FY25-26 Q4: Phase 3 of 2FA enforcement in Wikimedia production
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	mszwarc
	Apr 13 2026, 11:34 AM

Description

Per the timeline published on Meta-Wiki, in June 2026, the following groups will have 2FA enforced:

bureaucrat (on SUL wikis; private and fishbowl wikis will have it enabled in Phase 2)

and global groups:

abusefilter-helper (make sure that the 2FA requirement applies only to the global groups; local group with the same name shouldn't require 2FA – use scope option)
abusefilter-maintainer
founder
global-interface-editor
global-sysop
new-wikis-importer
ombuds
staff
sysadmin
u4c-member
wmf-email-block-override
wmf-researcher

Acceptance criteria

Pre-enforcement: (can be done well before)

WikimediaMessages contains relevant messages in form: userrights-restricted-group-<name> and userrights-restricted-group-<name>-private-conditions
$wgOATH2FARequiredGroupRemovalPages is properly configured to address the newly-enforced groups (only for groups that are revoked by someone else than stewards)

Enforcement:

The listed groups can be assigned only to users with 2FA enabled
The listed groups are automatically revoked from members who don't have 2FA

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Enforce 2FA requirements for phase 3 groups	operations/mediawiki-config	master	+41 -0
Add messages related to mandatory 2FA for more groups	mediawiki/extensions/WikimediaMessages	master	+79 -7
Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3	operations/mediawiki-config	master	+11 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
		Restricted Task
Open	None	T150898 Force OATHAuth (2FA) for certain user groups in Wikimedia production and Beta wikis
Open	None	T423116 FY25-26 Q4: 2FA enforcement for local and global groups in Wikimedia production
Open	None	T423120 FY25-26 Q4: Phase 3 of 2FA enforcement in Wikimedia production

Event Timeline

mszwarc created this task.Apr 13 2026, 11:34 AM

mszwarc moved this task from Inbox to Later sprints on the Product Safety and Integrity board.Apr 13 2026, 11:53 AM

mszwarc mentioned this in T391699: Add functionality to disallow bureaucrats who do not have 2fa enabled to grant certain privileged rights/groups.Apr 13 2026, 12:20 PM

Johannnes89 subscribed.Mon, Apr 27, 8:06 PM

{P92465}

Change #1286469 had a related patch set uploaded (by Alex.sanford; author: Alex.sanford):

[operations/mediawiki-config@master] Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3

https://gerrit.wikimedia.org/r/1286469

gerritbot added a project: Patch-For-Review.Tue, May 12, 7:25 PM

Change #1286469 merged by jenkins-bot:

[operations/mediawiki-config@master] Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3

https://gerrit.wikimedia.org/r/1286469

Mentioned in SAL (#wikimedia-operations) [2026-05-12T20:03:35Z] <alexsanford@deploy1003> Started scap sync-world: Backport for [[gerrit:1285905|Enforce 2FA requirements for phase 2 groups (T423119)]], [[gerrit:1286469|Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3 (T423119 T423120)]]

Mentioned in SAL (#wikimedia-operations) [2026-05-12T20:05:31Z] <alexsanford@deploy1003> alexsanford: Backport for [[gerrit:1285905|Enforce 2FA requirements for phase 2 groups (T423119)]], [[gerrit:1286469|Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3 (T423119 T423120)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2026-05-12T20:15:22Z] <alexsanford@deploy1003> Finished scap sync-world: Backport for [[gerrit:1285905|Enforce 2FA requirements for phase 2 groups (T423119)]], [[gerrit:1286469|Prepare $wgOATH2FARequiredGroupRemovalPages for phases 2 and 3 (T423119 T423120)]] (duration: 11m 47s)

Maintenance_bot removed a project: Patch-For-Review.Tue, May 12, 8:31 PM

ASanford-WMF updated the task description. (Show Details)Wed, May 13, 2:15 PM

Change #1287453 had a related patch set uploaded (by Alex.sanford; author: Alex.sanford):

[mediawiki/extensions/WikimediaMessages@master] Add messages related to mandatory 2FA for more groups

https://gerrit.wikimedia.org/r/1287453

gerritbot added a project: Patch-For-Review.Thu, May 14, 5:17 PM

Change #1287453 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Add messages related to mandatory 2FA for more groups

https://gerrit.wikimedia.org/r/1287453

ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.3; 2026-05-19).Fri, May 15, 1:00 AM

Maintenance_bot removed a project: Patch-For-Review.Fri, May 15, 1:30 AM

ASanford-WMF updated the task description. (Show Details)Fri, May 15, 1:23 PM

Change #1293161 had a related patch set uploaded (by Alex.sanford; author: Alex.sanford):

[operations/mediawiki-config@master] Enforce 2FA requirements for phase 3 groups

https://gerrit.wikimedia.org/r/1293161

gerritbot added a project: Patch-For-Review.Mon, May 25, 8:12 PM

Izno subscribed.Tue, May 26, 12:58 AM

FY25-26 Q4: Phase 3 of 2FA enforcement in Wikimedia productionOpen, Needs TriagePublicActions