Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enforce 2FA for privileged accounts #6

Open
4 of 9 tasks
iandunn opened this issue Nov 3, 2022 · 6 comments
Open
4 of 9 tasks

Enforce 2FA for privileged accounts #6

iandunn opened this issue Nov 3, 2022 · 6 comments
Assignees
Milestone

Comments

@iandunn
Copy link
Member

iandunn commented Nov 3, 2022

Core/Meta committers, super-admins, project leaders, committers to plugins w/ > 50k active installs, etc should be required to use 2FA of some kind. How strict we are should depend on what kind of access they have.

  • Require for super admins
  • Require for WordCamp super deputies
  • Require for WordCamp subroles
  • Disable on production for beta testing
  • Enable on production once launches for all users
  • (optional) Reorganize capes.php to make it easier to work with
  • Determine which other roles should require it
  • Require it for those roles
  • Explore the idea of encouraging (but not requiring) it for some roles - probably open a separate ticket for that

Related:

@iandunn iandunn added this to the MVP milestone Nov 3, 2022
@iandunn
Copy link
Member Author

iandunn commented Nov 3, 2022

Related: wpcom_vip_two_factor_filter_caps() from https://github.com/Automattic/vip-go-mu-plugins/blob/develop/two-factor.php

@iandunn
Copy link
Member Author

iandunn commented Nov 3, 2022

Rough idea:

  • Default is opt-in
  • Encouraged if
    • Make team representative
    • Admin on any w.org/wordcamp.org site
  • Mandatory with TOTP or hardware key+webauthn if:
    • has write access to a github.com/wordpress repo
    • plugin has more than X installs
    • theme has more than Y installs
    • wordcamp trusted deputy
  • Mandatory using hardware key + webauthn if:
    • has write access to (core|build|meta|dotorg|wordcamp|code).svn.w.org
    • w.org super admin
    • admin access to any github.com/wordpess repo
    • any other form of leadership – josepha, matt, chloe, matias, etc

Requiring a hardware key for the highest privilege group would prevent phishing. Most folks will never buy one though, so it’s important to not push it too hard. Maybe we give frequent contributors a coupon code so they can buy one on mercantile.w.org for the cost of shipping, or half price or something.

@iandunn iandunn mentioned this issue Nov 11, 2022
15 tasks
@iandunn
Copy link
Member Author

iandunn commented Nov 11, 2022

To facilitate this, we may want to reorganize capes.php, so it has a group of functions like get_core_committers(), get_meta_committers(), get_wordcamp_deputies(), etc. They'd return an array of usernames, and could be used for the existing watch/supes logic. They could also be used by this plugin to define who needs to have 2FA enabled.

@iandunn iandunn self-assigned this Nov 14, 2022
@iandunn
Copy link
Member Author

iandunn commented Nov 14, 2022

The upstream PR needs a good amount of work IMO, so in this case it might be better if we build those parts here for the MVP, and contribute them upstream later. So this would do 3 things:

  1. Check if the logged in user needs to enable 2FA
  2. Remove their capabilities. This is necessary even though we'll redirect them, because otherwise they could still perform privileged actions on the front end, via the REST API, etc
  3. Redirect them to the (front-end) page where they can enable it. The URL of that is still TBD, so we could just use the wp-admin profile for now, and update it once it exists.

@tellyworth
Copy link

Some of this belongs in later iterations IMO. Some of the underlying code probably needs to be in place (eg to avoid bypassing 2FA for accounts that have already enabled it), but 100% opt-in should be fine for the initial MVP release.

iandunn added a commit that referenced this issue Nov 30, 2022
@iandunn iandunn modified the milestones: MVP, Iteration 1 Nov 30, 2022
@iandunn
Copy link
Member Author

iandunn commented Nov 30, 2022

👍🏻 I disabled the 2FA requirement in production environments in d00ba1b, and moved this issue to the Iteration 1 milestone.

Some of the underlying code probably needs to be in place (eg to avoid bypassing 2FA for accounts that have already enabled it)

d00ba1b made 2FA opt-in, but shouldn't prevent anyone from setting it up, or using it once it's enabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants