Hi Petr,

Thank you for thinking about improvements to 2FA, the lack of session persistence makes me want to buy a paper encyclopedia.

Another issue to add to your list is that a lost 2FA device (plus lost scratch codes) requires admin help or someone with DB access, because the self-serve option asks for a 2FA code in order to disable. Most industry implementations allow a 2FA reset via primary email account as well as scratch codes. There are many bugs about this, and I can't tell if the design is a feature or bug.

Here's an interesting suggestion for how to fix: https://phabricator.wikimedia.org/T180896

Regards,
Adam

On Sun, Aug 12, 2018 at 9:48 AM Petr Bena <[email protected]> wrote:
> Oh and I totally forgot to include link to phab task:
> https://phabricator.wikimedia.org/T201784
>
> On Sun, Aug 12, 2018 at 6:47 PM, Petr Bena <[email protected]> wrote:
> > Hello,
> >
> > I would like to do some major changes to two factor auth. I am cross posting this on phabricator and the mailing list to give it some more attention and to start some proper discussion before anyone starts working on this:
> >
> > Right now there are only two options for two factor authentication:
> >
> > * Don't use two-factor authentication (insecure)
> > * Use two factor authentication (annoying as hell)
> >
> > With two factor authentication it doesn't seem to be possible to make session persistent and it really is extremely annoying to look for your mobile phone, open the app and fill in the code every time you want to do some simple wiki action. I am very lazy and even found myself deciding not to do a minor change (be it a typo fix in an article on English Wikipedia etc.) rather than going through the hassle of using Google Authenticator.
> >
> > I think it would be really cool to have an option (or maybe even more of them?) that would help to specify when two factor auth is really desired, so that for example users could decide that for simple actions like wiki editing normal login would be sufficient, but for changes like:
> >
> > * Change of password
> > * Change of (some) preferences
> > * Admin actions (block, delete etc.)
> >
> > P.S. Unfortunately I no longer have so much free time to track every single thread in this mailing list, so maybe this is a duplicate of some older idea by someone else; if that's the case, please merge the phab task with whatever the other identical proposal is.
> >
> > Thank you
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
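The step-up policy Petr describes (normal login is enough for ordinary edits, a fresh second factor is demanded for password changes, preference changes and admin actions, while the session itself stays persistent) can be expressed as a small authorization decision. This is an added illustration, not code from MediaWiki or its OATHAuth extension; the action names, the 15-minute freshness window and the 30-day remembered-session lifetime are assumptions, and the TOTP/scratch-code check itself is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy (not MediaWiki's): actions that need a fresh second factor.
# Plain edits are deliberately absent, so a remembered session suffices for them.
STEP_UP_ACTIONS = {"change_password", "change_email", "change_preferences",
                   "block", "delete", "protect"}
STEP_UP_WINDOW = 15 * 60              # assumption: a 2FA check stays fresh 15 minutes
REMEMBERED_SESSION_MAX = 30 * 86400   # assumption: persistent session lives 30 days


@dataclass
class Session:
    user: str
    login_at: int                                  # Unix time of the password login
    last_second_factor_at: Optional[int] = None    # None: no 2FA check yet this session


def requires_step_up(session, action, now):
    """True if `action` needs a (fresh) second-factor check before it may proceed."""
    if action not in STEP_UP_ACTIONS:
        return False
    if session.last_second_factor_at is None:
        return True
    return now - session.last_second_factor_at > STEP_UP_WINDOW


def authorize(session, action, now, second_factor_verified=False):
    """Return 'allow', 'step_up' (prompt for TOTP/scratch code) or 'reauthenticate'.
    `second_factor_verified` is the outcome of the hypothetical TOTP/scratch-code
    check the login layer ran for this request; the check itself is out of scope."""
    if now - session.login_at > REMEMBERED_SESSION_MAX:
        return "reauthenticate"                # the persistent session itself expired
    if second_factor_verified:
        session.last_second_factor_at = now    # a fresh check opens a new window
    if requires_step_up(session, action, now):
        return "step_up"                       # sensitive action, stale or missing 2FA
    return "allow"                             # plain edit, or 2FA still fresh


def walkthrough():
    """Constructed scenario: a 3-day-old remembered session doing mixed actions."""
    now = 3 * 86400
    s = Session("petr", login_at=0)
    return [
        authorize(s, "edit", now),                   # allow: no 2FA needed for edits
        authorize(s, "change_password", now),        # step_up: never verified yet
        authorize(s, "change_password", now, True),  # allow: code accepted
        authorize(s, "block", now + 5 * 60),         # allow: check still fresh
        authorize(s, "block", now + 20 * 60),        # step_up: window expired
        authorize(s, "edit", 31 * 86400),            # reauthenticate: session too old
    ]
```

Keeping the second-factor timestamp in the session rather than a per-device flag is what lets "remember this browser" coexist with a re-prompt for the sensitive actions listed in the proposal.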
