This page has archives. Sections older than 7 days may be automatically archived by Lowercase sigmabot III.
For sensitive matters, you may contact an individual bureaucrat directly by e-mail.
The Bureaucrats' noticeboard is a place where items related to the Bureaucrats can be discussed and coordinated. Any user is welcome to leave a message or join the discussion here. Please start a new section for each topic.
This is not a forum for grievances. It is a specific noticeboard addressing Bureaucrat-related issues. If you want to know more about an action by a particular bureaucrat, you should first raise the matter with them on their talk page. Please stay on topic, remain civil, and remember to assume good faith. Take extraneous comments or threads to relevant talk pages.
If you are here to report that an RFA or an RFB is "overdue" or "expired", please wait at least 12 hours from the scheduled end time before making a post here about it. There are a fair number of active bureaucrats; and an eye is being kept on the time remaining on these discussions. Thank you for your patience.
To request that your administrator status be removed, initiate a new section below.
It is 04:09:14 on July 9, 2025, according to the server's time and date.
2FA Checking
Hello team. Now that phab:T265726 has been delivered, you will be able to use Special:VerifyOATHForUser. A couple of notes:
- Using this tool requires elevated security, meaning you will likely be requested to log back on to use it (don't try it if you aren't somewhere you can log on, or you may be logged out).
- Use of this tool is logged
- Another user's 2FA enrollment status is considered sensitive, and should not be publicly shared
When would you ever use this? The primary use case would be if someone applies for interface-admin, you can use this tool to verify they meet the global requirement of being activated for 2FA prior to issuing access. If they do not, you can privately refer them to the enrollment process (WP:2FA locally).
Best regards, — xaosflux Talk 16:54, 2 July 2025 (UTC)
- I see that use of this tool is limited to bureaucrats. Are 'crats signatories to the ANPDP? Ivanvector (Talk/Edits) 16:59, 2 July 2025 (UTC)
- Not necessarily, however WMF Privacy and Legal determined that this was appropriate. 2FA status isn't quite considered "private", as it does not contain any identifying information. It is sensitive, in that it is security related. — xaosflux Talk 17:01, 2 July 2025 (UTC)
- I should note that it's covered at wmf:Policy:Wikimedia Foundation Access to Nonpublic Personal Data Policy/Exceptions.
Bureaucrats are permitted to access account two-factor authentication (2FA) status to verify whether other users have enabled 2FA prior to being added to groups that require 2FA. Bureaucrats are not covered under the Access to nonpublic personal data policy, but are nonetheless expected to use and disclose account 2FA status only when necessary.
EggRoll97 (talk) 17:16, 3 July 2025 (UTC)
- Yup, that and other ANPDP tweaks were with the lawyers for a very long time. — xaosflux Talk 11:05, 6 July 2025 (UTC)
- And as for why bureaucrats, the primary use case is in checking before issuing sensitive groups, a task available to that group. (Stewards already use this for global requests). — xaosflux Talk 17:05, 2 July 2025 (UTC)
- Should we add a link to {{rfplinks}} so that it shows up on this page when used? Primefac (talk) 22:29, 4 July 2025 (UTC)
- Seems fine if someone wants to. Users without access to it will just get a permission denied issue, in some cases 'crats may get logged out if they click it and then don't complete the log on. — xaosflux Talk 11:05, 6 July 2025 (UTC)
- Does the information they can see with this tool contain anything beyond a boolean yes/no flag for whether the user is 2FA-enabled? (E.g. does it show them the phone number used for 2FA or some such thing?) If it's just a boolean answer (and they can't see any personal information), then okay, the policy makes sense. (You don't want, say, a list of admins who are not 2FA to be disclosed because that presents bad actors with a list of accounts to attempt to compromise.) But if they can see anything more than a boolean, then there needs to be at least as much vetting as someone who has access to OTRS. --B (talk) 01:59, 9 July 2025 (UTC)
Wikipedia:Administrator recall/Bbb23
Per the outcome of Wikipedia:Administrator recall/Bbb23, which closed 30 days ago, I have removed the administrative rights of User:Bbb23. 28bytes (talk) 07:35, 6 July 2025 (UTC)