Actually, I consider the Google account linked to my mobile phone to be
sensitive :|

Also, lots of people might have no compatible devices.

Vito

2016-11-12 15:30 GMT+01:00 Amir Ladsgroup <ladsgr...@gmail.com>:

> There is no need to store a phone number at all.
> You need to install an app called "Google Authenticator" or a similar one.
> Then you scan a QR code from a special page in Wikipedia. Then every time
> you want to log in, you need to give username, password and a short-lived
> token the app gives you. See this for more details:
> https://lists.wikimedia.org/pipermail/labs-announce/2016-March/000104.html
>
>
>
> On Sat, Nov 12, 2016 at 5:38 PM Fæ <fae...@gmail.com> wrote:
>
> Good point Vito,
>
> I agree that mobile numbers are personal information. However, my
> understanding of the two-factor process would be that it can be set up so
> that mobile numbers are *guaranteed* to never be logged or archived
> and only stored in a constrained way for a verification number to be
> issued. There are various ways of getting two-factor processes to
> work, so methods that do not rely on mobile numbers may suit
> volunteers that are worried about sending their mobile phone number to
> any server in the USA, where there are always questions about secret
> access and storage for government agencies.
>
> We can require that guarantees are given and transparently assured for
> how any personal information like this is handled by WMF implemented
> software. It could even be an area that requires legally meaningful
> assurance, or local processing to avoid, say, Europeans sending any
> personal data to the USA.  ;-)
>
> Fae
>
> On 12 November 2016 at 13:53, Vi to <vituzzu.w...@gmail.com> wrote:
> > My phone number is something I consider highly sensitive. Linking this kind
> > of data to my online identity would be an unacceptable risk for me.
> >
> > Vito
> >
> > 2016-11-12 13:37 GMT+01:00 Amir Ladsgroup <ladsgr...@gmail.com>:
> >
> >> As far as I know 2FA is already implemented and mandatory for WMF staff
> >> accounts and wikitech accounts. https://phabricator.wikimedia.org/T107605
> >>
> >> I emphasized having 2FA for CUs, oversights and others with private data
> >> access: https://phabricator.wikimedia.org/T107605#2570342
> >> Not sure what's blocking this.
> >>
> >> Best
> >>
> >> On Sat, Nov 12, 2016 at 3:57 PM Craig Franklin <cfrank...@halonetwork.net>
> >> wrote:
> >>
> >> > I know it's been said many times, but two-factor authentication, mandatory
> >> > for accounts with advanced privileges and optionally available for everyone
> >> > else, would seem to be a logical step.  It's not foolproof, but it would go
> >> > a long way to making us less of a soft target.
> >> >
> >> > Cheers,
> >> > Craig
> >> >
> >> > On 12 November 2016 at 22:22, Fæ <fae...@gmail.com> wrote:
> >> >
> >> > > Do any of the volunteers contributing to this list have ideas for
> >> > > changes that may make a significant difference to security?
> >> > >
> >> > > Yesterday saw Jimmy Wales' Wikipedia account getting hacked, in the
> >> > > process appearing to promote an organisation.[1] It was not the only
> >> > > account compromised. This is being analysed, though as there are
> >> > > security issues being examined, the analysis has not been made public
> >> > > so far; plus it's the weekend :-)
> >> > >
> >> > > Over the last few years, there have been improvements on account set-up and
> >> > > choice of passwords, along with user suggestions for better account
> >> > > management. Users can also choose to use committed identities[2] to
> >> > > make account recovery easier, and are encouraged to use more secure
> >> > > passwords. Two-factor authentication,[3] such as using mobile phone
> >> > > text messages, has been suggested a few times by volunteers, and this
> >> > > might be a good moment to encourage the WMF to have better facilities
> >> > > built into the projects. We could even make two-factor identification
> >> > > a requirement for trusted users, such as administrators, important
> >> > > bots, and "high profile" accounts, where they may have special rights
> >> > > that could cause a fair amount of disruption if a hacked account were
> >> > > not identified quickly. Considering that some administrator accounts
> >> > > can lie dormant for many months without the actual user monitoring it,
> >> > > these could end up being far more disruptive than well-watched
> >> > > accounts like Jimmy's.
> >> > >
> >> > > We may want extra security to remain mostly optional, keeping our
> >> > > projects simple to access. Education of new volunteers and trusted
> >> > > users may be critical for making it effective, such as avoiding social
> >> > > hacking. A clearer understanding of what the community would want to
> >> > > see improved would probably help set development priorities.
> >> > >
> >> > > Links
> >> > > 1. https://en.wikipedia.org/wiki/User_talk:Jimbo_Wales#Compromised
> >> > > 2. https://en.wikipedia.org/wiki/Template:Committed_identity
> >> > > 3. https://en.wikipedia.org/wiki/Multi-factor_authentication
> >> > >
> >> > > Thanks,
> >> > > Fae
> >> > > --
> >> > > fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae
> >> > >
> >> > > _______________________________________________
> >> > > Wikimedia-l mailing list, guidelines at:
> >> > > https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
> >> > > New messages to: Wikimedia-l@lists.wikimedia.org
> >> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> >> > > <mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe>
>
> --
> fae...@gmail.com https://commons.wikimedia.org/wiki/User:Fae
>
>
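
The enrollment and login flow described in the quoted reply (scan a QR code, then supply a short-lived token), as an added example that is not part of the thread or of any Wikimedia code. It follows RFC 6238 TOTP; the URI, the names `ExampleWiki` and `SampleUser`, and the function names are constructed for illustration, and the secret is the RFC test key. Only a shared secret and a label are exchanged, no phone number.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed enrollment URI of the kind the QR code encodes (not a real account).
# The secret is the RFC 6238 test key "12345678901234567890" in Base32.
ENROLL_URI = ("otpauth://totp/ExampleWiki:SampleUser"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=ExampleWiki&digits=6&period=30")

def parse_enrollment(uri):
    """Return what the authenticator app stores after scanning the QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"label": unquote(u.path.lstrip("/")),
            "secret": base64.b32decode(q["secret"].upper()),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def totp(secret, now, digits=6, period=30):
    """RFC 6238 code (HMAC-SHA1) for Unix time `now`."""
    counter = struct.pack(">Q", int(now) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, submitted, now, last_used_step, period=30, window=1):
    """Server side: accept a code within +/- `window` time steps of `now`,
    but never a step at or before `last_used_step` (blocks replay).
    Returns the matched step so the caller can store it, or None."""
    current = int(now) // period
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        expected = totp(secret, step * period, period=period)
        if hmac.compare_digest(expected, submitted):
            return step
    return None

if __name__ == "__main__":
    acct = parse_enrollment(ENROLL_URI)
    code = totp(acct["secret"], 59)
    print(acct["label"], code, verify(acct["secret"], code, 59, last_used_step=0))
```

The server stores the same secret plus the last accepted time step; a code that has already been used, or one older than the drift window, is rejected.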