Board Thread:General Discussion/@comment--20150810171627/@comment-3388044-20150810195946

DaNASCAT wrote: … 2FA is totally something that would strengthen security. But it would also cause more log in issues and maybe detract some people from joining Wikia. The more steps you put in the registration process, the more likely it is for someone to feel it's not worth it (and joining Wikia is worth it!)

The specific feedback is that it is unnecessary to transclude the login form on every page. Great news! We agree with that. For a long time, Wikia has been working on our backend for a new log-in and user registration system called Helios. It's built outside of the traditional MediaWiki architecture, which allows us to avoid a lot of the traps MediaWiki architecture has put us in. We have been slowly rolling out parts of Helios after testing. Unfortunately, this vulnerability was exploited before we were able to provide a closure that would maintain similar functionality. That's truly regrettable, but only drives us more to improve this system as a whole.

First, thank you TimQ for telling us about this and for keeping us up to date. That is very much appreciated by us all, I am sure.

Second, what’s 2FA? Is that like the two-step login at Facebook, Google, tumblr, and Twitter?

Lastly, I don’t understand the comment “allows us to avoid a lot of the traps MediaWiki architecture has put us in.” At Wikipedia, logoff is indeed on every page when logged in; similarly, login is on every page when logged out. However, clicking on login takes one to a separate https: page to perform the login and credential check. Once correctly completed, one is returned to the page one was on when login was selected. Most likely it’s all over my head, but it seems to contradict the quoted statement at the start of this paragraph.

Thanks again for keeping us in the loop!