Help:Two-factor authentication
Wikimedia ein implementation of two-factor authentication (2FA) be way make e strengthen de security of your account. If you enable two-factor authentication, dem go biz you for one-time six-digit authentication code every tym in addition to your password. App dey provide dis code for your smartphone top anaa oda authentication device. In order make e log insyd, you for know your password den get your authentication device available make e generate de code.
Accounts e affect
Two-factor authentication for Wikimedia top currently experimental den optional (plus sam exceptions). Enrollment dey require (oathauth-enable) access, currently insyd production testing plus administrators (den users plus admin-like permissions lyk interface editors), bureaucrats, checkusers, oversighters, stewards, edit filter managers den de OATH-testers global group.
All Wikitech LDAP accounts (dem sanso know as developer account) sanso be eligible. Dese accounts no dey part of Single Unified Login.
Mandatory use user groups
Dey enable two-factor authentication
- Get
(oathauth-enable)access (by default, available to administrators, bureaucrats, suppressors, check users den oda privileged user groups) - Get anaa install Time-based One-time Password Algorithm (TOTP) client. For chaw users, dis go be phone anaa tablet application. Commonly recommended apps dey include:
- Open-source: FreeOTP (Android, iOS), andOTP (Android), Authenticator (iOS), Authenticator.cc (Chrome, Firefox & Edge), Passman (NextCloud), KeePassXC (Linux, macOS, Windows)
- Closed-source: Authy (Android, iOS, macOS, Windows), Google Authenticator (Android iOS)
- General comparison of chaw common OTP applications wey dem fi use as TOTP client give 2FA (English Wikipedia)
- You sanso fi use desktop client such as de OATH Toolkit (Linux, macOS via Homebrew), anaa WinAuth (Windows). Make you keep in mind say if you log insyd from de computer dem use take generate TOTP codes, dis approach no dey protect your account if attacker gain access go your computer.
- Password managers such as 1Password, Bitwarden, den KeePass sanso tend make e support/get plugins make e support TOTP. Dis dey bear de same limitations as de above, buh fi be worth looking into if you already dey use one for oda things.
Overview of preferences section make e enable two-factor authentication
- Go Special:OATH for de project top wey you dey zuk one of de above rights (dis link sanso be available from your preferences). (For chaw users, dis no fi dey hie for de meta-wiki top.)
- Special:OATH dey present you plus QR code wey dey contain de Two-factor account name den Two-factor secret key. Dem dey hia dis make dem pair your client plus de server.
- Make you scan de QR code plus, anaa make you enter de two-factor account name den key into, your TOTP client.
- Make you enter de authentication code from your TOTP client into de OATH screen make e plete de enrollment.
 | WARNING: Dem sanso go present you plus series of 10 one-time scratch codes. You for print am den safely store copy of dis page. If you lose anaa get problem plus your TOTP client, dem go lock you out of your account unless you get access to dese codes. |
Dey log insyd
- Make you provide your username den password, den submit as before.
- Make you enter insyd one-time six digit authentication code as dem provide by de TOTP client. Note: Dis code dey change about every thirty seconds.
Make you keep me log insyd
If you choose dis option wen you dey log insyd, you normally no go hia make you enter authentication code wen you dey use de same browser. Actions such as you dey log out anaa you dey clear browser cookies go require code for your next login top.
Sam security sensitive actions, such as you dey change your email address anaa password, fi require you make you re-authenticate plus code even if na you choose de keep-me-logged-in option.
API access
Dem o dey utilize two-factor authentication wen you dey use OAuth anaa bot passwords make you log insyd via de API.
You fi use OAuth anaa bot passwords make e restrict API sessions to specific actions, while still you dey use two-factor authentication make e protect your full access. Please note, dem no fi use OAuth den bot passwords make dem take log on interactively to de website, to de API per.
For example, tools like AutoWikiBrowser (AWB) do not yet support two-factor authentication, but can use bot passwords. You may find further information on how to configure this.
Dey disable two-factor authentication
| If you already have 2FA enabled, removing the permission that allows you to enroll in 2FA WILL NOT disable 2FA. You need to follow the process below to disable it. |
- Go to Special:OATH or preferences. If you are no longer in groups that are permitted to enroll, you can still disable via Special:OATH.
- On the disable two-factor authentication page, use your authentication device to generate a code to complete the process.
Recovery codes
When enrolling in two-factor authentication, you will be provided with a list of ten one-time recovery codes. Please print those codes and store them in a safe place, as you may need to use them in case you lose access to your 2FA device. It is important to note that each of these codes is single use; it may only ever be used once and then expires. After using one, you can scratch it through with a pen or otherwise mark that the code has been used. To generate a new set of codes, you will need to disable and re-enable two-factor authentication.
Disabling two-factor authentication without an authentication device
This may require two recovery codes: one to log in, and another to disable. Should you ever need to use any of your recovery codes, it is advisable to disable and re-enable to generate a fresh set of codes as soon as possible.
Recovering from a lost or broken authentication device
If you have an existing 2FA device which has simply stopped generating the correct codes, check that its clock is reasonably accurate. Time-based OTP on our wikis has been known to fail with 2 minutes difference.
You will need access to the recovery codes that you were provided when enrolling in order to un-enroll from two-factor authentication. It will require you to use up to two recovery codes to accomplish this:
- You need to be logged in. If you are not already logged in, this will require use of a recovery code.
- Visit Special:OATH and use a different recovery code to disable two-factor authentication.
If you don't have enough recovery codes, you may contact Trust and Safety at ca
wikimedia.org to request removal of 2FA from your account (please send an email using your registered email address of your wiki account). You should also create a task on Phabricator if you still have access to it. Please note, 2FA removal by staff is not always granted.
See wikitech:Password and 2FA reset#For users for instructions on requesting 2FA removal for your Developer account.
Web Authentication Method
Please note, most of the directions on this page are specific to the TOTP method. The WebAuthn method is more experimental and currently has no recovery options (cf. related developer task).
WebAuthn has a known issue that you must make future logons on the same project that you initiate it from (tracking task).
See also
- The concept of multi-factor authentication in the English Wikipedia and a Wikidata item about it
- Known bugs and requested improvements of Wikimedia's two-factor authentication are collaborated on and tracked in Phabricator
- OATHAuth is the MediaWiki extension used for this functionality
- Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis
- Help:Two-factor authentication in the MediaWiki.org