Help talk:Two-factor authentication/Archive 1
This is an archive of past discussions about Help:Two-factor authentication. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
Questions that don't seem to be answered here or anywhere else.
- If I set this up using a smartphone, do I need to use the phone every time I log in?
- If so, does it have to be the same phone?
- If I opt in to this, and decide it's too much hassle, can I opt out again?
I should point out that I use a very strong password, unique to WP, but in the light of further hacking today I'm willing to consider further security. Optimist on the run (talk) 22:38, 16 November 2016 (UTC)
Optimist on the run answers below. — xaosflux Talk 22:48, 16 November 2016 (UTC)
- Any time you are currently prompted for a password, you will also need the code. If you "remember me" on a computer and don't need a password each time, you won't need this each time - unless you do something like try to change your email or password.
- You can register MULTIPLE phones - they will all produce the same code.
- You can unenroll whenever you want right now. — xaosflux Talk 22:48, 16 November 2016 (UTC)
Google Authenticator
Can we please not encourage use of Google Authenticator? First, there are better authenticators available, mainly with features like syncing or backup. (Who wants to deal with the hell when users update their phones and Google Authenticator no longer opens or cannot import the content?) Second, don't we support free and open solutions? For iOS there is an app made by Fedora people. I'd even put Authy before GA for its functionality. I used GA for a while because it helped popularize the use of 2FA but was enlightened, upon deciding to search for alternatives, that many others are ahead of the curve. If GA needs to be listed, let's suggest it third. czar 17:06, 16 November 2016 (UTC)
- I wrote about Google Authenticator because it's the only thing I tried and hence all I know how to write up. If you know how to make this work with another device, add it to the document. I share Linus Torvalds' view on open-source solutions, which is use them if they work for you, and don't use them if they don't. As the ha-ha-only-serious page Wikipedia:WikiSpeak says, "Ogg Vorbis : An audio file format. It is not supported by most commonly used audio software and is unheard of by anyone other than extreme free software nerds, and therefore has been adopted as the standard audio format for Wikipedia." Couldn't have put it better myself :-) PS: around here, "GA" means Good Article, watch your acronyms! Ritchie333 (talk) (cont) 17:13, 16 November 2016 (UTC)
- 2FA secrets should never be backed up: that defeats the idea of 2FA, which is that being able to generate a valid code proves you have physical possession of the phone. Instead of backing up the app contents, you should save an offline copy of the recovery codes shown at enrollment time. Those let you turn off 2FA by entering a recovery code. 50.0.136.56 (talk) 06:50, 18 November 2016 (UTC)
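The comment above describes the recovery codes shown at enrollment time as the thing to keep offline instead of a backup of the authenticator secret. The following is an added illustration of how a site can handle such codes on its side; it is not MediaWiki's code and does not describe how Wikipedia actually stores them. It assumes the usual design: the codes are random, the server keeps only salted hashes of them, and each code is consumed on first use so a leaked or shoulder-surfed code cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Number of codes handed to the user at enrollment (assumed value, not Wikipedia's).
DEFAULT_CODE_COUNT = 10


def generate_recovery_codes(n: int = DEFAULT_CODE_COUNT) -> list[str]:
    """Return n random single-use codes, formatted as xxxxx-xxxxx for easy transcription.

    The plaintext codes are shown to the user exactly once; the server never stores them.
    """
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(5)  # 10 hex characters = 40 bits of entropy per code
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalize(code: str) -> str:
    """Tolerate the formatting a user is likely to type: case, spaces and the hyphen."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen database does not yield usable codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """Server-side record for one account: a salt plus the hashes of the unused codes."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, code: str) -> bool:
        """Accept the code once: on success it is removed so it can never be reused."""
        candidate = hash_code(code, self.salt)
        for i, stored in enumerate(self.unused):
            # Constant-time comparison; the hashes are fixed-length so this is safe.
            if hmac.compare_digest(candidate, stored):
                del self.unused[i]
                return True
        return False


if __name__ == "__main__":
    issued = generate_recovery_codes(3)
    print("Show these to the user once:", issued)
    store = RecoveryCodeStore(issued)
    print("first use:", store.redeem(issued[0]))   # True
    print("second use:", store.redeem(issued[0]))  # False, already consumed
    print("codes left:", store.remaining())        # 2
```

The point the comment makes is visible in the design: nothing the server holds can regenerate an authenticator code, and a recovery code only helps someone who has the user's offline copy, and only once.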
Userbox
Seems to me that this would be a good idea to have a userbox for. I've never created one before, but I took a stab at making it, anyway. So, here's an initial attempt. If everyone hates the idea, it can die here. Jauerbackdude?/dude. 13:04, 17 November 2016 (UTC)
2FA: This user has enabled Two-Factor Authentication.
- @Jauerback: Noooooooooooo, I created {{User 2FA}} a little while back - yours looks nicer though, feel free to replace the code (though please keep the category) -- samtar talk or stalk 13:10, 17 November 2016 (UTC)
- No that's ok, yours is fine. I didn't realize one already existed. Jauerbackdude?/dude. 13:33, 17 November 2016 (UTC)
- I don't see an obvious practical exploit, but this box seems to give away info to attackers unnecessarily. They should not be able to tell whether someone has 2FA enabled or not. I'd also get rid of the category. 50.0.136.56 (talk) 06:57, 18 November 2016 (UTC)
- @.56: This crossed my mind - however there is no real advantage gained for the attacker from knowing if an account was using 2FA, other than to perhaps exclude them from brute force attacks or if an exploit with the 2FA system is found -- samtar talk or stalk 08:13, 18 November 2016 (UTC)
- I agree with '56, I wouldn't put this userbox on my page per WP:BEANS. Ritchie333 (talk) (cont) 12:41, 18 November 2016 (UTC)
- Valid point, but I would assume most hackers would go for an account with less security. Then again, BEANS does exist for a reason. Jauerbackdude?/dude. 15:29, 18 November 2016 (UTC)
I still feel the same way as before (of course it's even more important to avoid identifying accounts that don't use 2FA) but I changed the userbox contents to Jauerback's version, per Samtar's comment that it looks nicer (I also think it looks nicer). 50.0.136.56 (talk) 00:49, 19 November 2016 (UTC)
page move
This page should be converted from WP:ESSAY to a help page. 50.0.136.56 (talk) 07:07, 18 November 2016 (UTC)
- I would hope that's the long-term aim, but I wanted to wait until the page was a bit more mature first, with examples supplied by several editors. I'd quite like it to eventually usurp the "official" WP:2FA page, which is a soft redirect at the moment. Ritchie333 (talk) (cont) 12:40, 18 November 2016 (UTC)
- Sounds good. The page should hopefully become pretty foolproof by the time 2FA is made available to all accounts. A lot of people will want to refer to the page then. 50.0.136.56 (talk) 00:51, 19 November 2016 (UTC)
outside review
Can we ask for some outside review of this page from non-technical editors? We contributors are all too caught up in it to have good judgment about whether it serves its purpose as well as it could. I thought of a few people to ping but maybe it can be done more formally. The review request shouldn't be to "sell" 2FA, but just to get opinions on whether the page is readable and not too long-winded. It can include non-admins even though only admins can currently activate 2FA. Thoughts are welcome. 50.0.136.56 (talk) 00:42, 19 November 2016 (UTC)
User:Bishonen, can you take a look at the page and post any comments here? I'm not asking you to activate 2FA (that's entirely up to you) but just to let us know if the page makes it comprehensible or what improvements it needs. I thought of you because I remember your post in the AN thread about the topic being unclear. Maybe this makes it better--let us know. Thanks. 50.0.136.56 (talk) 05:36, 20 November 2016 (UTC)
- User:Bishonen - repeating ping attempt since the one above might have failed from a typo I made. 50.0.136.56 (talk) 05:37, 20 November 2016 (UTC)
- Oh, you don't have to explain why you chose me as a good example of a non-technical editor! :-) (You're quite right about that, though I can do a few unexpected things, such as block IPv6 ranges.) Thanks for asking. I have two questions:
- 1. The assumption that everybody has and uses a smartphone is worrying for me. I know it's incredible, but I don't use one; I can't get comfortable with them. The implication on the page seems to be that it will be a pest, every time, to use 2FA from a desktop computer. Is that right?
- A: You have to use 2FA any time you currently have to enter your password. So if you use a desktop and normally "keep me logged in" you don't have to use it each time from that computer. — xaosflux Talk 06:00, 20 November 2016 (UTC)
- Ahh... yes, Xaosflux... I essentially do use "keep me logged in", but (blushes) I still log in and out quite a bit. Compare [1]. Bishonen | talk 06:17, 20 November 2016 (UTC).
- A possible ease of use for your use case would be to use multiple browsers, or private browsing sessions for your alt accounts. On my normal desktop, I use one browser for most of my use, but if I need to log in as a test user or say my bot account, I use a private browsing session or another browser - that way I can stay logged in. Not "flawless" but it could help you. — xaosflux Talk 16:13, 20 November 2016 (UTC)
- 2. Do I need 2FA, if I have a strong password which I don't use anywhere else, and nobody outside my highly reliable family gets near my computer? I heard on the grapevine that those admin accounts were able to be hacked because they used the same password somewhere else (a mailing list?). Is that true? Bishonen | talk 05:54, 20 November 2016 (UTC).
- Thanks for the comments and no worries about the smartphone, I don't use one either. Re your questions:
1) Using 2FA on a desktop shouldn't be much different than using it on a phone. You launch the program and then there's a window showing a 6 digit number that changes once a minute, that you enter along with your password. I haven't used the Windows program mentioned but you might even be able to make the window real small and leave it on your screen, or put it in one of the taskbar indicators like the date/time display, so you don't even have to click anything to use it.
2) I think you are reasonably safe with what you describe. What seems to have happened is various people used the same username/password on Wikipedia and some site XYZ, then XYZ got compromised and all of its usernames and passwords spilled, and then the attacker tried the XYZ usernames/passwords on Wikipedia and a lot of them worked (or they might have inferred usernames from email addresses, or whatever). I don't know what XYZ was, but that's a common attack that has happened to many sites (I remember some Adobe.com site spilling millions of passwords a few years ago). I just generate random distinct passwords for everything and store them in the browser password vault, so I don't actually know any of my own passwords.
We should improve the documentation about the Windows desktop token, and add them for Mac and Linux. 50.0.136.56 (talk) 06:16, 20 November 2016 (UTC)
- OK, thanks. What's that "browser password vault"? I want one! Bishonen | talk 06:20, 20 November 2016 (UTC).
- It's just a feature in browsers where the browser offers to remember different passwords for you, and it can encrypt the collection under a master password that you enter when you launch the browser (so that's just one password to remember). In Firefox you can turn it on by going to Preferences -> Security and checking "Remember logins for sites". There's something similar in Chrome but I don't know how to operate it. 50.0.136.56 (talk) 06:24, 20 November 2016 (UTC)
I'll be away for a few days but others here or on WP:RDC should be able to handle further questions/issues. Bye for now. 50.0.136.56 (talk) 07:00, 20 November 2016 (UTC)
- "We should improve the documentation about the Windows desktop token, and add them for Mac and Linux." Couldn't agree more, and the only reason I personally haven't done it is because I haven't tried it, and as I seem to be a bit of an Apple fanboy, I don't use Windows software unless forced to at gunpoint (or just use Wine). However, if nobody else is prepared to improve the non-smartphone documentation, I guess muggins here will give it a go. Ritchie333 (talk) (cont) 14:06, 21 November 2016 (UTC)
- Good ol' muggins - tell you what, I'll work on the Windows aspect and let you deal with the widely loved Apple product. Linux is going to be nice and easy, because I'm sure there's hundreds of TOTP clients and it's safe to assume Linux users are at least somewhat technical -- samtar talk or stalk 14:31, 21 November 2016 (UTC)