Wikipedia:Bureaucrats' noticeboard

Bureaucrats' noticeboard archives

1, 2, 3, 4, 5, 6, 7, 8, 9, 10 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 21, 22, 23, 24, 25, 26, 27, 28, 29, 30 31, 32, 33, 34, 35, 36, 37, 38, 39, 40 41, 42, 43, 44, 45, 46, 47, 48, 49

This page has archives. Sections older than 5 days may be automatically archived by Lowercase sigmabot III.

The Bureaucrats' noticeboard is a place where items related to the Bureaucrats can be discussed and coordinated. Any user is welcome to leave a message or join the discussion here. Please start a new section for each topic.

This is not a forum for grievances. It is a specific noticeboard addressing Bureaucrat-related issues. If you want to know more about an action by a particular bureaucrat, you should first raise the matter with them on their talk page. Please stay on topic, remain civil, and remember to assume good faith. Take extraneous comments or threads to relevant talk pages.

If you are here to report that an RFA or an RFB is "overdue" or "expired", please wait at least 12 hours from the scheduled end time before making a post here about it. There are a fair number of active bureaucrats; and an eye is being kept on the time remaining on these discussions. Thank you for your patience.

To request that your administrator status be removed, initiate a new section below.

Crat tasks
RfAs	1
RfBs	0
Overdue RfBs	0
Overdue RfAs	0
BRFAs	10
Approved BRFAs	0

Requests for adminship and bureaucratship update

RfA candidate	S	O	N	S %	Status	Ending (UTC)	Time left	Dups?	Report
DreamRimmer	8	3	0	73	Open	10:02, 4 June 2024	4 days, 23 hours	no	report

It is 10:14:47 on May 30, 2024, according to the server's time and date.

• AuburnPilot (current rights · rights management · rights log (local) · rights log (global/meta) · block log)

Hello, all! At some point I apparently added two-factor authentication to my main account, though I don't honestly recall doing it. As such, I don't have a means to obtain authentication codes and no longer have access to my admin account. I'm not sure what the procedure is in this situation, but I don't expect I'll ever be able to access the account again, so it might be best to remove the admin bit. Otherwise, I suppose it'll be removed eventually due to inactivity. I have email enabled on both accounts if some verification is needed. Best, --auburnpilot's sock 19:31, 11 November 2017 (UTC)[reply]

• I think this is a Phabricator thing, not a bureaucrat one. Given this diff we can be certain that User:AuburnPiIot is the same person as User:AuburnPilot. Jo-Jo Eumerus (talk, contributions) 20:03, 11 November 2017 (UTC)[reply]
• I've temporary removed +sysop, per your request above. There are a few options, will reply below in a moment. — xaosflux ^Talk 00:07, 12 November 2017 (UTC)[reply]
• Options:
  1. Verify this is actually a 2FA issue
     1. Are you successfully logging in with your password, but then getting the 2FA prompt?
  2. Regain control of your 2FA account
     1. Consider what device(s) you may have enrolled in 2FA with and see if they still have authentication clients on them
     2. Enrolling in 2FA includes a generation of "scratch codes" - perhaps you wrote these down somewhere as it asked you to
  3. Establish strong support that your alt account is under control of the same person that had control of your admin account - then:
     1. We could move your admin access to another account
     2. You could petition a developer to remove your 2FA configuration : This is generally not supported (c.f. phab:T85706), but is technically possible.
        1. Example ticket phab:T168779,

— xaosflux ^Talk 00:12, 12 November 2017 (UTC)[reply]

Thanks for the quick response! It's definitely a 2FA issue as I'm getting asked for a verification code when logging into the site. Unfortunately, the device I would have used at the time was issued by the company I previously worked for and is no longer in my possession (wiped clean and returned upon leaving the company about 5 months ago).

As for proving the connection between accounts, I'm sure there are several people I've been in contact with off project who could confirm and I have no issue with a CU comparing IPs. I also provided a committed identity at some point in the past. It should be in the deleted history of the userpage for my main account (now to remember the string! haha). Thanks! --auburnpilot's sock 03:03, 12 November 2017 (UTC)[reply]

OK, so that clears #1, and #2. Assuming you want to be an admin again, #3 will be needed, do you want to go for the move to a new account or beg a dev route? Your deleted CI begins with "c0e6" and was from 2007 - this would be useful for either. — xaosflux ^Talk 03:24, 12 November 2017 (UTC)[reply]

Checkuser needed - QCU request placed to request comparison while there is current data. — xaosflux ^Talk 15:45, 12 November 2017 (UTC)[reply]

• I have AuburnPilot and AuburnPiIot on the same IP with the same UA. There is one anon edit to reset the password for the alt account. I believe this is indeed AuburnPilot. :-) Katie^talk 16:22, 12 November 2017 (UTC)[reply]

Thank you KrakatoaKatie - next step is up to AuburnPilot. — xaosflux ^Talk 16:24, 12 November 2017 (UTC)[reply]

Move access

From: AuburnPilot

To: AuburnPiIot

Thanks again, all! By random chance, my admin account was still logged in on the PC in my home office, but I'm still unable to disable the two factor authentication since I can't generate a code. Once this login token expires, I'll be right back in the same spot. It seems like the easiest option would be to simply move the admin access to a different account. Xaosflux: do you think it would be too confusing to flip the bit on the sock account (User:AuburnPiIot) I was using above? Thanks, --auburnpilot talk 23:14, 14 November 2017 (UTC)[reply]

• That is possible - standard 24 hour hold for community comments. — xaosflux ^Talk 00:51, 15 November 2017 (UTC)[reply]
• No issues with this at all I think we can file this under purely routine housekeeping. With 2FA this sort of thing is going to happen from time to time. Because my 2FA is limited to a single device I am always worrying that if something were to happen to it I might get locked out. To that end I have the emergency log in codes in a separate place and I created another account w/o administrator rights so I could log in in case I did not have immediate access to my computer. -Ad Orientem (talk) 02:10, 15 November 2017 (UTC)[reply]

  @Ad Orientem: if you saved your initial two-factor secret key (or re-register and get a new one) you can activate your 2FA on multiple devices. Storing those scratch codes securely is wise! — xaosflux ^Talk 04:33, 15 November 2017 (UTC)[reply]

• Responding to advertisement at WP:AN, no issues as well. AuburnPilot has confirmed that this is them using the original account and by CU. ansh666 03:39, 15 November 2017 (UTC)[reply]
• No concerns. TonyBallioni (talk) 03:43, 15 November 2017 (UTC)[reply]
  • While asking a dev to disable 2FA is an option, I actually think the preferable option is a transfer of rights. I get the scrutiny part, but we should not make it a practice to recommend dev's undoing 2FA, even when CU confirms that the accounts are the same. It is meant to be difficult to break for security reasons, and setting as a principle that we do not disable it except under very rare circumstances beyond the person's control would be a good thing. Since this is also the preference of AuburnPilot, we should just transfer the access between accounts. TonyBallioni (talk) 15:43, 15 November 2017 (UTC)[reply]
• No concerns - any account which can prove themselves to be the same person may ask to have the rights transfered to it. We approve the person at RFA, not the account. עוד מישהו Od Mishehu 08:19, 15 November 2017 (UTC)[reply]
• No worries about this, but we do need a better way of dealing with lost 2fa and transferring 2fa to a new device. It's there anything in phab already related to this? GoldenRing (talk) 08:32, 15 November 2017 (UTC)[reply]

  Does not seem to be the case.--Ymblanter (talk) 08:38, 15 November 2017 (UTC)[reply]

  Transferring 2FA to another device is not hard. I've done it multiple times with my device. It's just that people don't always remember to do so. This is WHY the instructions tell you to print and safeguard the scratch codes, which provides further evidence that people don't read instructions. :) phab:T100375 and related tickets capture some of the problems with regard to problems and the recovery processes. There are also several community wishlist proposals on the topic of 2FA, which I encourage you to vote for when the voting process begins. —TheDJ (talk • contribs) 12:37, 15 November 2017 (UTC)[reply]

  @TheDJ: I recently went through four phones in about a month (due to a series of ridiculous incidents involving badminton, OTA updates and alcohol). Each time, I had to disable 2FA and re-enable it to transfer from one phone to another. Unless I missed something in the process, disabling and re-enabling 2FA makes all your existing scratch codes useless and it generates you a new set. So every time you want to move to a new device, you have to redo your scratch code storage.

  Other providers who use 2FA have a way of transferring code generation from one device to another, so long as you both know the password and have either a scratch code or a working code generator. GoldenRing (talk) 13:54, 16 November 2017 (UTC)[reply]

  @GoldenRing: you should be able to store and reuse your 2FA secret to add additional devices. What is difficult is that it is only shown during enrollment. — xaosflux ^Talk 14:13, 16 November 2017 (UTC)[reply]

• No concerns. Boing! said Zebedee (talk) 13:46, 15 November 2017 (UTC)[reply]
• No concerns. Except for the detestable blue and orange in the editor's sig. Tiderolls 13:54, 15 November 2017 (UTC)[reply]
• Recovering/disabling the 2FA seems like a better option to me, otherwise no concerns. Κσυπ Cyp   14:32, 15 November 2017 (UTC)[reply]
• No concerns, although getting dev to disable the 2FA does seem like a better option because of the history. Being an admin, this is likely more important than not, for the ease of researching past actions, etc. I would strongly prefer the dev route if possible. Dennis Brown - 2¢ 15:32, 15 November 2017 (UTC)[reply]
• Ha, AuburnPilot is still around! NO BLOCK AND DESYSOP JUST TO PISS HIM OFF AND RESTORE AFTER IRON BOWL! Bwahaha. Also, this has me worried a little bit--if I have a similar screw-up I'm not sure what I would do. Drmies (talk) 15:41, 15 November 2017 (UTC)[reply]
  • @Drmies: it worries me also. Make sure you have copies of your scratch codes, and I'd say if you need to use one, you should then turn of 2FA and do it again, getting new scratch codes. That may be being over cautious, but no one wishes to lose their account. Doug Weller talk 17:26, 15 November 2017 (UTC)[reply]
    • Doug, I don't even remember what "scratch codes" were, precisely. I think I may have something saved on my computer at home, maybe. Drmies (talk) 17:33, 15 November 2017 (UTC)[reply]
      • Drmies if u dont have them, simply disable 2FA and enroll once more —TheDJ (talk • contribs) 17:38, 15 November 2017 (UTC)[reply]
        • ...though after all that bother, this ticket is a little concerning! GoldenRing (talk) 13:58, 16 November 2017 (UTC)[reply]
  • Support 2-way I-ban for Tide rolls/Drmies (clearly socks) and AuburnPiIot due to...irreconcilable differences ;) ansh666 19:48, 15 November 2017 (UTC)[reply]
    • ansh, I'm sorry I just blocked your little brother. Drmies (talk) 19:51, 15 November 2017 (UTC)[reply]
    • Confession: I may hold a degree from the greatest university in the state of Alabama, but I will forever be a Bama fan thanks to being raised by parents and siblings who graduated from UA. I was definitely the guy going to class on Auburn's campus wearing a hat signed by Gene Stallings. --auburnpilot's sock 21:29, 15 November 2017 (UTC)[reply]
• No Concern and I'd suggest that we probably have enough comments above for the rights to be switched now. Pedro :  Chat  17:48, 15 November 2017 (UTC)[reply]
• Concern as a matter of procedure. I would prefer that AuburnPilot recovers their original account through Phabricator. The Wikimedia Foundation has technical staff with a lot more tools at their disposal than what CheckUsers have to determine if the original owner is in control of the account. Why not leave this to the experts? Now, I am sure that AuburnPilot and AuburnPiIot are the same person. I just don't think that a vote of random community members is how this sort of case should be handled. -- Ajraddatz (talk) 20:58, 15 November 2017 (UTC)[reply]
• Thanks to everyone who has taken the time to comment! I haven't been too active recently but it's good to be back around the site. Reading all the comments above, I see some concerns regarding admin access being moved from one account to another. My preference is simply for whatever is easier for those required to do the work cleaning up my mistake in not maintaining the authentication access for the account. From my chair, it seems easier to move the access but I'm not familiar with Phabricator and haven't the slightest clue if the devs would be willing to remove 2FA. Regardless, I'm open to whatever option requires the least inconvenience on others! Best, --auburnpilot's sock 21:20, 15 November 2017 (UTC)[reply]

  I think it's just me concerned with moving the access. Moving access is certainly the easier option, and there is clear consensus here for that to happen. But I still feel that account security issues should be handled by the people who are paid to handle account security issues, rather than decided by a vote of 15 people with limited access to the information required to make an informed comment on the situation. -- Ajraddatz (talk) 21:49, 15 November 2017 (UTC)[reply]

• @AuburnPilot: would you please open a phab ticket to request a 2FA disabled, reference this conversation. Should it be delayed or refused, access moving is still on the table. — xaosflux ^Talk 23:54, 15 November 2017 (UTC)[reply]
  • Done (phab:T180654). --auburnpilot talk 00:44, 16 November 2017 (UTC)[reply]
  • @Xaosflux: 2FA disabled. --auburnpilot talk 01:04, 16 November 2017 (UTC)[reply]
•  Done @AuburnPilot: as there has been plenty of time and you have successfully recovered your account I've restored your prior +sysop bit, the move is no longer needed. @Ajraddatz: and @Cyp: your process points are important, but I think they are bigger than enwiki. Other then phab:T85706 a meta: discussion may be the place to drive this forward, as it is a global issue. — xaosflux ^Talk 03:06, 16 November 2017 (UTC)[reply]

FYI

I dropped the sysop bit for a while and this automatically removed 2FA (which is not enabled for ordinary users). So all that's actually needed if this happens again I think is to desysop, gain access to the account and request resysop, then set up a new 2FA. That's what happened for me, anyway. The original 2FA token was no longer usable. Guy (Help!) 13:00, 17 November 2017 (UTC)[reply]

@JzG: removing a group from a single project should not deactivate your global 2FA setting. Are you sure this is what happened? When was it? I can go test on test2 later to see if it is a bug. — xaosflux ^Talk 13:44, 17 November 2017 (UTC)[reply]

Pretty confident, yes - but I have no advanced rights anywhere else. Guy (Help!) 15:53, 17 November 2017 (UTC)[reply]

Just FYI - I just went through the entire process with my alt account User:Xaosflux_ep via test2wiki: Made it an admin; had it enroll in 2FA; removed admin access :: 2FA did not get removed based on this change. The account was still able to unenroll using the normal process. 2FA is 'enabled' for all users, but 2FA 'enrollment' is not available for all users. @JzG: the symptom you reported is unexpected. — xaosflux ^Talk 16:10, 17 November 2017 (UTC)[reply]

Guess I'm special :-) Guy (Help!) 17:37, 17 November 2017 (UTC)[reply]

I'm sad to have to ask this but I'm not realistically going to have enough free time in at least the next couple years to be really active here and I don't want to potentially create a problem for the site. I just saw the bot's notification that I haven't been active in a year and I think that's as good a sign as any that I should give them up. I realize I can probably do so myself, but honestly I can't remember how. . :-) I've already updated my user page accordingly. Thanks for your help! Thingg^⊕⊗ 13:01, 17 November 2017 (UTC)[reply]

I object =( –xeno^talk 13:04, 17 November 2017 (UTC)[reply]

 Done Thank you for your service. If you come back before too long you can stop by here to reactivate. — xaosflux ^Talk 13:39, 17 November 2017 (UTC)[reply]