Community Wishlist Survey 2023/Miscellaneous/Fix security key (WebAuthn) support

Random proposal ►◄ Miscellaneous The survey has concluded. Here are the results!

Fix security key (WebAuthn) support

Problem: MediaWiki's support for security keys (for example YubiKeys) via WebAuthn for two-factor authentication is, well, not very good. There are two main issues:
- Security keys are tied to a single wiki. Combined with the broken cross-wiki auto-login mechanism this makes it annoying to log in.
- It is only possible to add a single key to an account. Best practices for using security keys include having several keys with access in case a single key is damaged or lost.
Proposed solution: Fix the bugs mentioned above.
Who would benefit: Users who want to secure their user accounts.
More comments:
Phabricator tickets: phab:T244088, phab:T242031
Proposer: Taavi (talk!) 11:20, 30 January 2023 (UTC)[reply]

Discussion

There is also no option to setup recovery codes, as those only work icw OathAuth. —TheDJ (talk • contribs) 11:58, 30 January 2023 (UTC)[reply]
There is T303495 which I assume would fix that. Tgr (talk) 03:31, 5 February 2023 (UTC)[reply]

Voting

Support * Pppery * _{it has begun} 03:52, 11 February 2023 (UTC)[reply]
Support Arado Ar 196 (talk) 08:40, 11 February 2023 (UTC)[reply]
Support I've used MediaWiki's WebAuthn support on and off for quite a while now and both those problems are ultimately huge issues preventing security key support from being the same positive experience I'm used to on other websites. Timawesomeness (talk) 11:25, 11 February 2023 (UTC)[reply]
Support Guerillero ^{Parlez Moi} 13:59, 11 February 2023 (UTC)[reply]
Support Cepice (talk) 14:23, 11 February 2023 (UTC)[reply]
Support CROIX (talk) 15:23, 11 February 2023 (UTC)[reply]
Support Novak Watchmen (talk) 17:33, 11 February 2023 (UTC)[reply]
Strong support I have recently acquired a hardware security key and set it as an authentication device in several of my online accounts, but couldn't do it for my Wikimedia account as that requires me to replace my existing TOTP setup (which I'd rather keep, since I may happen to not have my hardware key with me.) --Waldyrious (talk) 22:28, 11 February 2023 (UTC)[reply]
Support Thomas Kinz (talk) 22:38, 11 February 2023 (UTC)[reply]
Support This should be done to increase security and reduce vulnerability to hackers. Thingofme (talk) 03:02, 12 February 2023 (UTC)[reply]
Support MASUM THE GREAT (talk) 05:39, 12 February 2023 (UTC)[reply]
Support Rooiratel (talk) 09:32, 12 February 2023 (UTC)[reply]
Support Izno (talk) 07:43, 13 February 2023 (UTC)[reply]
Support as I want to get a security key at some point QuickQuokka ^{[⁠talk • contribs]} 19:35, 14 February 2023 (UTC)[reply]
Support cyrfaw (talk) 12:26, 16 February 2023 (UTC)[reply]
Support 3mi1y (talk) 09:13, 18 February 2023 (UTC)[reply]
Support This is, very plainly, a security defect in its current form. — Red-tailed hawk _(nest) 05:51, 20 February 2023 (UTC)[reply]
Support Amir (talk) 08:19, 20 February 2023 (UTC)[reply]
Support —TheDJ (talk • contribs) 10:57, 20 February 2023 (UTC)[reply]
Support Dr vulpes (talk) 06:18, 21 February 2023 (UTC)[reply]
Support Snowmanonahoe (talk) 13:13, 23 February 2023 (UTC)[reply]