Hi Petr,
Thank you for thinking about improvements to 2FA; the lack of session persistence makes me want to buy a paper encyclopedia.
Another issue to add to your list is that a lost 2FA device (plus lost scratch codes) requires admin help or someone with DB access, because the self-serve option asks for a 2FA code in order to disable. Most industry implementations allow a 2FA reset via primary email account as well as scratch codes. There are many bugs about this, and I can't tell if the design is a feature or bug. Here's an interesting suggestion for how to fix: https://phabricator.wikimedia.org/T180896
Regards, Adam
On Sun, Aug 12, 2018 at 9:48 AM Petr Bena benapetr@gmail.com wrote:
Oh and I totally forgot to include link to phab task: https://phabricator.wikimedia.org/T201784
On Sun, Aug 12, 2018 at 6:47 PM, Petr Bena benapetr@gmail.com wrote:
Hello,
I would like to do some major changes to two-factor auth. I am cross-posting this on Phabricator and the mailing list to give it some more attention and to start some proper discussion before anyone starts working on this:
Right now there are only two options for two factor authentication:
- Don't use two-factor authentication (insecure)
- Use two-factor authentication (annoying as hell)
With two-factor authentication it doesn't seem to be possible to make the session persistent, and it really is extremely annoying to look for your mobile phone, open the app and fill in the code every time you want to do some simple wiki action. I am very lazy and have even found myself deciding not to make a minor change (be it a typo fix, correction etc. in an article on English Wikipedia) rather than go through the hassle of using Google Authenticator.
I think it would be really cool to have an option (or maybe even more of them?) that would help to specify when two factor auth is really desired, so that for example users could decide that for simple actions like wiki editing normal login would be sufficient, but for changes like:
- Change of password
- Change of (some) preferences
- Admin actions (block, delete etc.)
P.S. Unfortunately I no longer have so much free time to track every single thread in this mailing list, so maybe this is a duplicate of some older idea by someone else; if that's the case, please merge the phab task with whatever the other identical proposal is.
Thank you
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
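The tiered scheme Petr sketches (routine edits on the persistent login, a fresh second factor for password changes, preference changes and admin actions) can be modelled as a step-up policy. The following is an added illustration and is not MediaWiki or OATHAuth code; the action names, the 15-minute freshness window and the session fields are assumptions.

```python
"""Step-up (per-action) two-factor policy sketch (added example, not MediaWiki code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Tier(Enum):
    NONE = 0      # the primary login is sufficient
    STEP_UP = 1   # a recently verified second factor is required


# Assumed classification: routine edits stay cheap, sensitive changes step up.
ACTION_TIER = {
    "edit": Tier.NONE,
    "change_password": Tier.STEP_UP,
    "change_preferences": Tier.STEP_UP,
    "block": Tier.STEP_UP,
    "delete": Tier.STEP_UP,
}
STEP_UP_WINDOW = 15 * 60  # seconds a second-factor check stays fresh (assumed value)


@dataclass
class Session:
    user: str
    login_at: float
    twofa_verified_at: Optional[float] = None  # last successful TOTP/scratch-code check


def required_tier(action: str) -> Tier:
    # Unknown actions fall into the strict tier so new features fail closed.
    return ACTION_TIER.get(action, Tier.STEP_UP)


def needs_second_factor(session: Session, action: str, now: float) -> bool:
    """True when the action must wait until the user re-verifies their second factor."""
    if required_tier(action) is Tier.NONE:
        return False
    if session.twofa_verified_at is None:
        return True
    return now - session.twofa_verified_at > STEP_UP_WINDOW


def record_second_factor(session: Session, now: float) -> None:
    """Called after a successful TOTP or scratch-code check; refreshes the window."""
    session.twofa_verified_at = now


def authorize(session: Session, action: str, now: float) -> str:
    return "step_up_required" if needs_second_factor(session, action, now) else "allowed"
```

The session itself can stay persistent; only the step-up timestamp expires, so a stolen long-lived cookie alone is not enough for the sensitive tier.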