This document offers guidance when a Wikimedia user loses access to their account and can't log in.
Wikimedia SUL account
A user can't log in if two conditions are met:
- they have a blank or incorrect email address;
- they have forgotten their password.
In such a case, social engineering must be avoided: it's necessary to ensure that the user making the request has a legitimate claim to the user account in question. A good point to check is whether the requester's e-mail address can legitimately be linked with the user.
Ensure the request is legitimate
Make sure the request is legit. This part is covered at Password reset/Confirming identities.
In particular, someone from Trust & Safety (for example James Alexander) should be notified of the password reset. It might also be a good idea to pass things to them if there are not sufficient elements to confirm the identity.
Technical procedure to follow
- On a deployment host (such as Terbium), run
mwscript resetUserEmail.php --wiki=<user's home wiki> <username> <new email>
- In your browser, go to Special:PasswordReset on the user's main wiki.
- Type in the user's name, leave the e-mail address blank and click "Reset password".
- Ask the requester to check their inbox to ensure that the password reset email was received.
- Home wiki shouldn't matter much
- MediaWiki usernames can contain UTF-8 characters. If you have difficulty using them on the terminal, you can instead use the user id prefixed with #.
Old instructions in case something goes wrong
On CentralAuth wikis, the eval.php script has the effect of updating the globaluser table (gu_email and gu_email_authenticated) and then clearing the relevant memcached key.
Reset two factor authentication
Be careful! This process is highly vulnerable to social-engineering attacks. Don't reset things just because a user asked you on IRC or via email. Before resetting someone's login, be sure to confirm their identity:
- If you recognize them, meet face-to-face or in a video chat.
- If someone on WMF staff recognizes them, have a three-way video chat where a staff member vouches.
- Have the user write a request to disable 2FA in their home directory on a Labs or Tools bastion.
A maintenance script works both for wikitech 2FA and SUL 2FA:
For wikitech 2FA, run the following on the wikitech host (silver):
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=labswiki <username>
For SUL (Wikipedia etc.) 2FA, determine a wiki on which the user exists locally (i.e. has contributions), and then run the script on terbium using that wiki:
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=<wiki> <username>
The user can then log in using just their password and re-add two factor authentication.