Why do they keep opening their mouths? WHY?
A major problem with 2FA as presently implemented is that there is no mechanism in place for resetting 2FA in the event a user is locked out. At present the process is to open a ticket on phabricator and try to convince a developer that the request is both legitimate and worthy of attention.
2FA lockouts can occur fairly easily and are common over a time horizon of years with a user base numbering in the thousands.
The main problem in dealing with reset requests is confirming the legitimacy of the request. While we do not have a policy at the present time, we should be able to create one combining elements of:
- The passage of time, so that the legitimate operator of an account has the opportunity to log in and reject the request
- Comparing the requestor's identity to previous public statements by the account
- Comparison of the requestor's appearance to photos from meetups or other similar events
- Confirmation that the email address associated with the account is under the requestor's control
This is a process that requires judgment that is best performed by someone answerable to the ENWP community. I believe that the 'crats are in the best position to perform these tasks.
I believe the best process to achieve this would be to build consensus locally and then involve WMF trust and safety. I would imagine that we would be forwarding approved reset requests for 2FA reset to developers (perhaps via phabricator) until there is sufficient volume to warrant an automated interface.
I believe that having a well-defined, fair process for 2FA resets will speed the adoption of 2FA and improve security. Even if the existing 2FA system is replaced with something better, the need for a process for handling reset requests will be ongoing.
I'm starting here and if there is sufficient support can open an RfC or otherwise get this in front of a wider audience.
UninvitedCompany 22:06, 6 May 2019 (UTC)
Firstly, the fact it is incredibly hard to recover a 2FA protected account after you've done all the things you need to do get locked out of it, is not a bug, it is a FEATURE.
As people have already pointed out, you cannot even get into Phabricator without your account, and a local policy for a global system is idiotic. But on it goes, getting discussed like these people have a clue.
Consider this - if a standard password is like a door key, then getting locked out of a 2FA protected account is like losing your door key, and losing your spare key, and losing your spare spare key, and it happening after you were specifically instructed to keep your spare keys safe and secure. You have to be that kind of fuckwit. You have to be a Jehochman.
That scenario is very apt, because typically your only way out of that situation, is finding some way to prove you are the legitimate owner of the house. That is not a "problem", that is how it should work, reflecting the gravitas of the situation you put yourself in, by being such a moron.
But let's drop that analogy, because you know what? WIKIPEDIA ALREADY HAS A WAY DEVS CAN VERIFY YOU OWN THE ACCOUNT WITHOUT REVEALING ANY PERSONAL INFORMATION.
It's called committed identity. If you know you're going to enable 2FA and you're the sort of idiot who loses their house keys a lot, then you can have a backup to your backup. All it involves is you remembering a different passphrase, creating a hash from it and posting that somewhere a dev can find it. Give the dev your passphrase and voila, he knows you were the one who posted the hash. Like a locksmith who accepts cash and asks no questions.
Probably not a good idea to write the passphrase down on a computer, but much like 2FA scratch codes, there is minimal risk to you writing it down and keeping it in a place you know is safe and secure. Keep it in a different place to your scratch codes, not because that is a necessary protection for the security system (an attacker having one is as bad for you as having both), but because it has already been established that you lose shit, easily, even stuff you were specifically told it was important not to lose.
Shocked that creating a backup for your backup is this easy? You should not be. It has been a well known feature of enhanced Wikipedia account security, the sort of thing anyone who isn't a security risk, even someone who is just curious, would be aware of, because many users have their public key posted, well, publicly. Christ knows what Bishonen thinks they are. Pretty patterns? Secret codes for passing snide messages between little users?
It is perhaps understandable that the help page for 2FA doesn't mention this backup to your backup, because it is an extra thing to remember and really is a bit like having three spare keys for your house, which might make you feel secure, but won't really convince anyone that you should really be trusted with a house at all. But it is mentioned in the "User account security" page, which is linked from there.
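The committed-identity mechanism described in the reply above is a plain hash commitment: the owner publishes a digest of a secret phrase now, and reveals the phrase later to whoever needs to check ownership. The following is an added example written for this page, not code from the thread, from Wikipedia, or from the committed-identity template itself. It assumes SHA-512 as the default digest (the template's documented default); the Unicode/whitespace normalization, the constant-time comparison and the 20-character minimum are this example's own choices, added because the digest is public by design and a short secret would not survive offline guessing, and because a phrase typed years later with a stray space must still verify.

```python
import hashlib
import hmac
import unicodedata

# SHA-512 is the default of Wikipedia's committed-identity template; the
# minimum length is a rule chosen for this example, not a Wikipedia rule.
DEFAULT_ALGORITHM = "sha512"
MIN_PASSPHRASE_CHARS = 20


def normalize(passphrase: str) -> str:
    """Canonicalise the secret before hashing so the same phrase typed years
    later (trailing newline, composed vs. decomposed accents) still matches."""
    return unicodedata.normalize("NFC", passphrase.strip())


def passphrase_is_acceptable(passphrase: str) -> bool:
    """Reject secrets too short to withstand guessing against a public digest."""
    return len(normalize(passphrase)) >= MIN_PASSPHRASE_CHARS


def commit(passphrase: str, algorithm: str = DEFAULT_ALGORITHM) -> str:
    """Return the hex digest the owner posts publicly (the commitment)."""
    if not passphrase_is_acceptable(passphrase):
        raise ValueError(
            f"passphrase must be at least {MIN_PASSPHRASE_CHARS} characters")
    data = normalize(passphrase).encode("utf-8")
    return hashlib.new(algorithm, data).hexdigest()


def verify(claimed_passphrase: str, published_digest: str,
           algorithm: str = DEFAULT_ALGORITHM) -> bool:
    """The verifier's side: recompute the digest from the revealed phrase and
    compare it with the posted one in constant time."""
    data = normalize(claimed_passphrase).encode("utf-8")
    recomputed = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(recomputed, published_digest.strip().lower())


if __name__ == "__main__":
    # Constructed sample secret. A real one should also contain something
    # only the owner knows (name, e-mail address, etc.), not just a phrase.
    secret = "constructed example: my name, my e-mail, and a long random phrase"
    posted = commit(secret)
    print("post this on your user page:", posted)
    print("owner reveals the phrase:", verify(secret, posted))
    print("someone else guessing:", verify("a different phrase entirely here", posted))
```

The published digest commits the owner to the phrase without disclosing it; anyone who later presents a phrase that hashes to the posted value demonstrates knowledge of the secret that was chosen before the dispute arose. Note that the commitment is only as strong as the phrase behind it, since the digest is public and can be guessed against offline, which is why the minimum-length check exists.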