Personally I think its a reasonable risk relative to the benefits of comvincing more admins to enable 2fa. (However please hive a chance for other security team members to comment before doing it)

Dont release the status of which admins have it enabled.

@Bawolff will do, I can't personally run the query so I'll ask whoever does just to read through this (providing the comments from other members of the team are positive) and only return a percentage

Ugh. How would we even query this? Either it's a query across multiple dbservers to get to the centralauth db...

Or we do it on user preferences? Else writing a maintenance script

I think it's reasonable to do; it doesn't show any personally identifiable data

@Jalexander Any comments from your end about "releasing"/publicising this information if we get it? :)

In T157500#3009105, @Reedy wrote:

Ugh. How would we even query this? Either it's a query across multiple dbservers to get to the centralauth db...

Or we do it on user preferences? Else writing a maintenance script

I think it's reasonable to do; it doesn't show any personally identifiable data

@Jalexander Any comments from your end about "releasing"/publicising this information if we get it? :)

As long as there is no way to figure out 'who' doesn't have it I think its a reasonable risk. That would mostly mean percentage only and large wikis only (if others ask) because the smaller the wiki is the more of a problem that becomes.

This is a duplicate of T150589: Write a script to gather statistics on 2FA usage among functionaries (we should probably make that public now).

@Legoktm helpful! :-D either way, good to know it's been discussed/looked at elsewhere as well!

Thank you all for your comments. Am I right in summarising this discussion as ?

Yes I think so, presumably with some minimum number of admins on the wiki.

Personally I'm only interested in (and thus will only be requesting) the English Wikipedia

How about this plan. I can run a query for English Wikipedia and if it proves useful we can talk about looking at the other wikis and doing the analysis over time, as we see fit and the data indicates.

Sounds great :-)

Ok, results. 203 out of 1274 admins on english wikipedia have enabled two-factor auth. Let's make sure I did the numbers right. I assumed the following:

• if someone has two-factor authentication enabled, their gu_id from globaluser will be found in centralauth.oathauth_users
• I can join enwiki.user to centralauth.globaluser by user_name = gu_name and that join makes sense (it should, and seems to join fine)
• you're an admin on english wikipedia iff you're in the 'sysop' group

If that's true, then the following query will join all the right tables together and count who enabled two-factor. You can run just the inner query to spot check and make sure this makes sense, if you have rights to query the slaves. I did that and it seemed to make sense to me, like most WMF employees had it turned on.

 select count(*) as sysops,
 sum(has_two_factor) as enabled_two_factor
 from (select user_name,
 if(id is null, 0, 1) as has_two_factor
 from enwiki.user
 inner join
 enwiki.user_groups on ug_group = 'sysop'
 and ug_user = user_id
 inner join
 centralauth.globaluser on user_name = gu_name
 left join
 centralauth.oathauth_users on gu_id = id

 ) two_factor_status_of_all_sysops
;

+-------+--------------------+
| sysop | enabled_two_factor |
+-------+--------------------+
| 1274 | 203 |
+-------+--------------------+

It's been a couple of years since the query was ran in this task, might be nice to know what the latest figures are.

A few less sysops, a few more with 2FA (note: my query from above is now harder to run on the analytics replicas because the dbs are sharded):

+--------+--------------------+
| sysops | enabled_two_factor |
+--------+--------------------+
| 1180 | 275 |
+--------+--------------------+

There are results in this task. Can this task be resolved?

don't see why not