>> else, would seem to be a logical step. It's not foolproof, but it would go
>> a long way to making us less of a soft target.
>>
>> Cheers,
>> Craig
>>
>>> On 12 November 2016 at 22:22, Fæ <faewik(a)gmail.com> wrote:
>>>
>>> Do any of the volunteers contributing to this list have ideas for
>>> changes that may make a significant difference to security?
>>>
>>> Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the
>>> process appearing to promote an organisation.[1] It was not the only
>>> account compromised. This is being analysed, though as there are
>>> security issues being examined, the analysis has not been made public
>>> so far; plus it's the weekend :-)
>>>
>>> Over the last few years, there have been improvements on account set-up and
>>> choice of passwords, along with user suggestions for better account
>>> management. Users can also choose to use committed identities[2] to
>>> make account recovery easier, and are encouraged to use more secure
>>> passwords. Two-factor authentication,[3] such as using mobile phone
>>> text messages, has been suggested a few times by volunteers, and this
>>> might be a good moment to encourage the WMF to have better facilities
>>> built into the projects. We could even make two-factor identification
>>> a requirement for trusted users, such as administrators, important
>>> bots, and "high profile" accounts, where they may have special rights
>>> that could cause a fair amount of disruption if a hacked account were
>>> not identified quickly. Considering that some administrator accounts
>>> can lie dormant for many months without the actual user monitoring it,
>>> these could end up being far more disruptive than well-watched
>>> accounts like Jimmy's.
>>>
>>> We may want extra security to remain mostly optional, keeping our
>>> projects simple to access. Education of new volunteers and trusted
>>> users may be critical for making it effective, such as avoiding social
>>> hacking. A clearer understanding of what the community would want to
>>> see improved would probably help set development priorities.
>>>
>>> Links
>>> 1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised
>>> 2. https://en.wikipedia.org/wiki/Template:Committed_identity
>>> 3. https://en.wikipedia.org/wiki/Multi-factor_authentication
>>>
>>> Thanks,
>>> Fae
>>> --
>>> faewik(a)gmail.com https://commons.wikimedia.org/wiki/User:Fae
>>>
>>> _______________________________________________
>>> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
>>> New messages to: Wikimedia-l(a)lists.wikimedia.org
>>> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
>>> <mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>
--
faewik(a)gmail.com
https://commons.wikimedia.org/wiki/User:Fae