[wp-meta] [Making WordPress.org] #77: Set up two-factor authentication for privileged WordPress accounts
Making WordPress.org
noreply at wordpress.org
Thu Aug 15 02:20:17 UTC 2013
#77: Set up two-factor authentication for privileged WordPress accounts
------------------------+---------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: major | Component: General
Keywords: |
------------------------+---------------------
All WordPress accounts on the various community sites should be required
to pass multiple auth factors when logging in, if they could potentially
cause trouble in the event that they were hacked. The existing measures
are great, but 2FA would provide an extra layer of protection, without
placing an unreasonable burden on users.
'''Who?'''
Definitely Admins and Super Admins, but possibly also Editors. Maybe it
shouldn't be mandatory for admins on individual WordCamp.org sites, but it
should at least be an option.
The SSO adds a couple of complicating factors here, though:
* If there are certain sites where it isn't mandatory, there'd have to be
a way to ensure that you couldn't just login to a single-factor site and
then browse over to a multi-factor site without passing the additional
factor.
* Similarly, it will also need to account for the fact that users have
different roles on different sites. So, someone who's a Subscriber on site
A and administrator on site B should be required to pass the second factor
when logging into site B, even if they're already logged in from site A.
'''How?'''
Google Authenticator and Duo Security are the first two that come to mind,
but there may be others that would fit well. Both have existing WP plugins
that could potentially be leveraged one way or another.
Another option might be to use WordPress.com Connect. That would mean
relying on an external service, though, and we'd need a way to enforce
that the targeted users have 2FA enabled on their account.
'''What else?'''
What other issues are there that need to be addressed?
--
Ticket URL: <http://meta.trac.wordpress.org/ticket/77>
Making WordPress.org <http://meta.trac.wordpress.org/>
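The per-site step-up rule the ticket asks for (second factor required by the role held on the site being visited, not by where the SSO session was opened) sketched as a small policy check. This is an added example, not code from the ticket or from the WordPress.org systems; the role list, session shape and `authorize_request` helper are assumptions, and Super Admin status is folded into the administrator role for simplicity.

```php
<?php
// Roles treated as privileged (assumption: Editors included, which the
// ticket leaves open; Super Admins are modelled as 'administrator').
const PRIVILEGED_ROLES = ['administrator', 'editor'];

/**
 * Decide whether a request to $site may proceed over the shared SSO session.
 *
 * $session: ['user' => string, 'second_factor_at' => int|null] (shared across sites)
 * $roles:   site => role the user holds on that site
 * $site_requires_2fa: site => bool, the per-site opt-in for non-mandatory sites
 * Returns 'allow', 'require_second_factor' or 'deny'.
 */
function authorize_request(array $session, array $roles, array $site_requires_2fa,
                           string $site, int $now, int $max_age = 43200): string {
    if (empty($session['user'])) {
        return 'deny';
    }
    // Role is looked up for the site being visited, never carried over from
    // the site where the session was first created.
    $role = $roles[$site] ?? 'subscriber';
    $privileged = in_array($role, PRIVILEGED_ROLES, true);
    // A site that has not opted in (e.g. an individual WordCamp site) skips the
    // check; an unknown site defaults to mandatory.
    $needs_factor = $privileged && ($site_requires_2fa[$site] ?? true);
    if (!$needs_factor) {
        return 'allow';
    }
    $verified_at = $session['second_factor_at'] ?? null;
    // Only a second factor completed in this session and still fresh counts;
    // a first-factor-only login elsewhere gives no credit here.
    if ($verified_at === null || ($now - $verified_at) > $max_age) {
        return 'require_second_factor';
    }
    return 'allow';
}

// Constructed sample: alice is a Subscriber on site A and Administrator on site B,
// and has logged in on site A with a password only.
$session = ['user' => 'alice', 'second_factor_at' => null];
$roles   = ['a.example.org' => 'subscriber', 'b.example.org' => 'administrator'];
$policy  = ['a.example.org' => false, 'b.example.org' => true];
$now     = time();
echo authorize_request($session, $roles, $policy, 'a.example.org', $now), "\n";
echo authorize_request($session, $roles, $policy, 'b.example.org', $now), "\n";
$session['second_factor_at'] = $now; // after alice completes the second factor
echo authorize_request($session, $roles, $policy, 'b.example.org', $now), "\n";
```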