User:Risker/Sandbox99

When it comes to 2FA, people need to understand what MediaWiki is offering. Right now, it's not anywhere near state-of-the-art; it was written by a former WMF employee and is now maintained by a mix of staff and volunteers, none of whom are responsible for the long-range development of the extension. The WMF is already taking steps to make its use *required* without taking any responsibility for it. That's well below the standard any of us should expect for security software. In order for it to be a proper fit for the worldwide, diverse movement it is intended to support, the following steps can and should be taken:

1. A WMF department needs to take ownership of the extension, and take responsibility for its ongoing development, improvement, maintenance and user support.
2. It needs to be modified so that it stands alone, without requiring the user to install software or use specific hardware. That is, it shouldn't be dependent on using the right computer or on having two pieces of electronics, such as a computer and a smartphone.
3. The WMF needs to commit resources to ensuring that there is 24/7, easily reached user support. Right now, there is no clear pathway to obtaining support. This becomes increasingly important as more and more users with limited technical proficiency, and/or who don't have a personal point of contact high up in the WMF technical support system, are pushed to use 2FA. It should be assigned to people who can see a user through the entire process, all the way from communicating with users to resetting passwords/2FA.
4. Generation of scratch codes needs to be easy, and possible without disabling 2FA, as the current software requires. After all, if 2FA is mandatory, the user can't disable it in order to generate new scratch codes.
5. It needs to work in a simple and streamlined way for users who do most of their work from phones.
6. It needs to be a no-cost solution. Any user should be able to use it anywhere in the world without worrying about hardware costs, software costs, or data/texting/SMS costs. They need to be able to use it on any computer at any time, anywhere, provided they have an internet connection. It must not depend in any way on mobile phone networks.

These things are all possible. They are, however, entirely dependent on the WMF taking the bull by the horns and redesigning the 2FA system so that it is streamlined, cost-free, easy to use and well-supported. When the WMF has over 100 software developers on staff, and their own Security department is urging the use of 2FA, there's really no excuse not to do this.

And frankly... I don't really see much point in requiring admins to have 2FA when we don't even require them to have a durable email address attached to their account.