Closed Bug 1473269 Opened 6 years ago Closed 6 years ago

Do not require MFA to be enabled on Bugzilla to use Phabricator

Categories: Conduit :: Phabricator, enhancement
Type: enhancement
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: Fallen, Unassigned

Details

Given that Phabricator/Lando will allow access to features that should require enhanced security precautions, it is clear that we need MFA. We currently delegate auth to Bugzilla, which means that to use Phabricator, MFA needs to be enabled on Bugzilla. As a result, a few community members have voiced concerns that they do not want to use Phabricator because they do not want to enable MFA on Bugzilla. The reasoning is that they are not always logged in to Bugzilla on all devices they use, and they would have to find and use their MFA keys just to make a comment on a bug. It would be great if we could do something to not require MFA on Bugzilla, possibly allowing for a configuration where MFA can be enabled only for use of Phabricator.
I understand the concerns; however, I think this is a wontfix. The implications of this request, if fulfilled, are wider in reach than you may initially think (particularly around administration and support). That said, it's on our agenda for this week's team meeting to discuss; we'll let you know the outcome.
This was discussed; we will reach out to contributor engagement to gather more information before making a decision.
Thanks for going the extra mile to resolve this, looking forward to their input and your decision!
I talked to Mike Hoye, Engineering Community Manager. This is the consensus we reached: First, anyone using Phabricator is authoring patches, reviewing patches, and/or accessing confidential patches. As noted, we feel MFA is a reasonable burden for these people given the importance of maintaining secure processes in the development of Firefox and other Mozilla apps. Second, given that Bugzilla is coupled to Phabricator, and a lot of important discussion around bugs and solutions also happens in Bugzilla, including confidential discussions, anyone involved in the above activities on Phabricator should also have equal protections when accessing Bugzilla. Thus we're going to leave the auth system as it is presently. If there are any specific community members who have voiced concerns, please direct them to Mike Hoye, who can work with them to best solve their issues.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Will do, thank you for considering, as well as the thorough explanation!
Hi, I'm the Thunderbird sheriff. I land patches for Thunderbird, mostly using Splinter so far and |hg qimport bz:xxx|. Today I tried to set up "hg phabread" according to https://www.mercurial-scm.org/wiki/Phabricator#Setting_up_hg. I managed to get everything going (had to upgrade Mercurial to 4.7.1 to be compatible with their phabricator.py). In the end I can't use "hg phabread" since it requires a token that I can only obtain after logging in to Phabricator, which I can't since my BMO account has no MFA, and I prefer it to stay that way since it's important for me to have access on all sorts of devices away from the office. I tried "Lando" and surprisingly enough it allowed me to land a patch using LDAP Level 3 access. Can you please explain the logic to me:
- I can access a non-secure bug and import the raw diff, which I can then equip with a header and land.
- I can use Lando.
- I cannot use "hg phabread".
I've read comment #4, but the comparison above doesn't appear to have logic. Another question: Will all Firefox volunteers submitting patches in Phabricator now require BMO MFA? That seems like a huge drawback. Or am I missing something?
Flags: needinfo?(mcote)
Ah well, I switched BMO MFA on, all working now, I already have FreeOTP for LDAP auth. Might be a hurdle for the average contributor to submit a simple (first) patch.
Flags: needinfo?(mcote)
I agree (as an external, somewhat long-time contributor) that it's confusing. I tried to 'enable' my Phabricator account linked to Bugzilla (since I'm afraid at some point it'll be a hard requirement to send patches..), for which I had to enable MFA in Bugzilla (to my understanding at that point, this was just needed for Phabricator, but at least there's FreeOTP in F-Droid), and the next time I tried logging in to Bugzilla on another machine, it *required* me to use MFA again, so I had to reach for my device, enable wifi on it, get the code, etc... cumbersome, I'd say. Oh well, this is 2018...
I love Phabricator, and I think your integration with Bugzilla is really great. Congratulations for me. I'd love to use phab for Mozilla reviews. But a number of reviewers are reluctant to use it, because it requires 2-factor auth to be enabled in Bugzilla. That's a real obstacle for them. If they need to change their way of working (or of logging in) just for me and for my review or just for phab, they won't do it. This really hinders adoption of phab. There are reasons why one would not want 2FA: one of my reviewers doesn't have any smartphone. I myself have too many and never the same one. I need to have 2FA in Bugzilla for security bugs, and it's a real problem in practice. I am very often blocked from responding on Bugzilla (to non-security bugs), because I can't authenticate. There will *never* be any single device that I have in every circumstance, so the whole idea of "tie login to some hardware" doesn't work for me, inherently. Jörg expressed a similar notion in comment 6. Maybe it would help to have a more fine-grained system that only requires 2FA to see secret diffs that would also require 2FA in Bugzilla. I would just like to use Phab. Right now, I cannot. This bug here is one reason.
I switched BMO's MFA on in early September 2018 and it's been a pleasant surprise. It's minimally intrusive. I've perhaps had to use FreeOTP (a felt) five times, once last Saturday when we all got logged out, once on a new device, once at the start with and perhaps twice more. I was assured you can switch it off if you switched it on voluntarily, so give it a try.
I do have 2FA turned on in Bugzilla, involuntarily, for Thunderbird security bugs. And it has been one reason why I often could not respond to bugmail that I read on my phone, so it did very concretely reduce my contributions. I didn't do a number of review comments just because of my inability to log in to Bugzilla. I can actually use Phab, and I do. I just find that my reviewers don't want to use it for this reason. Thus my feedback here. It's not my personal peeve. I am only trying to help wider Phab adoption; that's my only goal.
As a related aside, fixing bug 1407897 would help some people (eliminate the need to have/to carry a smartphone), and have the added benefit of protecting against spear-phishing.
See Also: → 1407897
Suggestion: 2FA appears to be mostly against people who remember and consequently re-use passwords. If phab (or Bugzilla) was to *assign* strong passwords to developers, instead of accepting an entered password, it would resolve most of the problems. Not everything, but probably "good enough". I don't think any dev would oppose that. It would be a good compromise.
(In reply to Ben Bucksch (:BenB) from comment #13)
> Suggestion: 2FA appears to be mostly against people who remember and
> consequently re-use passwords.

That may or may not be the primary concern, but I bet also of concern are spear-phishing and MITM attacks (e.g. due to dismissing a security warning, or due to a rogue/hacked cert authority). Spear-phishing is getting so advanced nowadays that even security pros are being taken in, and if people are reusing passwords we should probably also worry about them bypassing cert warnings. Then there's also being observed entering your password (e.g. "shoulder-surfing", perhaps via CCTV in an internet cafe or other types of recording in other places), malware, etc.

> If phab (or bugzilla) was to *assign* strong
> passwords to developers, instead of accepting an entered password, it would
> resolve most of the problems. Not everything, but probably "good enough". I
> don't think any dev would oppose that.

I'm not sure this is true either. This implies using a password manager, and you still get people arguing against password managers (perhaps validly in the case of LastPass), or arguing that [the one they would favor] is too cumbersome to use when you have multiple devices.
> I bet also of concern are spear-phishing and mitm attacks

Then bug 1500618 is a real concern.

> there's also being observed entering your password

And there are phones with your 2FA key being lost and stolen, so that's actually worse than a strong password.