[wp-meta] [Making WordPress.org] #77: Setup two-factor authentication for privileged WordPress accounts
Making WordPress.org
noreply at wordpress.org
Sun Feb 25 01:03:34 UTC 2018
#77: Setup two-factor authentication for privileged WordPress accounts
------------------------------------+------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: high | Milestone:
Component: Login & Authentication | Resolution:
Keywords: |
------------------------------------+------------------
Comment (by Otto42):
Reading through the various options and ways to do 2FA with SVN, it seems
to me that a form of application passwords is the only way to go. What
with so many tools being scripted and automated methods for people to do
svn operations, if we want to avoid breaking anything, then using
something like application passwords is the only way to do the job.
I'd go so far as to suggest that we generate these application passwords
ourselves and provide the users with a method to regenerate them, but not
to actually set them manually. This way we can ensure that the passwords
are long enough to be secure. An interface would need to exist to provide
the button to regenerate them.
For SVN in particular, we would need to modify the forked *_auth_mysql
library currently in use, or we'd need to change the queries that it uses
so it can find this new svn-specific password and use that.
For security, the app password should only work with the particular use
case (SVN password only works with SVN, you can't log in with it on the
website) and the app in question should start only using that app-specific
password (you can no longer use your website password for SVN commits).
These restrictions would only be in place when 2FA is enabled for that
specific account.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/77#comment:18>
Making WordPress.org <https://meta.trac.wordpress.org/>
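The scheme Otto42 sketches in the comment above, as an added worked example that is not part of the ticket and not WordPress.org's or Subversion's code: the server generates the application password (the user can regenerate it but never choose it), only a salted hash is stored, the password is accepted for the scope it was issued for and nowhere else, and once 2FA is on the account the ordinary web password stops working for SVN. The `Account` class, the scope names `"web"` and `"svn"`, the PBKDF2 parameters, and the `otp_ok` flag (standing in for whatever second-factor check the site would do) are all assumptions made for illustration.

```python
"""Scoped, server-generated application passwords (added illustration).

Assumptions: an Account holds one web password and zero or more
application passwords keyed by scope; "web" is the site login, any other
scope (here "svn") is a tool-specific login. Nothing here is WordPress.org
code; names and parameters are illustrative.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000          # illustrative work factor
APP_PASSWORD_BYTES = 24          # 192 bits of entropy -> 32 urlsafe chars
SALT_BYTES = 16


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; plaintext secrets are never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _matches(stored: Tuple[bytes, bytes], candidate: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(digest, hash_secret(candidate, salt))


class Account:
    def __init__(self, username: str, web_password: str) -> None:
        self.username = username
        self.two_factor_enabled = False
        self._web = (secrets.token_bytes(SALT_BYTES), b"")
        self._web = (self._web[0], hash_secret(web_password, self._web[0]))
        # scope -> (salt, hash); only regenerate_app_password() writes here,
        # so every app password is long and random by construction.
        self._app: Dict[str, Tuple[bytes, bytes]] = {}

    def regenerate_app_password(self, scope: str) -> str:
        """Mint a fresh password for `scope`, replacing any previous one.

        The plaintext is returned once for the user to paste into their
        tool; the server keeps only the salted hash.
        """
        plaintext = secrets.token_urlsafe(APP_PASSWORD_BYTES)
        salt = secrets.token_bytes(SALT_BYTES)
        self._app[scope] = (salt, hash_secret(plaintext, salt))
        return plaintext

    def authenticate(self, scope: str, candidate: str, otp_ok: bool = False) -> bool:
        """Decide whether `candidate` grants access to `scope`.

        "web": only the web password counts, never an app password; with
               2FA enabled the second factor (otp_ok) must also be present.
        other: the scope's own app password is accepted. While 2FA is off
               the web password still works here so existing scripted
               tooling keeps running; once 2FA is on, only the app
               password does.
        """
        if scope == "web":
            if not _matches(self._web, candidate):
                return False
            return otp_ok if self.two_factor_enabled else True

        app: Optional[Tuple[bytes, bytes]] = self._app.get(scope)
        if app is not None and _matches(app, candidate):
            return True
        if self.two_factor_enabled:
            return False
        return _matches(self._web, candidate)


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple")
    svn_pw = acct.regenerate_app_password("svn")
    print("svn accepts app password:", acct.authenticate("svn", svn_pw))
    print("web rejects app password:", not acct.authenticate("web", svn_pw))
    acct.two_factor_enabled = True
    print("web password no longer works for svn:",
          not acct.authenticate("svn", "correct horse battery staple"))
```

Regenerating a scope's password invalidates the old one immediately, which is the revocation path when a tool or workstation is lost; the real deployment would have to expose the stored hash to the SVN authentication module (the forked `*_auth_mysql` query mentioned above) rather than to the site's login path.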