[wp-meta] [Making WordPress.org] #77: Setup two-factor authentication for privileged WordPress accounts

Making WordPress.org noreply at wordpress.org
Thu Aug 15 02:20:17 UTC 2013


#77: Setup two-factor authentication for privileged WordPress accounts
------------------------+---------------------
Reporter:  iandunn      |      Owner:
    Type:  enhancement  |     Status:  new
Priority:  major        |  Component:  General
Keywords:               |
------------------------+---------------------
 All WordPress accounts on the various community sites should be required
 to pass multiple auth factors when logging in, if they could potentially
 cause trouble in the event that they were hacked. The existing measures
 are great, but 2FA would provide an extra layer of protection, without
 placing an unreasonable burden on users.

 '''Who?'''
 Definitely Admins and Super Admins, but possibly also Editors. Maybe it
 shouldn't be mandatory for admins on individual WordCamp.org sites, but it
 should at least be an option.

 The SSO adds a couple of complicating factors here, though:

 * If there are certain sites where it isn't mandatory, there'd have to be
 a way to ensure that you couldn't just log in to a single-factor site and
 then browse over to a multi-factor site without passing the additional
 factor.

 * Similarly, it will also need to account for the fact that users have
 different roles on different sites. So, someone who's a Subscriber on site
 A and administrator on site B should be required to pass the second factor
 when logging into site B, even if they're already logged in from site A.

 '''How?'''
 Google Authenticator and Duo Security are the first two that come to mind,
 but there may be others that would fit well. Both have existing WP plugins
 that could potentially be leveraged one way or another.

 Another option might be to use WordPress.com Connect. That would mean
 relying on an external service, though, and we'd need a way to enforce
 that the targeted users have 2FA enabled on their account.

 '''What else?'''
 What other issues are there that need to be addressed?

--
Ticket URL: <http://meta.trac.wordpress.org/ticket/77>
Making WordPress.org <http://meta.trac.wordpress.org/>
WordPress blogging software
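The two SSO concerns raised in the ticket (a session from a single-factor site must not carry over to a multi-factor site, and the same user may need a second factor on site B but not on site A) come down to recording which factors a session has actually satisfied and comparing that against what each site's role policy demands. The block below is an added example illustrating that model together with the TOTP check that Google Authenticator performs (RFC 6238 over RFC 4226 HOTP); it is not code from the ticket, from WordPress, or from either plugin mentioned, and it is in Python rather than PHP so it can be run stand-alone. The site names, user names, `SitePolicy`/`Session` structures and the `require_2fa`/`opted_in` switches are assumptions made for the illustration; the test secret is the one published in RFC 6238 Appendix B.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# ---- Second factor: TOTP as used by Google Authenticator (RFC 6238 / RFC 4226) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, at // step, digits)

def match_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1):
    """Return the time-step counter whose code matches (allowing +/- skew steps of
    clock drift), or None. Comparison is constant-time to avoid a timing side channel."""
    base = at // step
    for counter in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

# ---- SSO session and per-site role policy (assumed model, not WordPress's) ----

PRIVILEGED_ROLES = {"administrator", "super_admin", "editor"}

@dataclass
class SitePolicy:
    roles: dict                 # user -> role on this site; missing users are subscribers
    require_2fa: bool = True    # False where 2FA is optional, e.g. an individual WordCamp site

@dataclass
class Session:
    user: str
    # Factors this SSO session has actually passed. A login through a single-factor
    # site yields {"password"} only, so it cannot be mistaken for a 2FA login elsewhere.
    factors: set = field(default_factory=lambda: {"password"})

def required_factors(policy: SitePolicy, user: str, opted_in: bool = False) -> set:
    """What a given site demands of a given user, based on that user's role there."""
    role = policy.roles.get(user, "subscriber")
    if role in PRIVILEGED_ROLES and (policy.require_2fa or opted_in):
        return {"password", "totp"}
    return {"password"}

def check_access(session: Session, policy: SitePolicy, opted_in: bool = False) -> str:
    """'allow' if the session already satisfies the site's policy, otherwise
    'step_up:<missing factors>' so the site can prompt for the second factor."""
    missing = required_factors(policy, session.user, opted_in) - session.factors
    return "allow" if not missing else "step_up:" + ",".join(sorted(missing))

def complete_step_up(session: Session, secret: bytes, code: str, at: int,
                     used_counters: dict) -> bool:
    """Verify the TOTP and, on success, record the factor on the SSO session.
    The matched counter is remembered per user so the same code cannot be replayed
    inside the skew window (a code is one-time, not valid for the whole window)."""
    counter = match_totp(secret, code, at)
    if counter is None or counter <= used_counters.get(session.user, -1):
        return False
    used_counters[session.user] = counter
    session.factors.add("totp")
    return True

# Constructed sample data: alice is a Subscriber on site A and an Administrator on site B.
SITE_A = SitePolicy(roles={"alice": "subscriber"})
SITE_B = SitePolicy(roles={"alice": "administrator"})
WORDCAMP_SITE = SitePolicy(roles={"bob": "administrator"}, require_2fa=False)
RFC6238_SECRET = b"12345678901234567890"   # test secret from RFC 6238 Appendix B

if __name__ == "__main__":
    alice = Session(user="alice")
    used = {}
    print(check_access(alice, SITE_A))                       # allow
    print(check_access(alice, SITE_B))                       # step_up:totp
    print(complete_step_up(alice, RFC6238_SECRET, totp(RFC6238_SECRET, 59), 59, used))
    print(check_access(alice, SITE_B))                       # allow once totp is on the session
```

The important design choice is that the site decides on every request by comparing the session's satisfied factors with the role it sees locally, rather than trusting that "logged in somewhere" means "logged in well enough here"; the optional-2FA case is just a policy flag plus a per-user opt-in, and a code that has already been accepted is refused even though it is still inside the drift window.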