Thanks for the good news about OATH.

Are WMF staff required to use some form of authentication in addition to a
password for their email and other sensitive accounts? Now might be a good
time to look at the security of staff account access. I would think about
requiring Google's standard two factor authentication via password and cell
phone.

Of course mobile phone security should also be considered. Encrypting all
mobile phones (and other mobile devices like tablets and laptops) used for
Foundation business would be good as well.

Pine

On Aug 7, 2014 2:04 PM, "Chris Steipp" <cste...@wikimedia.org> wrote:

> On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo <tylerro...@gmail.com> wrote:
> > In terms of external authentication, we need Extension:OpenID to catch
> > up to the OpenID standard in order to do that.
> >
> > In terms of two-factor, I have like eight patches for Extension:OATHAuth
> > attempting to make it production-worthy.
> >
> > https://gerrit.wikimedia.org/r/132783
>
> Nice! I hadn't realized you had got so far on this. Maybe Ryan and I
> can get those merged in...
>
> To address Risker's comment, OATH is an open standard with lots of
> tools to generate the tokens, so you can use a secure token if you
> want to be more secure, or a browser plugin if you're just worried
> about someone stealing your password (which would significantly help
> our threat model in countries where we can't force https).
>
> Client TLS certificates are sadly really hard to manage in any sort of
> secure way, when you don't control the end user's machines.
>
> > --
> > Tyler Romeo
> > 0x405D34A7C86B42DF
> >
> > From: svetlana <svetl...@fastmail.com.au>
> > Reply: Wikimedia developers <wikitech-l@lists.wikimedia.org>
> > Date: August 6, 2014 at 7:57:12
> > To: wikitech-l@lists.wikimedia.org <wikitech-l@lists.wikimedia.org>
> > Subject: Re: [Wikitech-l] News about stolen Internet credentials;
> > reducing Wikimedia reliance on usernames and passwords
> >
> > On Wed, 6 Aug 2014, at 21:49, Andre Klapper wrote:
> >> On Tue, 2014-08-05 at 22:05 -0700, Pine W wrote:
> >> > After reading this [1] I am wondering if Wikimedia should start taking
> >> > steps to reduce reliance on usernames and passwords.
> >>
> >> What "steps" do you refer to, or is this intentionally vague?
> >> Disallowing usernames and logins?
> >> Two-step authentication/verification?
> >> Something else?
> >>
> >> andre
> >
> > from what i could read and parse:
> > use less of external things like skype and google accounts
> > so that there is only 1 username for everything
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
