Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-14 Thread
noticeboard#Two-Factor_Authentication_now_available_for_admins >> > >> > >> > From: Wikimedia-l <wikimedia-l-boun...@lists.wikimedia.org> on behalf of >> > Amir Ladsgroup <ladsgr...@gmail.com> >> > Ges

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-13 Thread
Task https://phabricator.wikimedia.org/T150605 I have raised the above task for the WMF to publish an appropriate summary of the behind the scenes analysis of the recent hack of accounts and the claimed copying of the English Wikipedia database (presumably user account tables). The request

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread MZMcBride
Fæ wrote: >Do any of the volunteers contributing to this list have ideas for >changes that may make a significant difference to security? When you log in, you're given a user session. This session, along with local Web browser HTTP cookies, allows you to stay logged in and authenticated as you

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread Dariusz Jemielniak
+1 to what Craig wrote: two-factor authentication, with a key stored in an authenticator application (which eliminates the problem of revealing the phone number), would definitely be a great thing - and we could make it opt-in, except for higher level functionaries. best, dariusz On Sat, Nov

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread Yongmin Hong
I believe you can find some 2FA application that isn't affiliated with Google (actually the Google Authenticator app doesn't require a Google account to be linked. Tested on iOS and Android.) Also, some desktop applications (i.e. 1password*) are 2FA compatible. * Not Free/Open Source Software. --

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread Vi to
Actually I consider to be sensitive the Google account linked to my mobile phone :| also lots of people might have no compatible devices. Vito 2016-11-12 15:30 GMT+01:00 Amir Ladsgroup : > There is no need to store phone number at all. > You need to install an app called

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread Amir Ladsgroup
There is no need to store phone number at all. You need to install an app called "Google Authenticator" or similar ones. Then you scan a QR code from a special page in Wikipedia. Then every time you want to log in, you need to give username, password and a short-lived token the app gives you. See

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread Vi to
My phone number is something I consider highly sensitive. Linking this kind of data to my online identity would be an unacceptable risk for me. Vito 2016-11-12 13:37 GMT+01:00 Amir Ladsgroup : > As far as I know 2FA is already implemented and mandatory for WMF staff >

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread Amir Ladsgroup
As far as I know 2FA is already implemented and mandatory for WMF staff accounts and wikitech accounts. https://phabricator.wikimedia.org/T107605 I emphasized having 2FA for CUs, oversights and others with private data access: https://phabricator.wikimedia.org/T107605#2570342 Not sure what's

Re: [Wikimedia-l] How should security of Wikimedia accounts be better?

2016-11-12 Thread Craig Franklin
I know it's been said many times, but two-factor authentication, mandatory for accounts with advanced privileges and optionally available for everyone else, would seem to be a logical step. It's not foolproof, but it would go a long way to making us less of a soft target. Cheers, Craig On 12