[wp-meta] [Making WordPress.org] #77: Setup two-factor authentication for privileged WordPress accounts

Making WordPress.org noreply at wordpress.org
Tue Jan 30 06:16:44 UTC 2018


#77: Setup two-factor authentication for privileged WordPress accounts
------------------------------------+------------------
 Reporter:  iandunn                 |       Owner:
     Type:  enhancement             |      Status:  new
 Priority:  high                    |   Milestone:
Component:  Login & Authentication  |  Resolution:
 Keywords:                          |
------------------------------------+------------------

Comment (by dd32):

Remaining questions about implementation that come to my mind:
  - Do we support a way for a user to disable 2FA when they've lost their access?
    - Automated reset-password email style with a time-delay, or do we require that they email the password-resets supportpress?
  - Do we want to support backup codes? How should they work?
    - Should a backup code be treated the same as logging in normally with a 2FA device or is it more limited?
  - Where do users manage the 2FA process?
    - Personally I think this is a good time to introduce `login.wordpress.org/my-account` where we can have this kind of thing (and future account-related stuff). That would allow a future `profiles.wordpress.org` to be a read-only service which would simplify things a bit.
  - How does WordCamp.org/BuddyPress.org/bbPress.org/SVN fit into this?
    - IMHO the other *.org properties should be updated to login through `login.wordpress.org` with an SSO redirect back to the property.
    - SVN access, other HTTP Basic Auth, Trac XML-RPC, etc. would bypass 2FA requirements initially, with future iterations to find a solution there.
      - SVN: svn+ssh is the only way to do a 2FA challenge.
      - Alternatively, application-passwords also fit this purpose.

--
Ticket URL: <https://meta.trac.wordpress.org/ticket/77#comment:13>
Making WordPress.org <https://meta.trac.wordpress.org/>