On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo <tylerromeo@gmail.com> wrote:
In terms of external authentication, we need Extension:OpenID to catch up to the OpenID standard in order to do that.
In terms of two-factor, I have like eight patches for Extension:OATHAuth attempting to make it production-worthy.
Nice! I hadn't realized you had got so far on this. Maybe Ryan and I can get those merged in...
To address Risker's comment, OATH is an open standard with lots of tools to generate the tokens, so you can use a secure token if you want to be more secure, or a browser plugin if you're just worried about someone stealing your password (which would significantly help our threat model in countries where we can't force https).
Client TLS certificates are sadly really hard to manage in any sort of secure way, when you don't control the end user's machines.
-- Tyler Romeo 0x405D34A7C86B42DF
From: svetlana <svetlana@fastmail.com.au>
Reply: Wikimedia developers <wikitech-l@lists.wikimedia.org>
Date: August 6, 2014 at 7:57:12
To: wikitech-l@lists.wikimedia.org <wikitech-l@lists.wikimedia.org>
Subject: Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords
On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
After reading this [1] I am wondering if Wikimedia should start taking steps to reduce reliance on usernames and passwords.
What "steps" do you refer to, or is this intentionally vague? Disallowing usernames and logins? Two-step authentication/verification? Something else?
andre
From what I could read and parse: use less of external things like Skype and Google accounts so that there is only 1 username for everything
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l