{P92465}

Change #1286469 had a related patch set uploaded (by Alex.sanford; author: Alex.sanford):

[operations/mediawiki-config@master] Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3

https://gerrit.wikimedia.org/r/1286469

Change #1286469 merged by jenkins-bot:

[operations/mediawiki-config@master] Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3

https://gerrit.wikimedia.org/r/1286469

Mentioned in SAL (#wikimedia-operations) [2026-05-12T20:03:35Z] <alexsanford@deploy1003> Started scap sync-world: Backport for [[gerrit:1285905|Enforce 2FA requirements for phase 2 groups (T423119)]], [[gerrit:1286469|Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3 (T423119 T423120)]]

Mentioned in SAL (#wikimedia-operations) [2026-05-12T20:05:31Z] <alexsanford@deploy1003> alexsanford: Backport for [[gerrit:1285905|Enforce 2FA requirements for phase 2 groups (T423119)]], [[gerrit:1286469|Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3 (T423119 T423120)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2026-05-12T20:15:22Z] <alexsanford@deploy1003> Finished scap sync-world: Backport for [[gerrit:1285905|Enforce 2FA requirements for phase 2 groups (T423119)]], [[gerrit:1286469|Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3 (T423119 T423120)]] (duration: 11m 47s)

Change #1287453 had a related patch set uploaded (by Alex.sanford; author: Alex.sanford):

[mediawiki/extensions/WikimediaMessages@master] Add messages related to mandatory 2FA for more groups

https://gerrit.wikimedia.org/r/1287453

Change #1287453 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Add messages related to mandatory 2FA for more groups

https://gerrit.wikimedia.org/r/1287453

Change #1293161 had a related patch set uploaded (by Alex.sanford; author: Alex.sanford):

[operations/mediawiki-config@master] Enforce 2FA requirements for phase 3 groups

https://gerrit.wikimedia.org/r/1293161

What happens if someone doesn't have 2FA after 2FA is turned on? Does the account become de facto disabled for doing everything until it's turned on?

I was kind of expecting to see 2FA associated with user rights rather than user groups, that way user rights could be marked as 2FA required / blocked when the user doesn't have 2FA, without affecting the rest of the account. But on the technical side, enforcement appears to be by user groups?

In T423120#11956067, @Novem_Linguae wrote:

What happens if someone doesn't have 2FA after 2FA [enforcement – I guess] is turned on? Does the account become de facto disabled for doing everything until it's turned on?

For simplicity, assume we're talking about a bureaucrat who don't have 2FA (for other groups in question it works the same). The way we are deploying the config:

• For initial 2 weeks the account will be able to do all actions as if they weren't bureaucrat (but had other groups they have). For instance, they are perfectly able to edit pages, block users (if they are admin). Their membership in bureaucrat group is disabled – until they enable 2FA. Once they enable 2FA, their 'crat membership is automatically enabled. From that point on, they won't be able to completely disable 2FA on their account (as long as they are member of a 2FA-requiring group).
• After the initial 2 weeks, we enable automatic demotion. All bureaucrats, who haven't enabled 2FA yet, will actually lose membership in that group. From that point on, if they enable 2FA, they won't get 'crat permissions back automatically. Instead, they have to be manually added to the group.

To make it clear, I'll stress it out – the 2FA enforcement we're deploying in this task is only about being able to use rights provided by certain sensitive groups, not about preventing access to wiki at all.

I was kind of expecting to see 2FA associated with user rights rather than user groups, that way user rights could be marked as 2FA required / blocked when the user doesn't have 2FA, without affecting the rest of the account. But on the technical side, enforcement appears to be by user groups?

Yes, enforcement is by user groups, as we're unable to partially revoke user membership in a group. But this part "without affecting the rest of the account" still holds – we're not affecting the account as a whole, only the group configured to require 2FA.

The old 2FA enforcement mechanism (that was active since spring 2025 until March 2026) was rights-based. While it did encourage active users to enable 2FA to use their sensitive permissions, it did not actually secure inactive accounts (those who had their permissions left in a disabled state). If an attacker took over such account, they would be able to configure 2FA on such account and freely use the sensitive permissions. The current approach ensures that all sensitive rights holders either configure 2FA or lose potential access to the rights (without explicit action by someone else).

In T423120#11956587, @mszwarc wrote:

The old 2FA enforcement mechanism (that was active since spring 2025 until March 2026) was rights-based. While it did encourage active users to enable 2FA to use their sensitive permissions, it did not actually secure inactive accounts (those who had their permissions left in a disabled state). If an attacker took over such account, they would be able to configure 2FA on such account and freely use the sensitive permissions. The current approach ensures that all sensitive rights holders either configure 2FA or lose potential access to the rights (without explicit action by someone else).

Ah I didn't think of that. That makes sense. Thanks for the explanation.

For the technically curious, looking at the patches, looks like all this is done with the $wgRestrictedGroups config variable.

In T423120#11956633, @Novem_Linguae wrote:

For the technically curious, looking at the patches, looks like all this is done with the $wgRestrictedGroups config variable.

That's right.

Change #1293161 merged by jenkins-bot:

[operations/mediawiki-config@master] Enforce 2FA requirements for phase 3 groups

https://gerrit.wikimedia.org/r/1293161

Mentioned in SAL (#wikimedia-operations) [2026-05-26T20:09:19Z] <alexsanford@deploy1003> Started scap sync-world: Backport for [[gerrit:1293161|Enforce 2FA requirements for phase 3 groups (T423120)]], [[gerrit:1293794|Re-enable ReadingLists survey on beta cluster (T426781)]]

A more user-friendly view of $wgRestrictedGroups is available at https://meta.wikimedia.org/wiki/Special:ListGroupRights#restricted_groups (for local groups, differs from wiki to wiki) and https://meta.wikimedia.org/wiki/Special:GlobalGroupPermissions#restricted_groups (for global groups)

Mentioned in SAL (#wikimedia-operations) [2026-05-26T20:11:15Z] <alexsanford@deploy1003> alexsanford, aude: Backport for [[gerrit:1293161|Enforce 2FA requirements for phase 3 groups (T423120)]], [[gerrit:1293794|Re-enable ReadingLists survey on beta cluster (T426781)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2026-05-26T20:18:34Z] <alexsanford@deploy1003> Finished scap sync-world: Backport for [[gerrit:1293161|Enforce 2FA requirements for phase 3 groups (T423120)]], [[gerrit:1293794|Re-enable ReadingLists survey on beta cluster (T426781)]] (duration: 09m 14s)

{P92465}

I don't see this explicitly stated anywhere, but a comment above mentions 2 weeks, and there was a scap sync-world (whatever that means) on May 26. Does this mean these demotions will take effect on June 9? And is that simultaneously on all WMF projects, disregarding the normal staggered weekly deployment? (I'm not personally affected, but there was a post on the svwiki village pump about this, and I'd just like to make sure I understand the situation correctly)

In T423120#11989813, @Nirmos wrote:

I don't see this explicitly stated anywhere, but a comment above mentions 2 weeks, and there was a scap sync-world (whatever that means) on May 26. Does this mean these demotions will take effect on June 9? And is that simultaneously on all WMF projects, disregarding the normal staggered weekly deployment? (I'm not personally affected, but there was a post on the svwiki village pump about this, and I'd just like to make sure I understand the situation correctly)

About the exact date, I'll defer to @ASanford-WMF, but you can expect that demotions will happen around June 9th. The changes don't follow the normal group-based rollouts, because that schedule refers to installing new MediaWiki versions on wikis. The configuration repository (where we define group restrictions) is common for all wikis. Given that the number of affected users is not that large, we didn't decide to split the phases per usergroup and additionally per wiki.

Change #1298890 had a related patch set uploaded (by Alex.sanford; author: Alex.sanford):

[operations/mediawiki-config@master] Add 2FA enforcement demotion config for phase 3 groups

https://gerrit.wikimedia.org/r/1298890

Change #1298890 merged by jenkins-bot:

[operations/mediawiki-config@master] Add 2FA enforcement demotion config for phase 3 groups

https://gerrit.wikimedia.org/r/1298890

Mentioned in SAL (#wikimedia-operations) [2026-06-11T13:36:36Z] <alexsanford@deploy1003> Started scap sync-world: Backport for [[gerrit:1298890|Add 2FA enforcement demotion config for phase 3 groups (T423120)]]

Mentioned in SAL (#wikimedia-operations) [2026-06-11T13:38:43Z] <alexsanford@deploy1003> alexsanford: Backport for [[gerrit:1298890|Add 2FA enforcement demotion config for phase 3 groups (T423120)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2026-06-11T13:43:56Z] <alexsanford@deploy1003> Finished scap sync-world: Backport for [[gerrit:1298890|Add 2FA enforcement demotion config for phase 3 groups (T423120)]] (duration: 07m 19s)