Thanks for the good news about OATH.
Are WMF staff required to use some form of authentication in addition to a password for their email and other sensitive accounts? Now might be a good time to look at the security of staff account access. I would think about requiring Google's standard two-factor authentication via password and cell phone.
Of course mobile phone security should also be considered. Encrypting all mobile phones (and other mobile devices like tablets and laptops) used for Foundation business would be good as well.
Pine

On Aug 7, 2014 2:04 PM, "Chris Steipp" <csteipp@wikimedia.org> wrote:
On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo <tylerromeo@gmail.com> wrote:
In terms of external authentication, we need Extension:OpenID to catch up to the OpenID standard in order to do that.
In terms of two-factor, I have like eight patches for Extension:OATHAuth attempting to make it production-worthy.
Nice! I hadn't realized you had got so far on this. Maybe Ryan and I can get those merged in...
To address Risker's comment, OATH is an open standard with lots of tools to generate the tokens, so you can use a secure token if you want to be more secure, or a browser plugin if you're just worried about someone stealing your password (which would significantly help our threat model in countries where we can't force https).
Client TLS certificates are sadly really hard to manage in any sort of secure way, when you don't control the end user's machines.
-- Tyler Romeo 0x405D34A7C86B42DF
From: svetlana <svetlana@fastmail.com.au>
Reply: Wikimedia developers <wikitech-l@lists.wikimedia.org>
Date: August 6, 2014 at 7:57:12
To: wikitech-l@lists.wikimedia.org <wikitech-l@lists.wikimedia.org>
Subject: Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords
On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start taking steps to reduce reliance on usernames and passwords.
What "steps" do you refer to, or is this intentionally vague? Disallowing usernames and logins? Two-step authentication/verification? Something else?
andre
From what I could read and parse: use fewer external things like Skype and Google accounts so that there is only one username for everything.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l