Community Wishlist Survey 2023/Anti-harassment/Minimize Wikimedia/Wikipedia's risk by enforcing 2FA on 'Mandatory Use User' groups
Minimize Wikimedia/Wikipedia's risk by enforcing 2FA on 'Mandatory Use User' groups
- Problem: Even though we know, It's extremely important for administrators and editors with advanced permissions to keep their accounts secure, Not everyone in the Mandatory use user groups & SSH key Wikitech users had been enabled 2FA security in their account. If any of these accounts are compromised, it could cause widespread disruption and vandalism in Wikimedia/Wikipedia.
- Proposed solution:
- Implement T242031. Minimize the situation where people get locked out of their accounts, as much as possible.
- Give them a private message and a month to familiarize themselves with 2FA.
- Then add them to $wgOATHRequiredForGroups. Prevent them from using their rights until they enable 2FA.
- If we can implement it smartly, then Foundation won't be needing any paid staff to act as support representatives.
- Who would benefit: It will minimize Wikimedia/Wikipedia's risk of being compromised.
- More comments: This way, we can get one step closer to making this possible for all concerned editors. The security team and community tech team should work together on this community wish.
- Phabricator tickets: T150898, T242031
- Proposer: MASUM THE GREAT (talk) 23:19, 30 January 2023 (UTC)
Discussion
-
Just a demo notification. Getting the credentials for these accounts is improbable but not impossible.
-
If any ill-intention expert hacker can get access for 10 minutes in any of these accounts, just imagine how much damage could be done to Wikimedia web sister projects!
-
By not enabling 2FA (or improving security) on these accounts, we are actually challenging non-admirer hackers to use brute-force cracking or other methods.
This was a wish on the previous 2019 wishlist survey, proposed by MASUM THE GREAT, and ranked #10.--MASUM THE GREAT (talk) 15:03, 1 February 2023 (UTC)
- This probably should be in the Anti-harassment section, not Multimedia and Commons? And the more relevant task is T150898 I think. --Tgr (talk) 02:15, 1 February 2023 (UTC)
- Someone, please do that. Many thanks. -- MASUM THE GREAT (talk) 08:41, 1 February 2023 (UTC)
- @Tgr and Ahm masum: Moved, and the other Phabricator task added. Thanks! SWilson (WMF) (talk) 12:29, 1 February 2023 (UTC)
- Disagree that this should be in anti-harassment, unless every single security issue is also in anti-harassment. There's no harassment element in people failing to use 2FA. This is targeted at users who are already *supposed* to have 2FA in place; the overwhelming majority of them keep 2FA in place once they have it, so there's no reason that a hypothetical hacker would go after specific accounts. Risker (talk) 03:29, 21 February 2023 (UTC)
- @Risker: We've already established a conscious, which is why they're called "Mandatory Use User" groups. We don't need to make the same conscious again. So can you tell me, why just 'majority', not 'all' required account holders? Can you, or any advanced permission holder, guarantee us that the current non-enabling state is a 0% security loophole? Are these non-2FA advanced permission holders not a threat to our platform with each passing day?
Yes. I agree. To make a long term effective mass implimentainon we need to rethink/redesigh our current 2FA mathod. We must have to make it as per industry standard, automative as much as possible. We also have to keep in mind that, as a nonprofit charitable organization, we have limited resources. We can't afford to hire too many paid support representatives. -- ~ MASUM THE GREAT (talk) 13:08, 21 February 2023 (UTC)- Large-scale websites like this, always attract non-admirers, ill-intentioned people who want to do harm. They don't need Steward credentials. Getting access to any wiki Homepage/Database for 20 minutes through any one of the advanced account holders would be enough for them to tarnish Wikipedia/wikimedia's reputation. We've already seen how we've gotten negative news coverage for silly little mistakes or through vandals.
- Yes. We will wait for a redesigned 2FA. But in the meantime, leaving a 'security loophole' in our platform isn't a wise decision. Is it, @Risker ? -- ~ MASUM THE GREAT (talk) 13:57, 21 February 2023 (UTC)
- Large-scale websites like this, always attract non-admirers, ill-intentioned people who want to do harm. They don't need Steward credentials. Getting access to any wiki Homepage/Database for 20 minutes through any one of the advanced account holders would be enough for them to tarnish Wikipedia/wikimedia's reputation. We've already seen how we've gotten negative news coverage for silly little mistakes or through vandals.
- @Risker: We've already established a conscious, which is why they're called "Mandatory Use User" groups. We don't need to make the same conscious again. So can you tell me, why just 'majority', not 'all' required account holders? Can you, or any advanced permission holder, guarantee us that the current non-enabling state is a 0% security loophole? Are these non-2FA advanced permission holders not a threat to our platform with each passing day?
- Disagree that this should be in anti-harassment, unless every single security issue is also in anti-harassment. There's no harassment element in people failing to use 2FA. This is targeted at users who are already *supposed* to have 2FA in place; the overwhelming majority of them keep 2FA in place once they have it, so there's no reason that a hypothetical hacker would go after specific accounts. Risker (talk) 03:29, 21 February 2023 (UTC)
- @Tgr and Ahm masum: Moved, and the other Phabricator task added. Thanks! SWilson (WMF) (talk) 12:29, 1 February 2023 (UTC)
- Someone, please do that. Many thanks. -- MASUM THE GREAT (talk) 08:41, 1 February 2023 (UTC)
- This proposal
shouldmust not be implemented without quite a few improvements to the 2FA process as is, in terms of set-up, use, support, how to handle globally, amongst others. Nosebagbear (talk) 13:28, 1 February 2023 (UTC)- The people who would be affected by this proposal are already required by Foundation policy to have 2FA enabled. This would make it a technical requirement, rather than a social one. Yes, those issues need to be addressed, but this would not make the current situation any worse. HouseBlaster (talk) 21:40, 2 February 2023 (UTC)
- Stewards/WMF Staff could have a routine audit process on this today - would likely catch most deviations. — xaosflux Talk 15:04, 12 February 2023 (UTC)
- @Xaosflux On non-crat wikis, in theory, yes. On other wikis, we can't remove permissions, so it'd be an informative campaign. Martin Urbanec (talk) 15:38, 15 February 2023 (UTC)
- I question the problem statement that initiates this request. Administrators and editors are not amongst those who have mandatory 2FA requirements, most of those who have that requirement were verified to have 2FA enabled at the time of their accession to the positions that have mandatory 2FA. There is a limited number of individuals involved, and it should be an easy activity to ensure that they maintain 2FA through periodic scripted verification that has nothing to do with anything else in this proposal. It should be noted that the limitations of the current 2FA software are very well known, and have been for years; it was never designed or intended for broad community use, but instead was designed for use by those who have very close contact with the few individuals who can reset 2FA if the user has a problem (i.e., highest level developers, WMF staff, stewards, and a few others with a long history within the community). If the desire is to improve usage of 2FA amongst those outside of this very limited group, then the software needs a major redesign as well as dedicated ongoing multilingual support by paid employees, not just a minor tweak. There have been extremely few account hijackings over the last 20 years, and to my knowledge they have all been related to poor password hygiene on the part of the account holder. It would be more cost-effective, and considerably less work, to require a password change as a condition of granting advanced permissions. Note that I fully support the proper redesign of 2FA, but right now the current 2FA is massively below the industry standard and I do not think we should be further promoting it until it is brought up to something at least close to industry standard. Risker (talk) 03:56, 21 February 2023 (UTC)
Voting
- Support Rakib (talk) 21:48, 23 February 2023 (UTC)
- Support HouseBlaster (talk) 20:31, 10 February 2023 (UTC)
- Support As pointed out by HouseBlaster, the user groups that will be affected by this proposal are already required to use 2FA. This is just making it a technical requirement. Firestar464 (talk) 20:31, 10 February 2023 (UTC)
- Support BluePenguin18 🐧 ( 💬 ) 22:17, 10 February 2023 (UTC)
- Oppose I don't see how this is any different from the status quo. --SHB2000 (talk | contribs) 22:26, 10 February 2023 (UTC)
- Support XtexChooser (talk) 01:51, 11 February 2023 (UTC)
- Support Lalalalala7 (talk) 02:09, 11 February 2023 (UTC)
- Support LD (talk) 02:31, 11 February 2023 (UTC)
- Support Hehua (talk) 02:45, 11 February 2023 (UTC)
- Support Arado Ar 196 (talk) 07:56, 11 February 2023 (UTC)
- Support Szymonel (talk) 09:00, 11 February 2023 (UTC)
- Support Lemonaka (talk) 10:32, 11 February 2023 (UTC)
- Support OtherPrivacyGuy (talk) 10:45, 11 February 2023 (UTC)
- Support OwenBlacker (Talk) 14:07, 11 February 2023 (UTC)
- Support This is extremely useful that this is enforced by technical means. Thingofme (talk) 14:46, 11 February 2023 (UTC)
- Oppose Ain't broke. --Radio-Somewhere (talk) 16:44, 11 February 2023 (UTC)
- Support Realmartcraft (talk) 17:04, 11 February 2023 (UTC)
- Support Vukky (talk) 17:56, 11 February 2023 (UTC)
- Support Novak Watchmen (talk) 18:53, 11 February 2023 (UTC)
- Support Izno (talk) 07:05, 13 February 2023 (UTC)
- Support β16 - (talk) 10:34, 13 February 2023 (UTC)
- Support ドラみそ (talk) 02:58, 14 February 2023 (UTC)
- Support cyrfaw (talk) 11:36, 15 February 2023 (UTC)
- Support -- Al Riaz Uddin Ripon (talk) 17:27, 15 February 2023 (UTC)
- Support ~ Amory (u • t • c) 16:27, 17 February 2023 (UTC)
- Support Dankowski (talk) 22:53, 17 February 2023 (UTC)
- Support Johannnes89 (talk) 11:48, 18 February 2023 (UTC)
- Support Vulcan❯❯❯Sphere! 15:15, 18 February 2023 (UTC)
- Support Anonimo88 (talk) 16:45, 18 February 2023 (UTC)
- Support enforcing 2FA on accounts with advanced permissions is an essential security measure for any website at this scale. MarioGom (talk) 18:34, 18 February 2023 (UTC)
- Support This is a security problem, and therefore not something you can say "If it ain't broke, don't fix it" to. There is no point in requiring 2FA if you don't actually require 2FA, and this is a serious issue waiting to happen. Snowmanonahoe (talk) 19:15, 18 February 2023 (UTC)
- Support Niskka2 (talk) 21:56, 19 February 2023 (UTC)
- Support Hans5958 (talk) 02:48, 20 February 2023 (UTC)
- Neutral Honestly I'm not so sure about this, while I do think it's a good idea, don't get me wrong. I don't know if this is going to really change anything though, since these affected groups are expected to use 2FA anyways. Toad40 (talk) 13:07, 20 February 2023 (UTC)
- Support Stronger security on these accounts would absolutely be a good thing. — The Hand That Feeds You:Bite 15:14, 20 February 2023 (UTC)
- Support Imran Shorif Shuvo (talk) 23:26, 20 February 2023 (UTC)
- Support Ashiqur Rahman (talk) 17:35, 20 February 2023 (UTC)
- SupportMzz Tanmay (talk) 17:40, 20 February 2023 (UTC)
- Support Hasnat Abdullah (talk) 17:42, 20 February 2023 (UTC)
- Support Mahmud (talk) 17:56, 20 February 2023 (UTC)
- Support Shahidul Hasan Roman (talk) 19:43, 20 February 2023 (UTC)
- Support I support significant encouragement and providing plenty of reminders to users (I even wrote the corresponding help page in Hebrew), but still think it's worth rethinking whether an absolute requirement is worthwhile. —מקף⁻ණ (Hyphen) 23:03, 20 February 2023 (UTC)
- Oppose this proposal as written. Would support proper redesign and re-implementation of 2FA in keeping with industry standards. Frankly, most password keepers have better 2FA than is offered on MediaWiki, and I'd rather see people be encouraged to use that instead at this time. Risker (talk) 03:58, 21 February 2023 (UTC)
- Support -- BIDROHI Hello.. 11:27, 21 February 2023 (UTC)
- Support Krzysiek 123456789 (talk) 13:02, 21 February 2023 (UTC)
- Support DrowssapSMM (talk) 16:09, 21 February 2023 (UTC)
- Support — The preceding unsigned comment was added by Mahmudul Hasan (talk) 17:23, 21 February 2023 (UTC)
- Support Gustamons (talk) 17:51, 21 February 2023 (UTC)
- Support — SHEIKH (Talk) 20:23, 21 February 2023 (UTC)
- Oppose Wikipedia isn’t a nuclear power plant. --Morten Haan (talk) 18:10, 22 February 2023 (UTC)
- I would argue it is. It's one of the most visited websites on the internet. At least on enwiki, admins have the capability to do break the site in ways that take a while to fix, and this has even happened before (although due to an accident rather than a security breach). Accounts like those of stewards could run malicious code on the computers of tens of thousands if not hundreds of thousands of users across the globe, and probably worse. Snowmanonahoe (talk) 13:11, 23 February 2023 (UTC)
- Support Fcastillo (talk) 22:01, 22 February 2023 (UTC)
- Support Ce.Rakib.Hasan (talk) 16:47, 23 February 2023 (UTC)
- Support — Masum Ibn Musa Conversation 18:20, 23 February 2023 (UTC)
- Support ~~~~
User:1234qwer1234qwer4 (talk) 17:21, 24 February 2023 (UTC)