도움말:2요소 인증

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
This page is a translated version of the page Help:Two-factor authentication and the translation is 25% complete.
Other languages:
Bahasa Indonesia • ‎Deutsch • ‎English • ‎Esperanto • ‎Nederlands • ‎Tiếng Việt • ‎Türkçe • ‎asturianu • ‎azərbaycanca • ‎dansk • ‎español • ‎français • ‎galego • ‎italiano • ‎norsk bokmål • ‎polski • ‎português • ‎português do Brasil • ‎română • ‎svenska • ‎čeština • ‎беларуская (тарашкевіца) • ‎русский • ‎سنڌي • ‎فارسی • ‎کوردی • ‎नेपाली • ‎हिन्दी • ‎বাংলা • ‎മലയാളം • ‎ไทย • ‎ქართული • ‎中文 • ‎日本語 • ‎한국어
도움말 문서 2요소 인증 도움말
단축:
H:2FA
이 페이지는 위키미디어 재단 위키의 이중 인증에 대해 설명합니다. 이 기능을 추가하는 확장에 대한 문서는 mw:Extension:OATHAuth을 참조하세요.

위키미디어의 2단계 인증(2FA) 구현은 계정 보안을 강화하는 방법입니다. 2 단계 인증을 활성화하면 비밀번호와 함께 매번 6자리 인증 코드를 입력해야합니다. 이 코드는 스마트톤 또는 기타 인증 장치의 앱에서 제공합니다. 로그인하려면 비밀번호를 알고 있어야하며 코드를 생성하는 데 사용할 수있는 인증 장치가 있어야합니다.

영향을 받는 계정

위키미디어의 이중 인증은 현재 실험적이며 선택 사항입니다(일부 예외 있음). 등록하려면 (oathauth-enable) 권한이 필요하며, 현재 관리자(인터페이스 편집자와 같은 관리자 권한이 있는 사용자)와 사무관, 검사관, 기록보호자, 사무장, 편집 필터 관리자OATH-테스터 글로벌 그룹과 프로덕션 테스트 중입니다.

위키테크(Wikitech) LDAP 계정도 사용할 수 있습니다.

필수 사용 사용자 그룹

Enabling two-factor authentication

  • Have (oathauth-enable) access
    • You can also use a desktop client such as the OATH Toolkit (Linux, macOS via Homebrew), or WinAuth (Windows). Keep in mind that if you log in from the computer used to generate TOTP codes, this approach does not protect your account if an attacker gains access to your computer.
    • Password managers such as 1Password, LastPass, and KeePass also tend to support/have plugins to support TOTP. This bears the same limitations as the above, but may be worth looking into if you already use one for other things.
Overview of preferences section to enable two-factor authentication.
  • Go to Special:OATH on the project you hold one of the above rights on (this link is also available from your preferences). (For most users, this will not be here on the meta-wiki.)
  • Special:OATH presents you with a QR code containing the Two-factor account name and Two-factor secret key. This is needed to pair your client with the server.
  • Scan the QR code with, or enter the two-factor account name and key into, your TOTP client.
  • Enter the authentication code from your TOTP client into the OATH screen to complete the enrollment.
Warning {{{1}}}

Logging in

로그인 화면
  • Provide your username and password, and submit as before.
  • Enter in a one-time six digit authentication code as provided by the TOTP client. Note: This code changes about every thirty seconds.

로그인 상태로 유지

If you choose this option when logging in, you normally will not need to enter an authentication code when using the same browser. Actions such as logging out or clearing the browser cache will require a code on your next login.

Some security sensitive actions, such as changing your email address or password, may require you to re-authenticate with a code even if you chose the keep-me-logged-in option.

API access

Two-factor authentication is not utilized when using OAuth or bot passwords to log in via the API.

You may use OAuth or bot passwords to restrict API sessions to specific actions, while still using two-factor authentication to protect your full access. Please note, OAuth and bot passwords can not be used to log on interactively to the website, only to the API.

For example, tools like AutoWikiBrowser (AWB) do not yet support two-factor authentication, but can use bot passwords. For further information on how to configure this see Wikipedia:Using AWB with 2FA

Disabling two-factor authentication

Unenrolling
Warning {{{1}}}
  • On the disable two-factor authentication page, use your authentication device to generate a code to complete the process.

스크래치 코드

OATH example scratch codes

When enrolling in two-factor authentication, you will be provided with a list of ten one-time scratch codes. Please print those codes and store them in a safe place, as you may need to use them in case you lose access to your 2FA device. It is important to note that each of these codes is single use; it may only ever be used once and then expires. After using one, you can scratch it through with a pen or otherwise mark that the code has been used. To generate a new set of codes, you will need to disable and re-enable two-factor authentication.

Disabling two-factor authentication without an authentication device

This may require two scratch codes: one to log in, and another to disable. Should you ever need to use any of your scratch codes, it is advisable to disable and re-enable to generate a fresh set of codes as soon as possible.

Recovering from a lost or broken authentication device

If you have an existing 2FA device which has simply stopped generating the correct codes, check that its clock is reasonably accurate. Time-based OTP on our wikis has been known to fail with 2 minutes difference.

You will need access to the scratch codes that you were provided when enrolling in order to un-enroll from two-factor authentication. It will require you to use up to two scratch codes to accomplish this:

  • You need to be logged in. If you are not already logged in, this will require use of a scratch code.
  • Visit Special:OATH and use a different scratch code to disable two-factor authentication.

If you don't have enough scratch codes, you may contact Trust and Safety at ca(_AT_)wikimedia.org to request removal of 2FA from your account (please send an email using your registered email address of your wiki account). You should also create a task on Phabricator if you still have access to it. Please note, 2FA removal by staff is not always granted.

See wikitech:Password and 2FA reset#For users for instructions on requesting 2FA removal for your Developer account.

Web Authentication Method

Please note, most of the directions on this page are specific to the TOTP method. The WebAuthn method is more experimental and currently has no recovery options (c.f. phab:T244348).

같이 보기