[wp-meta] [Making WordPress.org] #77: Setup two-factor authentication for privileged WordPress accounts
Making WordPress.org
noreply at wordpress.org
Sun Feb 25 01:36:50 UTC 2018
#77: Setup two-factor authentication for privileged WordPress accounts
------------------------------------+------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: high | Milestone:
Component: Login & Authentication | Resolution:
Keywords: |
------------------------------------+------------------
Comment (by dd32):
Replying to [comment:18 Otto42]:
> Reading through the various options and ways to do 2FA with SVN, it
> seems to me that a form of application passwords is the only way to go.
Yeah, I've looked through everything, and unless we were to use
`ssh+svn://` there's no real good way other than Application passwords.
FYI, our initial intention is that 2FA won't apply to SVN and other
locations we use Basic auth - that's due to these requiring further
development around how we actually authenticate it.
> I'd go so far as to suggest that we generate these application passwords
> ourselves and provide the users with a method to regenerate them, but not
> to actually set them manually. This way we can ensure that the passwords
> are long enough to be secure. An interface would need to exist to provide
> the button to regenerate them.
Application Passwords should never be generated by an end-user. The
`application-password` plugin in use on w.org presently (make/hosting for
the test reporters) generates ''okay'' passwords but could be better.
I'd also like to extend it to allow us to specify the 'type' of password
(This is only for SVN, This is only for XML-RPC, etc).
> For SVN in particular, we would need to modify the forked *_auth_mysql
> library currently in use, or we'd need to change the queries that it uses
> so it can find this new svn-specific password and use that.
Correct. I haven't discussed this with Systems yet, however I'm thinking
that using a Subrequest module for auth would be best, for example nginx
has http://nginx.org/en/docs/http/ngx_http_auth_request_module.html - It'd
allow us to move the Authentication for SVN into PHP and just use
WordPress function calls. There's a few Apache module choices there, but
those implementation details need to be discussed with Systems directly.
It'll also allow us to store/use the "Last time this password was used"
functionality.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/77#comment:19>
Making WordPress.org <https://meta.trac.wordpress.org/>
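As an added illustration of the subrequest design dd32 sketches in the comment above (example code, not from the ticket or from WordPress.org's systems): nginx's `auth_request` hands SVN's Basic-auth credentials to a PHP endpoint, which accepts only a server-generated, SVN-only application password and records when it was last used. The table name, column names and the nginx wiring described in the comment are assumptions.

```php
<?php
/* Assumed nginx front-end (not from the ticket): the SVN location carries
 * "auth_request /_svn_auth;" and an internal "location = /_svn_auth" that
 * proxies to this script with "proxy_set_header Authorization $http_authorization;"
 * and "proxy_pass_request_body off;". nginx allows the request only on a 200 reply.
 * PHP fills PHP_AUTH_USER / PHP_AUTH_PW from that Basic Authorization header. */

// Passwords are generated server-side; the user only gets a "regenerate" button.
function generate_app_password(): string {
    return bin2hex(random_bytes(16));            // 128 bits of entropy, 32 hex chars
}

// Store a hash plus the password's type ('svn', 'xmlrpc', ...), never the plaintext.
// Table and column names are assumed for this example.
function store_app_password(int $user_id, string $type, string $plain): void {
    global $wpdb;
    $wpdb->insert('wp_app_passwords', [
        'user_id' => $user_id, 'type' => $type,
        'hash'    => password_hash($plain, PASSWORD_DEFAULT), 'last_used' => null,
    ]);
}

// auth_request endpoint: 200 only for a valid SVN-type password belonging to that user.
function svn_auth_endpoint(): void {
    global $wpdb;
    $user = get_user_by('login', $_SERVER['PHP_AUTH_USER'] ?? '');
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user && $pass !== '') {
        $rows = $wpdb->get_results($wpdb->prepare(
            "SELECT id, hash FROM wp_app_passwords WHERE user_id = %d AND type = 'svn'",
            $user->ID));
        foreach ($rows as $row) {
            if (password_verify($pass, $row->hash)) {
                // Record the "last time this password was used" data dd32 mentions.
                $wpdb->update('wp_app_passwords',
                    ['last_used' => current_time('mysql')], ['id' => $row->id]);
                http_response_code(200);
                return;
            }
        }
    }
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="WordPress.org SVN"');
}
svn_auth_endpoint();
```

Because the endpoint only ever sees the `Authorization` header, the same script can serve other Basic-auth locations by changing the `type` it queries for, which is the per-location password type dd32 proposes.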