[wp-meta] [Making WordPress.org] #77: Setup two-factor authentication for privileged WordPress accounts
Making WordPress.org
noreply at wordpress.org
Tue Jan 30 06:16:44 UTC 2018
#77: Setup two-factor authentication for privileged WordPress accounts
------------------------------------+------------------
Reporter: iandunn | Owner:
Type: enhancement | Status: new
Priority: high | Milestone:
Component: Login & Authentication | Resolution:
Keywords: |
------------------------------------+------------------
Comment (by dd32):
Remaining questions about implementation that come to my mind:

 - Do we support a way for a user to disable 2FA when they've lost their access?
   - Automated reset-password email style with a time-delay, or do we require that they email the password-resets supportpress?
 - Do we want to support backup codes? How should they work?
   - Should a backup code be treated the same as logging in normally with a 2FA device, or is it more limited?
 - Where do users manage the 2FA process?
   - Personally I think this is a good time to introduce `login.wordpress.org/my-account` where we can have this kind of thing (and future account-related stuff). That would allow a future `profiles.wordpress.org` to be a read-only service, which would simplify things a bit.
 - How does WordCamp.org/BuddyPress.org/bbPress.org/SVN fit into this?
   - IMHO the other *.org properties should be updated to log in through `login.wordpress.org` with an SSO redirect back to the property.
   - SVN access, other HTTP Basic Auth, Trac XML-RPC, etc. would bypass 2FA requirements initially, with future iterations to find a solution there.
     - SVN: svn+ssh is the only way to do a 2FA challenge.
     - Alternatively, application-passwords also fit this purpose.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/77#comment:13>
Making WordPress.org <https://meta.trac.wordpress.org/>
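Two of the open questions in the comment above (whether a backup code should grant the same session as a 2FA device, and whether application-passwords can cover SVN-over-HTTPS and Trac XML-RPC clients that cannot answer a challenge) come down to how such secondary credentials are minted, stored and scoped. The sketch below is an added example written for this page; it is not code from wordpress.org, the ticket, or any WordPress plugin, and it is in Python rather than PHP purely for illustration. The names (`Account`, `Session`, `redeem_backup_code`, `create_application_password`, `authorize`), the code format (two groups of five characters from an alphabet without 0/o/1/i/l), the PBKDF2 round count and the action names checked by `authorize` are all assumptions. The points it is meant to show: codes and tokens are shown to the user once and only a salted hash is stored; a backup code is consumed on first use; a backup-code login yields a session that can only repair 2FA (the "more limited" option), while an application-password login yields a session that can only reach API-style actions and never account settings.

```python
"""Backup codes and application passwords as hashed, single-purpose secondary
credentials. Added example for this page; not code from wordpress.org."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Alphabet without 0/o, 1/i/l so a code read back from paper is unambiguous.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 50_000  # assumed parameter; tune to the login server's budget

# Assumed action names: a recovery session may only repair 2FA.
RECOVERY_ACTIONS = {"disable_2fa", "enroll_2fa_device", "regenerate_backup_codes"}


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    backup_code_hashes: List[bytes] = field(default_factory=list)
    app_password_hashes: dict = field(default_factory=dict)  # label -> hash


@dataclass
class Session:
    username: str
    scope: str  # "full" (2FA device) | "recovery" (backup code) | "api" (app password)


def _hash_secret(account: Account, secret: str) -> bytes:
    """Salted slow hash: a 10-character code has ~50 bits of entropy, so a leaked
    table of fast hashes would be brute-forceable offline."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), account.salt, PBKDF2_ROUNDS)


def _find_match(hashes: List[bytes], candidate: bytes) -> int:
    """Index of the stored hash equal to candidate, or -1. Every entry is compared
    with a constant-time check and the loop never exits early."""
    match = -1
    for i, h in enumerate(hashes):
        if hmac.compare_digest(h, candidate):
            match = i
    return match


def generate_backup_codes(account: Account, count: int = 10) -> List[str]:
    """Mint a fresh set (replacing any old one) and return the plaintext exactly once."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    account.backup_code_hashes = [_hash_secret(account, c) for c in codes]
    return codes


def redeem_backup_code(account: Account, typed: str) -> Optional[Session]:
    """Single use: the matching hash is deleted and the session is limited to recovery."""
    typed = typed.strip().lower().replace("-", "")
    if len(typed) != 10:
        return None
    normalized = f"{typed[:5]}-{typed[5:]}"
    idx = _find_match(account.backup_code_hashes, _hash_secret(account, normalized))
    if idx < 0:
        return None
    del account.backup_code_hashes[idx]
    return Session(account.username, scope="recovery")


def create_application_password(account: Account, label: str) -> str:
    """Long random token for non-interactive clients (SVN over HTTPS, XML-RPC) that
    cannot answer a 2FA challenge. Stored hashed, keyed by label so it can be revoked."""
    token = secrets.token_urlsafe(24)
    account.app_password_hashes[label] = _hash_secret(account, token)
    return token


def authenticate_application_password(account: Account, token: str) -> Optional[Session]:
    candidate = _hash_secret(account, token)
    if _find_match(list(account.app_password_hashes.values()), candidate) < 0:
        return None
    return Session(account.username, scope="api")


def revoke_application_password(account: Account, label: str) -> None:
    account.app_password_hashes.pop(label, None)


def authorize(session: Session, action: str) -> bool:
    """Scope check: full sessions do anything; recovery sessions only repair 2FA;
    API sessions only reach actions prefixed "api:" and never account settings."""
    if session.scope == "full":
        return True
    if session.scope == "recovery":
        return action in RECOVERY_ACTIONS
    return action.startswith("api:")


if __name__ == "__main__":
    acct = Account("example-user")  # constructed sample account
    for code in generate_backup_codes(acct):
        print(code)  # shown once; only hashes remain on the account
    print(redeem_backup_code(acct, "zzzzz-zzzzz"))  # unknown code -> None
```

Whether a recovery session should also be allowed to disable 2FA outright, or only to re-enrol a device, is exactly the policy choice the comment leaves open; the example puts both behind the same limited scope so the decision is a one-line change to `RECOVERY_ACTIONS` rather than a change to the login flow.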