|←Help pages||Two-factor authentication help|
|mw:Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis.This page explains two-factor authentication on Wikimedia Foundation wikis. For documentation of the extension that adds this functionality, see|
Wikimedia's implementation of two-factor authentication (2FA) is a way to strengthen the security of your account. If you enable two-factor authentication, you will be asked for a one-time six-digit authentication code (token) every time in addition to your password. This token is provided by an app on your smartphone or other authentication device. In order to log in, you must know your password and have your authentication device available to generate the code.
Two-factor authentication on Wikimedia is currently experimental and optional. Enrollment requires
(oathauth-enable) access, currently in production testing with administrators (and users with admin-like permissions like interface editors), bureaucrats, checkusers, oversighters, stewards, edit filter managers and the OATH-testers global group.
To set up two-factor authentication:
- First you must have or install a Time-based One-time Password Algorithm (TOTP) client. For most users, this will be a phone or tablet application. Google Authenticator is a popular example Android iOS, but there are others.
- Next go to Special:OATH on the project you hold one of the above rights on (this link is also available from your preferences). (For most users, this will not be here on the meta-wiki.)
- Special:OATH presents you with a QR code containing the Two-factor account name and Two-factor secret key. This is needed to pair your client with the server.
- Scan the QR code with, or enter the two-factor account name and key into, your TOTP client.
- Enter a verification code from your TOTP client into the OATH screen to complete the enrollment.
- Note: You will also be presented with a series of one-time scratch codes. Safely store a copy of these codes, should you lose or have a problem with your TOTP client you will be locked out of your account unless you have access to these codes.
Provide your username and password and submit as before. After submitting your credentials, you will be asked to type a one-time six digit authentication code as provided by the TOTP client. (Enter the code into the 'token' field onscreen.) This code changes about every thirty seconds.
Keep me logged in
If you choose the keep-me-logged-in option when logging in, you will not normally need to use your two-factor authentication device when using the same browser. Actions such as logging out or clearing your cache will require the two-factor code on your next log in.
Some security sensitive actions, such as changing your email address or password, may require you to re-authenticate with your two-factor code even if you chose the keep-me-logged-in option.
You may use OAuth or bot passwords to restrict API sessions to specific actions, while still using two-factor authentication to protect your full access. Please note, OAuth and bot passwords can not be used to log on interactively to the website, only to the API.
For example, tools like AutoWikiBrowser (AWB) do not yet support two-factor authentication, but can use bot passwords.
To disable two-factor authentication on your account, go to Special:OATH or preferences on the project you enabled 2FA on. If you are no longer in groups that are permitted to enroll, you may still un-enroll via Special:OATH.
On the disable two-factor authentication page, use your authentication device to generate a code to complete unenrollment.
When enrolling in two-factor authentication, you will be provided with a list of five one-time scratch codes. It is important to note that each of these codes is single use, it may only ever be used once and then expires. After using one, you can scratch it through with a pen or use in another way to mark the code that you used. To generate a new set of codes, you will need to un-enroll and re-enroll in two-factor authentication.
Important: Un-enrolling without an authentication device may require two scratch codes: one to sign on, and another to un-enroll. Should you ever need to use any of your scratch codes, it is advisable to un-enroll and re-enroll to regenerate a fresh set of codes as soon as possible.
Recovering from a lost or broken authentication device
You will need access to the scratch codes that you were provided when enrolling in order to un-enroll from two-factor authentication. It will require you to use up to two scratch codes to accomplish this:
- First, you need to be logged in. If you are not already logged in, this will use a scratch code.
- Second, visit Special:OATH and use a different scratch code to complete the un-enrollment.
- English Wikipedia article and Wikidata item about the concept of multi-factor authentication
- List of 3rd party client implementations
- Known bugs and requested improvements of Wikimedia's two-factor authentication are tracked in Phabricator.
- OATHAuth is the MediaWiki extension used for this functionality
- mw:Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis
- mw:Help:Two-factor authentication