Help talk:Two-factor authentication

From Wikitech

Multiple devices

(I'm checking this help page again since it seems 2FA might have suddenly become mandatory.) I've not enabled two-factor auth so far because I don't want to tie my authentication to any single specific device, and especially not my phone (which is the device I trust the least; I don't use it for anything serious). Other services explicitly say things like «The authentication key (seed) that we give you can be used for multiple devices simultaneously». If it is the case here too, I would like to be reassured before I embark upon this. Nemo 14:29, 18 February 2017 (UTC)

There is nothing on the server side that can tell what device the token was generated by, so yes you can copy the same seed into multiple TOTP clients. --BryanDavis (talk) 16:11, 18 February 2017 (UTC)
Alright. This may feel obvious but it's not to the users, so it's worth saying explicitly in the help page. Nemo 00:15, 19 February 2017 (UTC) P.S.: I see that the seed is often stored unencrypted by clients. This means it's less safe than my password. :)
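An added illustration of the point made in the two comments above (not part of the discussion and not Wikitech's or MediaWiki's code): a minimal RFC 6238 TOTP in Python, assuming the common defaults of HMAC-SHA1, 30-second steps and 6 digits, which this page does not state for Wikitech. The seed is the RFC's published test key, and `totp`, `server_verify` and `demo` are hypothetical names.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 published test key, base32-encoded the way seeds are usually shown.
SEED = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_b32, unix_time, step=30, digits=6):
    """Code for the time step containing unix_time (RFC 6238 over RFC 4226)."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify(seed_b32, submitted, unix_time, window=1, step=30):
    """Accept a code from the current step or `window` steps either side.

    The inputs are only the stored seed, the submitted digits and the clock:
    nothing identifies which client produced the code.
    """
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def demo():
    # Two clients provisioned with the same seed, clocks 9 seconds apart
    # but inside the same 30-second step (constructed timestamps).
    laptop = totp(SEED, 1111111100)
    phone = totp(SEED, 1111111109)
    return laptop, phone, server_verify(SEED, phone, 1111111120)


if __name__ == "__main__":
    print(demo())
```

Because the code depends only on the seed and the clock, every stored copy of the seed needs the same protection as a password.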
The announcement of Horizon generally was given on labs-announce on 2016-03-23. Horizon has had mandatory 2FA protection since it was initially deployed. Before Horizon, 2FA was suggested for all project administrators, but that was not enforced. It was easier to make it mandatory when adding support for our 2FA to the upstream project, and the change was endorsed by the Wikimedia Security team at the time. Horizon use is not required to use Labs broadly, but it is required for project administrators to allow creating and managing OpenStack instances. --BryanDavis (talk) 16:56, 18 February 2017 (UTC)
I remember reading that one; the general tone was like "please help test this beta thingy". Moreover, it links Help:Horizon FAQ which for instance includes a paragraph "These actions may remain on Wikitech" which seems outdated to me. Some things appear to have started enforcing new requirements just in the last few days.
A follow-up announcement on the things which now actually require Horizon, and an explicit note that this means two-factor auth is required for those things, is in order. It's annoying to discover such things at the very last minute when you're trying to get something done; let's not frustrate our users unnecessarily. Nemo 00:15, 19 February 2017 (UTC)

Resetting scratch codes

Is the only way to reset scratch codes disabling then re-enabling 2FA? Sam Wilson 08:40, 13 May 2018 (UTC)

@Sam, Yes. Quiddity (talk) 17:26, 13 May 2018 (UTC)
@Quiddity: Thanks. I've added a note to the page. Sam Wilson 23:40, 13 May 2018 (UTC)

Server-Error when trying to enable 2FA

My authenticator device changed, so I disabled 2FA in the wikitech preferences to enable it again for the new device. But when trying to enable it again - after entering the new 2FA code for confirmation and hitting the submit button - I'm getting a Server-Error: PHP fatal error: Argument 1 passed to Monolog\Processor\WebProcessor::__invoke() must be an instance of array, null given. Can someone have a look at what's wrong there? tgritschacher (talk) 15:16, 28 November 2018 (UTC)

I tried again today and it worked! Issue resolved. tgritschacher (talk) 09:03, 29 November 2018 (UTC)