[wp-meta] [Making WordPress.org] #77: Setup two-factor authentication for privileged WordPress accounts

Making WordPress.org noreply at wordpress.org
Sun Feb 25 01:36:50 UTC 2018


#77: Setup two-factor authentication for privileged WordPress accounts
------------------------------------+------------------
 Reporter:  iandunn                 |       Owner:
     Type:  enhancement             |      Status:  new
 Priority:  high                    |   Milestone:
Component:  Login & Authentication  |  Resolution:
 Keywords:                          |
------------------------------------+------------------

Comment (by dd32):

 Replying to [comment:18 Otto42]:
 > Reading through the various options and ways to do 2FA with SVN, it
 seems to me that a form of application passwords is the only way to go.

 Yeah, I've looked through everything, and unless we were to use
 `ssh+svn://` there's no real good way other than Application passwords.

 FYI, our initial intention is that 2FA won't apply to SVN and other
 locations where we use Basic auth - that's due to these requiring further
 development around how we actually authenticate it.

 > I'd go so far as to suggest that we generate these application passwords
 ourselves and provide the users with a method to regenerate them, but not
 to actually set them manually. This way we can ensure that the passwords
 are long enough to be secure. An interface would need to exist to provide
 the button to regenerate them.

 Application Passwords should never be generated by an end-user. The
 `application-password` plugin in use on w.org presently (make/hosting for
 the test reporters) generates ''okay'' passwords but could be better.
 I'd also like to extend it to allow us to specify the 'type' of password
 (This is only for SVN, This is only for XML-RPC, etc).

 > For SVN in particular, we would need to modify the forked *_auth_mysql
 library currently in use, or we'd need to change the queries that it uses
 so it can find this new svn-specific password and use that.

 Correct. I haven't discussed this with Systems yet, however I'm thinking
 that using a Subrequest module for auth would be best, for example nginx
 has http://nginx.org/en/docs/http/ngx_http_auth_request_module.html - It'd
 allow us to move the Authentication for SVN into PHP and just use
 WordPress function calls. There's a few Apache module choices there, but
 those implementation details need to be discussed with Systems directly.
 It'll also allow us to store/use the "Last time this password was used"
 functionality.

--
Ticket URL: <https://meta.trac.wordpress.org/ticket/77#comment:19>
Making WordPress.org <https://meta.trac.wordpress.org/>
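The subrequest approach dd32 sketches above, as an added illustration that is not wordpress.org's code: nginx's auth_request module hands SVN's Basic-auth credentials to a small PHP endpoint, which checks them with WordPress function calls against server-generated application passwords that carry a 'type' and a last-used timestamp. The nginx fragment, the `app_passwords` meta key and its layout, and the PHP SAPI exposing `PHP_AUTH_USER` are all assumptions.

```php
<?php
// Added illustration, not wordpress.org code: a WordPress-backed endpoint that
// nginx's auth_request module calls as a subrequest, so SVN Basic auth is checked
// with WordPress function calls against server-generated, type-scoped passwords.
//
// Assumed nginx fragment (constructed):
//   location /svn/          { auth_request /wp-app-auth; ... }
//   location = /wp-app-auth { internal; proxy_pass http://php-backend/wp-app-auth.php;
//                             proxy_pass_request_body off; proxy_set_header Content-Length ""; }
//
// Assumes WordPress is loaded (e.g. wp-load.php) and an assumed user meta key holding
// entries of the form [ 'type' => 'svn', 'hash' => <phpass hash>, 'last_used' => <unix time> ].
const APP_PW_META_KEY = 'app_passwords'; // assumed meta key

// Passwords are generated server-side; the user sees the value once and never chooses it.
function generate_application_password( int $user_id, string $type ): string {
    // 32 random bytes -> 43 URL-safe characters, longer than any user-picked password.
    $plain  = rtrim( strtr( base64_encode( random_bytes( 32 ) ), '+/', '-_' ), '=' );
    $list   = get_user_meta( $user_id, APP_PW_META_KEY, true ) ?: array();
    $list[] = array( 'type' => $type, 'hash' => wp_hash_password( $plain ), 'last_used' => 0 );
    update_user_meta( $user_id, APP_PW_META_KEY, $list );
    return $plain; // only the hash is stored
}

// Verify a login against passwords of one type only, and record when it was used.
function check_application_password( string $login, string $plain, string $type ): bool {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) { return false; }
    $list = get_user_meta( $user->ID, APP_PW_META_KEY, true ) ?: array();
    foreach ( $list as $i => $entry ) {
        if ( $entry['type'] !== $type ) { continue; } // an XML-RPC password must not open SVN
        if ( wp_check_password( $plain, $entry['hash'], $user->ID ) ) {
            $list[ $i ]['last_used'] = time(); // "last time this password was used"
            update_user_meta( $user->ID, APP_PW_META_KEY, $list );
            return true;
        }
    }
    return false;
}

// Subrequest handler: nginx allows the original request on 2xx and denies it on 401/403.
$login = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass  = $_SERVER['PHP_AUTH_PW'] ?? '';
if ( '' === $login || ! check_application_password( $login, $pass, 'svn' ) ) {
    status_header( 401 );
    header( 'WWW-Authenticate: Basic realm="WordPress.org SVN"' );
    exit;
}
status_header( 200 );
```

Because the endpoint only ever consults entries whose type is 'svn', a password issued for XML-RPC cannot be replayed against SVN, and the last_used field gives the audit data the comment asks for.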