WP:Bureaucrats' noticeboard#Questions for the 'crats

Hello team. Now that phab:T265726 has been delivered, you will be able to use Special:VerifyOATHForUser. A couple of notes:

1. Using this tool requires elevated security, meaning you will likely be requested to log back on to use it (don't try it if you aren't somewhere you can log on, or you may be logged out).
2. Use of this tool is logged
3. Another user's 2FA enrollment status is considered sensitive, and should not be publicly shared

When would you ever use this? The primary use case would be if someone applies for interface-admin, you can use this tool to verify they meet the global requirement of being activated for 2FA prior to issuing access. If they do not, you can privately refer them to the enrollment process (WP:2FA locally).

Best regards, — xaosflux ^Talk 16:54, 2 July 2025 (UTC)

:I see that use of this tool is limited to bureaucrats. Are 'crats signatories to the ANPDP? Ivanvector (^Talk/_Edits) 16:59, 2 July 2025 (UTC)

::Not necessarily, however WMF Privacy and Legal determined that this was appropriate. 2FA status isn't quite considered "private", as it does not contain any identifying information. It is sensitive, in that it is security related. — xaosflux ^Talk 17:01, 2 July 2025 (UTC)

:::I should note that it's covered at wmf:Policy:Wikimedia Foundation Access to Nonpublic Personal Data Policy/Exceptions. {{tq|Bureaucrats are permitted to access account two-factor authentication (2FA) status to verify whether other users have enabled 2FA prior to being added to groups that require 2FA. Bureaucrats are not covered under the Access to nonpublic personal data policy, but are nonetheless expected to use and disclose account 2FA status only when necessary.}} EggRoll97 ^(talk) 17:16, 3 July 2025 (UTC)

::::Yup, that and other ANPDP tweaks were with the lawyers for a very long time. — xaosflux ^Talk 11:05, 6 July 2025 (UTC)

::And as far why bureaucrats, the primary use case is in checking before issuing sensitive groups, a task available to that group. (Stewards already use this for global requests). — xaosflux ^Talk 17:05, 2 July 2025 (UTC)

:::Should we add a link to {{t|rfplinks}} so that it shows up on this page when used? Primefac (talk) 22:29, 4 July 2025 (UTC)

::::Seems fine if someone wants to. Users without access to it will just get a permission died issue, in some cases 'crats may get logged out if they click it and then don't complete the log on. — xaosflux ^Talk 11:05, 6 July 2025 (UTC)

:Does the information they can see with this tool contain anything beyond a boolean yes/no flag for whether the user is 2FA-enabled? (E.g. does it show them the phone number used for 2FA or some such thing?) If it's just a boolean answer (and they can't see any personal information), then okay, the policy makes sense. (You don't want, say, a list of admins who are not 2FA to be disclosed because that presents bad actors with a list of accounts to attempt to compromise.) But if they can see anything more than a boolean, then there needs to be at least as much vetting as someone who has access to OTRS. --B (talk) 01:59, 9 July 2025 (UTC)

::No, it is boolean. It only outputs either the contents of: MediaWiki:Oathauth-verify-disabled or MediaWiki:Oathauth-verify-enabled. Note: we don't have SMS 2FA, so we can't collect phone numbers for that regardless. — xaosflux ^Talk 09:21, 11 July 2025 (UTC)

Per the outcome of Wikipedia:Administrator recall/Bbb23, which closed 30 days ago, I have removed the administrative rights of User:Bbb23. 28bytes (talk) 07:35, 6 July 2025 (UTC)

:That's sad but, given the recall process, I guess inevitable. Liz ^{Read! Talk!} 05:01, 11 July 2025 (UTC)

:{{rfplinks|Beeblebrox}}

With all the effort I have put in over the years regarding inactive admins, I have to admit to now having become one myself. Rather than wait for the inactivity desysop months or years from now I'd rather just have it removed now. Thanks. Beeblebrox ^Beebletalks 17:49, 11 July 2025 (UTC)

:Thank you for your service. – robertsky (talk) 17:56, 11 July 2025 (UTC)

:{{done}} thank you for you prior service, if you need any other flags let me know. — xaosflux ^Talk 18:05, 11 July 2025 (UTC)

:Thanks, Beebs. ScottishFinnishRadish (talk) 18:11, 11 July 2025 (UTC)

:Hope to see you back to pick up the tools again some day @Beeblebrox, thanks for everything you've done. Hey man im josh (talk) 18:21, 11 July 2025 (UTC)

:I'm sorry to see this. Thanks for your service, and I hope to see you return. Vanamonde93 (talk) 19:10, 11 July 2025 (UTC)

:[Bishzilla stuffs the little Beebs in her pocket. bishzilla _ROARR!! pocket 19:40, 11 July 2025 (UTC).'']

:Sorry to read this but happy for you man; youve been a brick of sense. Ceoil (talk) 22:16, 11 July 2025 (UTC)

{{rfplinks|David Gerard}}

I'm quitting my bit. Please remove admin powers from my User:David Gerard account. If I ever want it back, I'll do it via RFA. - David Gerard (talk) 18:10, 12 July 2025 (UTC)

:For future reference: Wikipedia:Administrator recall/David Gerard was initiated ~18 hours before this request. Thryduulf (talk) 18:19, 12 July 2025 (UTC)

::{{done}}. Primefac (talk) 19:05, 12 July 2025 (UTC)

:Thank you for your service. Gråbergs Gråa Sång (talk) 19:26, 12 July 2025 (UTC)

:{{ping|David Gerard}} Do you still require edit filter management tools? (You had previously worked on [https://en.wikipedia.org/wiki/Special:Log?type=abusefilter&user=David_Gerard&page=&wpdate=&tagfilter=&wpfilters%5B%5D=newusers&wpFormIdentifier=logeventslist filter 869]). — xaosflux ^Talk 16:19, 13 July 2025 (UTC)