Help talk:Two-factor authentication/Archive 1
This is an archive of past discussions about Help:Two-factor authentication. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
Archive 1
Questions that don't seem to be answered here or anywhere else.
- If I set this up using a smartphone, do I need to use the phone every time I log in?
- If so, does it have to be the same phone?
- If I opt in to this, and decide it's too much hassle, can I opt out again?
I should point out that I use a very strong password, unique to WP, but in the light of further hacking today I'm willing to consider further security. Optimist on the run (talk) 22:38, 16 November 2016 (UTC)
@Optimist on the run: answers below. — xaosflux Talk 22:48, 16 November 2016 (UTC)
- You have to use it anytime you are currently prompted for a password, you will also need the code. If you "remember me" on a computer and don't need a password each time, you won't need this each time - unless you do something like try to change your email or password.
- You can register MULTIPLE phones - they will all produce the same code.
- You can unenroll whenever you want right now. — xaosflux Talk 22:48, 16 November 2016 (UTC)
Google Authenticator
Can we please not encourage use of Google Authenticator? First, there are better authenticators available, mainly with features like syncing or backup. (Who wants to deal with the hell when users update their phones and Google Authenticator no longer opens or cannot import the content?) Second, don't we support free and open solutions? For iOS there is an app made by Fedora people. I'd even put Authy before GA for its functionality. I used GA for a while because it helped popularize the use of 2FA but enlightened upon deciding to search for alternatives that many others are ahead of the curve. If GA needs to be listed, let's suggest it third. czar 17:06, 16 November 2016 (UTC)
- I wrote about Google Authenticator because it's the only thing I tried and hence all I know how to write up. If you know how to make this work with another device, add it to the document. I share Linus Torvalds' view on open-source solutions, which is use them if they work for you, and don't use them if they don't. As the ha-ha-only-serious page Wikipedia:WikiSpeak says, "Ogg Vorbis : An audio file format. It is not supported by most commonly used audio software and is unheard of by anyone other than extreme free software nerds, and therefore has been adopted as the standard audio format for Wikipedia." Couldn't have put it better myself :-) PS: around here, "GA" means Good Article, watch your acronyms! Ritchie333 (talk) (cont) 17:13, 16 November 2016 (UTC)
- 2FA secrets should never be backed up: that defeats the idea of 2FA, which is that being able to generate a valid code proves you have physical possession of the phone. Instead of backing up the app contents, you should save an offline copy of the recovery codes shown at enrollment time. Those let you turn off 2FA by entering a recovery code. 50.0.136.56 (talk) 06:50, 18 November 2016 (UTC)
Userbox
Seems to me that this would be a good idea to have a userbox for. I've never created one before, but I took a stab at making it, anyway. So, here's an initial attempt. If everyone hates the idea, it can die here. Jauerbackdude?/dude. 13:04, 17 November 2016 (UTC)
2FA | This user has enabled Two-Factor Authentication.
- @Jauerback: Noooooooooooo, I created {{User 2FA}} a little while back - yours looks nicer though, feel free to replace the code (though please keep the category) -- samtar talk or stalk 13:10, 17 November 2016 (UTC)
- No that's ok, yours is fine. I didn't realize one already existed. Jauerbackdude?/dude. 13:33, 17 November 2016 (UTC)
- I don't see an obvious practical exploit, but this box seems to give away info to attackers unnecessarily. They should not be able to tell whether someone has 2FA enabled or not. I'd also get rid of the category. 50.0.136.56 (talk) 06:57, 18 November 2016 (UTC)
- @.56: This crossed my mind - however there is no real advantage gained for the attacker from knowing if an account was using 2FA, other than to perhaps exclude them from brute force attacks or if an exploit with the 2FA system is found -- samtar talk or stalk 08:13, 18 November 2016 (UTC)
- I agree with '56, I wouldn't put this userbox on my page per WP:BEANS. Ritchie333 (talk) (cont) 12:41, 18 November 2016 (UTC)
- Valid point, but I would assume most hackers would go for an account with less security. Then again, BEANS does exist for a reason. Jauerbackdude?/dude. 15:29, 18 November 2016 (UTC)
I still feel the same way as before (of course it's even more important to avoid identifying accounts that don't use 2FA) but I changed the userbox contents to Jauerback's version, per Samtar's comment that it looks nicer (I also think it looks nicer). 50.0.136.56 (talk) 00:49, 19 November 2016 (UTC)
page move
This page should be converted from WP:ESSAY to a help page. 50.0.136.56 (talk) 07:07, 18 November 2016 (UTC)
- I would hope that's the long-term aim, but I wanted to wait until the page was a bit more mature first, with examples supplied by several editors. I'd quite like it to eventually usurp the "official" WP:2FA page, which is a soft redirect at the moment. Ritchie333 (talk) (cont) 12:40, 18 November 2016 (UTC)
- Sounds good. The page should hopefully become pretty foolproof by the time 2FA is made available to all accounts. A lot of people will want to refer to the page then. 50.0.136.56 (talk) 00:51, 19 November 2016 (UTC)
outside review
Can we ask for some outside review of this page from non-technical editors? We contributors are all too caught up in it to have good judgment about whether it serves its purpose as well as it could. I thought of a few people to ping but maybe it can be done more formally. The review request shouldn't be to "sell" 2FA, but just to get opinions on whether the page is readable and not too long-winded. It can include non-admins even though only admins can currently activate 2FA. Thoughts are welcome. 50.0.136.56 (talk) 00:42, 19 November 2016 (UTC)
User:Bishonen, can you take a look at the page and post any comments here? I'm not asking you to activate 2FA (that's entirely up to you) but just to let us know if the page makes it comprehensible or what improvements it needs. I thought of you because I remember your post in the AN thread about the topic being unclear. Maybe this makes it better--let us know. Thanks. 50.0.136.56 (talk) 05:36, 20 November 2016 (UTC)
- User:Bishonen - repeating ping attempt since the one above might have failed from a typo I made. 50.0.136.56 (talk) 05:37, 20 November 2016 (UTC)
- Oh, you don't have to explain why you chose me as a good example of a non-technical editor! :-) (You're quite right about that, though I can do a few unexpected things, such as block IPv6 ranges.) Thanks for asking. I have two questions:
- 1. The assumption that everybody has and uses a smartphone is worrying for me. I know it's incredible, but I don't use one; I can't get comfortable with them. The implication on the page seems to be that it will be a pest, every time, to use 2FA from a desktop computer. Is that right?
- A: You have to use 2FA any time you currently have to enter your password. So if you use a desktop and normally "keep me logged in" you don't have to use it each time from that computer. — xaosflux Talk 06:00, 20 November 2016 (UTC)
- Ahh... yes, Xaosflux... I essentially do use "keep me logged in", but (blushes) I still log in and out quite a bit. Compare [1]. Bishonen | talk 06:17, 20 November 2016 (UTC).
- A possible ease of use for your use case would be to use multiple browsers, or private browsing sessions for your alt accounts. On my normal desktop, I use one browser for most of my use, but if I need to log in as a test user or say my bot account, I use a private browsing session or another browser - that way I can stay logged in. Not "flawless" but it could help you. — xaosflux Talk 16:13, 20 November 2016 (UTC)
- 2. Do I need 2FA, if I have a strong password which I don't use anywhere else, and nobody outside my highly reliable family gets near my computer? I heard on the grapevine that those admin accounts were able to be hacked because they used the same password somewhere else (a mailing list?). Is that true? Bishonen | talk 05:54, 20 November 2016 (UTC).
- Thanks for the comments and no worries about the smartphone, I don't use one either. Re your questions:
1) Using 2FA on a desktop shouldn't be much different than using it on a phone. You launch the program and then there's a window showing a 6 digit number that changes once a minute, that you enter along with your password. I haven't used the Windows program mentioned but you might even be able to make the window real small and leave it on your screen, or put it in one of the taskbar indicators like the date/time display, so you don't even have to click anything to use it.
2) I think you are reasonably safe with what you describe. What seems to have happened is various people used the same username/password on Wikipedia and some site XYZ, then XYZ got compromised and all of its usernames and passwords spilled, and then the attacker tried the XYZ usernames/passwords on Wikipedia and a lot of them worked (or they might have inferred usernames from email addresses, or whatever). I don't know what XYZ was, but that's a common attack that has happened to many sites (I remember some Adobe.com site spilling millions of passwords a few years ago). I just generate random distinct passwords for everything and store them in the browser password vault, so I don't actually know any of my own passwords.
We should improve the documentation about the Windows desktop token, and add them for Mac and Linux. 50.0.136.56 (talk) 06:16, 20 November 2016 (UTC)
- OK, thanks. What's that "browser password vault"? I want one! Bishonen | talk 06:20, 20 November 2016 (UTC).
- It's just a feature in browsers where the browser offers to remember different passwords for you, and it can encrypt the collection under a master password that you enter when you launch the browser (so that's just one password to remember). In Firefox you can turn it on by going to Preferences -> Security and checking "Remember logins for sites". There's something similar in Chrome but I don't know how to operate it. 50.0.136.56 (talk) 06:24, 20 November 2016 (UTC)
I'll be away for a few days but others here or on WP:RDC should be able to handle further questions/issues. Bye for now. 50.0.136.56 (talk) 07:00, 20 November 2016 (UTC)
- "We should improve the documentation about the Windows desktop token, and add them for Mac and Linux." Couldn't agree more, and the only reason I personally haven't done it is because I haven't tried it, and as I seem to be a bit of an Apple fanboy, I don't use Windows software unless forced to at gunpoint (or just use Wine). However, if nobody else is prepared to improve the non-smartphone documentation, I guess muggins here will give it a go. Ritchie333 (talk) (cont) 14:06, 21 November 2016 (UTC)
- Good ol' muggins - tell you what, I'll work on the Windows aspect and let you deal with the widely loved Apple product. Linux is going to be nice and easy, because I'm sure there's hundreds of TOTP clients and it's safe to assume Linux users are at least somewhat technical -- samtar talk or stalk 14:31, 21 November 2016 (UTC)
possible minor error
- Page says "However, because the key is time-based, it may change while you're doing this, in which case you'll have to add the latest key instead."
Could someone with 2FA test that and possibly update the doc? Log in with 2FA, wait for the code to flip over to a new one, and then enter the old code a few seconds later? Servers generally allow some leeway in the timing to deal with this situation, and also to handle slight timekeeping discrepancies between the server and the 2FA device. But I don't want to change the document unless it's been tested. 50.0.136.56 (talk) 07:15, 18 November 2016 (UTC)
- Tested, and given my understanding of TOTP the old code should invalidate the moment a new code is generated. I imagine there is a slight leeway, though not enough for me to get in on an old code -- samtar talk or stalk 08:16, 18 November 2016 (UTC)
- Can you confirm, you entered the old code a few seconds after the code flipped, and you couldn't log in? I'd report that as a bug. You should get a decent size window, maybe as much as half a minute (using a code from yesterday should of course fail). The hardware tokens in the picture are basically cheap digital watches with different packaging and firmware. So their clocks drift by as much as a few seconds per week. Server-side software is supposed to allow for that, partly by tracking the amount of drift for a given token. 50.0.136.56 (talk) 17:04, 18 November 2016 (UTC)
- I've had a look now - the code on Google Authenticator is normally blue, but changes to red immediately before the key expires and changes. Ritchie333 (talk) (cont) 14:12, 21 November 2016 (UTC)
- The technical answer is that at any moment, the current code, the four codes before and the four codes after will be accepted, unless they have been used before. This is to account for clock divergence between client and server as well as input errors and submitting right at the moment where the generator will rotate to the next key. Users shouldn't have to worry about that. —TheDJ (talk • contribs) 11:19, 22 November 2016 (UTC)
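A server-side check that follows the acceptance rule TheDJ describes (the current code, the four before and the four after, each accepted at most once), written here as an added Python example that is not code from this page or from MediaWiki. The 30-second step and 6-digit length are the RFC 6238 defaults, and the secret and timestamp in the demo are constructed values; the ±4 window is taken from the comment above rather than verified against the live server.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # RFC 6238 default time step (assumed; the thread above says "once a minute")
DIGITS = 6
WINDOW = 4          # steps accepted either side of "now", per TheDJ's comment (assumption)


def totp_code(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP truncation over a time-step counter, i.e. RFC 6238 TOTP with HMAC-SHA1."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server side: accept codes within +/-WINDOW steps and refuse re-use of an accepted step."""

    def __init__(self, secret: bytes, window: int = WINDOW):
        self.secret = secret
        self.window = window
        self.used_counters: set[int] = set()          # per-account replay protection

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used_counters:
                continue                              # "unless they have been used before"
            if hmac.compare_digest(totp_code(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


def demo() -> dict:
    """Walk through the cases discussed in this thread with a constructed secret and fixed clock."""
    secret = b"constructed-demo-secret"               # constructed; real secrets are random bytes
    now = 1_700_000_000                                # fixed "now" so the result is reproducible
    current = now // STEP_SECONDS
    verifier = TotpVerifier(secret)
    just_expired = totp_code(secret, current - 1)      # the code that flipped a few seconds ago
    return {
        "just_expired_accepted": verifier.verify(just_expired, now),   # inside the window
        "just_expired_replayed": verifier.verify(just_expired, now),   # same code again: refused
        "slow_clock_accepted": verifier.verify(totp_code(secret, current - 3), now),  # 90 s drift
        "yesterday_rejected": verifier.verify(totp_code(secret, current - 2880), now),
    }
```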