Making WordPress.org

Opened 4 years ago

Last modified 12 months ago

#77 new enhancement

Setup two-factor authentication for privileged WordPress accounts

Reported by: iandunn
Owned by:
Milestone:
Priority: normal
Component: Login & Authentication
Keywords:


All WordPress accounts on the various community sites should be required to pass multiple auth factors when logging in, if they could potentially cause trouble in the event that they were hacked. The existing measures are great, but 2FA would provide an extra layer of protection, without placing an unreasonable burden on users.

Definitely Admins and Super Admins, but possibly also Editors. Maybe it shouldn't be mandatory for admins on individual WordCamp.org sites, but it should at least be an option.

The SSO adds a couple complicating factors here, though:

  • If there are certain sites where it isn't mandatory, there'd have to be a way to ensure that you couldn't just log in to a single-factor site and then browse over to a multi-factor site without passing the additional factor.
  • Similarly, it will also need to account for the fact that users have different roles on different sites. So, someone who's a Subscriber on site A and administrator on site B should be required to pass the second factor when logging into site B, even if they're already logged in from site A.

Google Authenticator and Duo Security are the first two that come to mind, but there may be others that would fit well. Both have existing WP plugins that could potentially be leveraged one way or another.

Another option might be to use WordPress.com Connect. That would mean relying on an external service, though, and we'd need a way to enforce that the targeted users have 2FA enabled on their account.

What else?
What other issues are there that need to be addressed?
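A minimal model of the per-site factor check the two SSO bullets above call for, added here as an illustration that is not part of the ticket or of any WordPress.org code; the site names, roles, enrolment table and the `totp` factor label are constructed assumptions:

```python
from dataclasses import dataclass, field

# Constructed policy: which roles must pass a second factor on which site.
# Individual WordCamp sites leave it optional, as the ticket suggests.
MANDATORY_2FA_ROLES = {
    "wordpress.org": {"administrator", "super_admin", "editor"},
    "make.wordpress.org": {"administrator", "super_admin", "editor"},
    "2019.seattle.wordcamp.org": set(),
}

# Constructed sample users: role per site, and whether they opted into 2FA.
USER_ROLES = {
    "alice": {"wordpress.org": "subscriber", "make.wordpress.org": "administrator"},
    "bob": {"2019.seattle.wordcamp.org": "administrator"},
}
USER_2FA_ENROLLED = {"alice": True, "bob": True, "carol": False}


@dataclass
class SsoSession:
    """One shared SSO session; records which factors it has actually passed."""
    user: str
    factors_passed: set = field(default_factory=set)  # e.g. {"password", "totp"}


def second_factor_required(user: str, site: str) -> bool:
    """Decide from the user's role on *this* site, not on the site they logged in from."""
    role = USER_ROLES.get(user, {}).get(site, "subscriber")
    if role in MANDATORY_2FA_ROLES.get(site, set()):
        return True
    # Where 2FA is optional, honour the user's own enrolment for any privileged role.
    return role != "subscriber" and USER_2FA_ENROLLED.get(user, False)


def access_decision(session: SsoSession, site: str) -> str:
    """Return 'allow', 'challenge' (prompt for the second factor now) or 'deny'."""
    if "password" not in session.factors_passed:
        return "deny"
    if second_factor_required(session.user, site) and "totp" not in session.factors_passed:
        # Session came from a single-factor site; step up before granting the privileged role.
        return "challenge"
    return "allow"
```

Because the decision is re-evaluated on every site against the role held there, a password-only session opened as a Subscriber on site A is challenged the moment it reaches a site where the same user is an administrator.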

Change History (10)

#1 @Otto42
4 years ago

Recently I've found that Duo Security does not have individual user device management capabilities. Meaning that administrator intervention is required for a user to, say, get a new phone and hook up Duo on the new device.

I'll audit the existing Google Authenticator code and see how well it works for this task. The Authenticator system is not centrally managed and thus probably a better fit.

#2 @iandunn
4 years ago

There's also WordPress.com's Google Auth implementation that we could borrow from. Let me know if you want me to send you a copy of it.

One benefit it has over the Google Auth plugin in the repo is that it only prompts for the auth code if the user has 2FA enabled on their account. That's something we'd have to modify the repo plugin to do before we could use it, otherwise users would be confused about what to do with the extra input field.

#3 @Otto42
4 years ago

@iandunn: Sure, email me a copy of that. I've been looking at the plugin in the repo and how we can improve it for generic use all-around, sort of thing.

#4 @iandunn
4 years ago

Cool, there's also a thread for updating the repo plugin so that the prompt is on a second page.

This ticket was mentioned in IRC in #wordpress-meta by sams. View the logs.

4 years ago

#6 @Otto42
4 years ago

This will be easier to do when we get more of the site running similar versions of software. Right now, we're running like 3 different bbPress versions, a couple different WordPress versions, etc. Suggest leaving this off for now until we unify more things.

#7 @samuelsidler
2 years ago

  • Priority changed from normal to high

With the 2FA feature plugin in-progress, we should probably use that.

This ticket was mentioned in Slack in #meta by ocean90. View the logs.

23 months ago

#9 @ocean90
23 months ago

  • Component changed from General to login.wordpress.org
  • Priority changed from high to normal

#10 @dd32
12 months ago

FWIW, this should go ahead even if we can't bring 2FA to SVN access immediately.
Something is better than nothing, and we can iterate on adding either an SVN token or proper 2FA challenges for commits after.
