Hello,
I would like to do some major changes to two factor auth. I am cross posting this on phabricator and the mailing list to give it some more attention and to start some proper discussion before anyone starts working on this:
Right now there are only two options for two factor authentication:
* Don't use two-factor authentication (insecure)
* Use two factor authentication (annoying as hell)
With two factor authentication it doesn't seem to be possible to make the session persistent, and it really is extremely annoying to look for your mobile phone, open the app and fill in the code every time you want to do some simple wiki action. I am very lazy and even found myself deciding not to make a minor change (be it a typo fix, a correction etc. in an article on English Wikipedia) rather than going through the hassle of using Google Authenticator.
I think it would be really cool to have an option (or maybe even more of them?) that would help to specify when two factor auth is really desired, so that for example users could decide that for simple actions like wiki editing normal login would be sufficient, but for changes like:
* Change of password
* Change of (some) preferences
* Admin actions (block, delete etc.)
P.S. Unfortunately I no longer have so much free time to track every single thread in this mailing list, so maybe this is a duplicate of some older idea by someone else, if that's the case, please merge the phab task with whatever the other identical proposal is.
Thank you
Oh and I totally forgot to include link to phab task: https://phabricator.wikimedia.org/T201784
Hi Petr,
Thank you for thinking about improvements to 2FA, the lack of session persistence makes me want to buy a paper encyclopedia.
Another issue to add to your list is that a lost 2FA device (plus lost scratch codes) requires admin help or someone with DB access, because the self-serve option asks for a 2FA code in order to disable. Most industry implementations allow a 2FA reset via primary email account as well as scratch codes. There are many bugs about this, and I can't tell if the design is a feature or bug. Here's an interesting suggestion for how to fix: https://phabricator.wikimedia.org/T180896
Regards, Adam
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Sun, Aug 12, 2018 at 6:47 PM Petr Bena benapetr@gmail.com wrote:
With two factor authentication it doesn't seem to be possible to make session persistent
Two-factor authentication does not affect how the session works. If you check "Remember me", the login will last for 180 days, whether you use two-factor authentication or not.
Am 13.08.2018 um 07:34 schrieb Gergo Tisza:
Two-factor authentication does not affect how the session works. If you check "Remember me", the login will last for 180 days, whether you use two-factor authentication or not.
Yea, works fine for me - and this is the first time I hear people complain that they constantly have to log in again with 2FA. This certainly isn't intentional. Sounds like a bug that only affects a few people... or are people so used to pain and suffering that so few complain about it?
-- daniel
There are two people in this thread complaining, so I suspect it's not that obscure, but this is also the first I have ever heard of it as well. Definitely something we need to track down.
-- Brian
2018-08-13 11:19 GMT+03:00 Daniel Kinzler daniel.kinzler@wikimedia.de:
Something like this has been happening for about a week with me.
Most of the time my session doesn't work across projects. If I log in to the English Wikipedia, I have to log in again to mediawiki.org, Hebrew Wikisource, and Wikidata, and every time I need to type the 2FA token. It wasn't like this earlier.
I've been using 2FA since the password attack on May 4, but this only started happening to me last week.
I'm using Firefox 63 (Nightly).
-- Amir Elisha Aharoni · אָמִיר אֱלִישָׁע אַהֲרוֹנִי http://aharoni.wordpress.com “We're living in pieces, I want to live in peace.” – T. Moore
Hi,
I am not experiencing any issues with 2FA on my account. Maybe it's something related to cookies/browser?
Best regards.
On Mon, Aug 13, 2018 at 5:13 AM Amir E. Aharoni amir.aharoni@mail.huji.ac.il wrote:
Most of the time my session doesn't work across projects. If I log in to the English Wikipedia, I have to log in again to mediawiki.org, Hebrew Wikisource, and Wikidata [...]
This (old, erratic, hard to reproduce) bug can usually be fixed by logging out, and then clearing your cookies for all Wikimedia domains.
Apologies, "lack of session persistence" was a bad way to summarize what I've been seeing. My session persistence is usually fine, and lasts a while regardless of whether 2FA is enabled.
What I was complaining about is that 2FA has to be used every time I log in. There doesn't seem to be an industry standard yet; for example, Gmail asks for 2FA only every 30 days if you've previously authenticated on the same machine, but GitHub asks for 2FA on every login. Asking only once a month seems like a great compromise to consider.
-Adam
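The per-action requirement Petr proposes (normal login is enough for editing, a fresh second factor for password, preference and admin changes) and the "only once a month on the same machine" rule Adam describes can be expressed as one policy check. The following is an added Python sketch, not MediaWiki or OATHAuth code: the session fields, the `Policy` class, the action names and the per-action maximum ages are assumptions; the 180-day "Remember me" lifetime is the figure Gergo gives in this thread.

```python
"""Per-action ("step-up") second-factor policy: an added example, not code
from MediaWiki or the OATHAuth extension.

Assumed model: the session stores when the password was last verified and
when a second factor was last verified on this device; a policy maps each
action to the freshness it demands. All timestamps are Unix seconds.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional

DAY = 86400


class Need(Enum):
    OK = "ok"                    # proceed with the current session
    LOGIN = "login"              # primary credential (password) required again
    SECOND_FACTOR = "2fa"        # a fresh second-factor check required


@dataclass
class Session:
    user: str
    two_factor_enrolled: bool
    login_at: int                            # last password verification
    remember_me: bool = False
    second_factor_at: Optional[int] = None   # last second-factor verification on this device


@dataclass
class Policy:
    remembered_login_days: int = 180   # "Remember me" lifetime quoted in the thread
    session_login_days: int = 1        # assumed lifetime without "Remember me"
    trusted_device_days: int = 30      # re-ask for 2FA only this often for ordinary actions
    # sensitive actions and the maximum age (seconds) of the 2FA check they accept;
    # the action names and ages are assumed values, not OATHAuth configuration
    sensitive: Dict[str, int] = field(default_factory=lambda: {
        "change-password": 5 * 60,
        "change-email": 5 * 60,
        "block": 15 * 60,
        "delete": 15 * 60,
    })


def required(session: Session, action: str, now: int, policy: Optional[Policy] = None) -> Need:
    """Decide what, if anything, must happen before `action` may proceed."""
    policy = policy or Policy()
    login_days = policy.remembered_login_days if session.remember_me else policy.session_login_days
    if now - session.login_at > login_days * DAY:
        return Need.LOGIN
    if not session.two_factor_enrolled:
        return Need.OK                    # today's "no 2FA" option: nothing else to ask for
    age = None if session.second_factor_at is None else now - session.second_factor_at
    if action in policy.sensitive:
        # password/preference/admin changes: require a recent check every time
        return Need.OK if age is not None and age <= policy.sensitive[action] else Need.SECOND_FACTOR
    # ordinary actions such as editing: a check on this device within the window is enough
    if age is not None and age <= policy.trusted_device_days * DAY:
        return Need.OK
    return Need.SECOND_FACTOR


def record_second_factor(session: Session, now: int) -> Session:
    """Called after the user has passed the second-factor prompt."""
    session.second_factor_at = now
    return session


if __name__ == "__main__":
    now = 10_000_000
    s = Session("petr", True, login_at=now - 3600, remember_me=True, second_factor_at=now - 10 * DAY)
    for action in ("edit", "change-password", "block"):
        print(action, required(s, action, now).value)
    record_second_factor(s, now)
    print("change-password after fresh check:", required(s, "change-password", now).value)
```

The point of the split is that a long-lived session and a fresh second factor answer different questions: the session says who the browser belongs to, the recent 2FA check says the person is still at the keyboard. In a real deployment the "verified on this device" state would be bound to a device-specific token rather than stored only in the session, so that a copied session cookie does not also inherit the trusted-device window.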
Am 14.08.2018 um 08:53 schrieb Adam Wight:
What I was complaining about is that 2FA has to be used every time I log in. There doesn't seem to be an industry standard yet, for example gmail asks for 2FA only every 30 days if you've previously authenticated on the same machine, but GitHub asks for 2FA on every login. Asking only once a month seems like a great compromise to consider.
I guess most of us only log in every 30 days. Perhaps that's the difference?
-- daniel
On 12/08/18 17:47, Petr Bena wrote:
Right now there are only two options for two factor authentication:
- Don't use two-factor authentication (insecure)
- Use two factor authentication (annoying as hell)
Has any thought been given to supporting alternate methods of 2FA, such as the FIDO Universal Second Factor (U2F)?
These reduce the time taken to authenticate the second factor to a couple of seconds (plug in, press one button), versus the smartphone TOTP apps (unlock phone, open app, find right code in list, type it in).
I'm aware there's a cost to the tokens, and I'm not suggesting there be a requirement on them, just an optional alternate for those who either already own one or are willing to spend around £10.
GitHub and Google both support U2F as an alternate to TOTP, and either method can be used when the second factor is required.
Cheers,
Simon
Yeah, I wrote some code that got U2F support working inside the OATHAuth extension, though I don't think it ever got to Gerrit.
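Simon's comparison is between the TOTP codes that Google Authenticator-style apps produce and a U2F token's press-a-button challenge-response. To make the TOTP side concrete, here is an added Python example (not code from the OATHAuth extension) of RFC 6238 code generation together with the server-side check that tolerates one time step of clock skew and refuses to accept a code's time step twice. The secret is the RFC 6238 test vector secret, used here as constructed demo input; the U2F exchange is not shown.

```python
"""RFC 6238 TOTP (the scheme behind Google Authenticator-style apps) with a
verifier that tolerates clock skew and rejects replayed codes. Added example;
not code from the OATHAuth extension.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """TOTP = HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at // step)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with a Base32 secret; decode it (padding restored)."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


class Verifier:
    """Server-side check: accept the code for the current step or `window` steps
    either side, and never accept a time step at or before the last one used."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        counter = at // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue                      # already consumed: blocks replay of a seen code
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890"); constructed input for the demo
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
    v = Verifier(DEMO_SECRET)
    print("accepted:", v.verify(totp(DEMO_SECRET, now), now))
    print("replay accepted:", v.verify(totp(DEMO_SECRET, now), now))
```

Two details matter for a server: the comparison is constant-time, and the `last_counter` bookkeeping has to be stored per user (here it lives in the object) so that a code observed once, for instance over someone's shoulder, cannot be submitted again within the 30-second step or the skew window.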