As far as I know 2FA is already implemented and mandatory for WMF staff accounts and wikitech accounts. https://phabricator.wikimedia.org/T107605
I emphasized on having 2fa for CUs, oversights and others with private data access: https://phabricator.wikimedia.org/T107605#2570342 Not sure what's blocking this. Best On Sat, Nov 12, 2016 at 3:57 PM Craig Franklin <cfrank...@halonetwork.net> wrote: > I know it's been said many times, but two-factor authentication, mandatory > for accounts with advanced privileges and optionally available for everyone > else, would seem to be a logical step. It's not foolproof, but it would go > a long way to making us less of a soft target. > > Cheers, > Craig > > On 12 November 2016 at 22:22, Fæ <fae...@gmail.com> wrote: > > > Do any of the volunteers contributing to this list have ideas for > > changes that may make a significant difference to security? > > > > Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the > > process appearing to promote an organisation.[1] It was not the only > > account compromised. This is being analysed, though as there are > > security issues being examined, the analysis has not been made public > > so far; plus it's the weekend :-) > > > > Over the last few years, there have improvements on account set-up and > > choice of passwords, along with user suggestions for better account > > management. Users can also chose to use committed identities[2] to > > make account recovery easier, and are encouraged to use more secure > > passwords. Two-factor authentication,[3] such as using mobile phone > > text messages, has been suggested a few times by volunteers, and this > > might be a good moment to encourage the WMF to have better facilities > > built into the projects. We could even make two-factor identification > > a requirement for trusted users, such as administrators, important > > bots, and "high profile" accounts, where they may have special rights > > that could cause a fair amount of disruption if a hacked account were > > not identified quickly. Considering that some administrator accounts > > can lie dormant for many months without the actual user monitoring it, > > these could end up being far more disruptive than well-watched > > accounts like Jimmy's. > > > > We may want extra security to remain mostly optional, keeping our > > projects simple to access. Education of new volunteers and trusted > > users may be critical for making it effective, such as avoiding social > > hacking. A clearer understanding of what the community would want to > > see improved would probably help set development priorities. > > > > Links > > 1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised > > 2. https://en.wikipedia.org/wiki/Template:Committed_identity > > 3. https://en.wikipedia.org/wiki/Multi-factor_authentication > > > > Thanks, > > Fae > > -- > > fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae > > > > _______________________________________________ > > Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ > > wiki/Mailing_lists/Guidelines > > New messages to: Wikimedia-l@lists.wikimedia.org > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> > _______________________________________________ > Wikimedia-l mailing list, guidelines at: > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines > New messages to: Wikimedia-l@lists.wikimedia.org > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe> _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
