Hjelp:Tofaktorautentisering

From Meta, a Wikimedia project coordination wiki
This page is a translated version of the page Help:Two-factor authentication and the translation is 45% complete.
Outdated translations are marked like this.
Snarvei:
H:2FA
Denne siden forklarer tofaktorautentisering på Wikimedia Foundations wikier. For dokumentasjon for utvidelsen som legger til denne funksjonaliteten, se mw:Special:MyLanguage/Extension:OATHAuth.

Wikimedias implementasjon av tofaktorautentisering (engelsk: two-factor authentication, 2FA) er en måte å styrke sikkerheten til kontoen din på. Om du slår på tofaktorautentisering blir du spurt om en sekssifret engangskode hver gang du logger inn, i tillegg til passordet ditt. Denne koden kommer fra en app på smarttelefonen din eller en annen enhet. For å kunne logge inn må du vite passordet og ha enheten som autentiserer tilgjengelig for å generere koden.

Påvirkede kontoer

Tofaktorautentisering hos Wikimedia er for øyeblikket eksperimentelt og valgfritt (med noen unntak). For å få tilgang må man ha rettigheten $oauth-enable, som for tiden testes ut for administratorer (og brukere med administrator-lignende rettigheter, som grensesnittadministratorer), byråkrater, IP-kontrollører, sensorer, forvaltere, redigeringsfilterredaktører og den globale gruppa OATH-testers.

Alle LDAP-kontoer på Wikitech (kontoer for utviklere) kan også få tofaktorautentisering. Disse kotnoene er ikke en del av det globale kontosystemet.

Brukergrupper som kreves å bruke 2FA

Slå på tofaktorautentisering

  • Du må ha (oathauth-enable)-rettigheten på kontoen din (som standard tilgjengelig for administratorer, byråkrater, sensorer, IP-kontrollører og andre priveligierte brukergrupper)
  • Ha eller installer en tidsbasert engangspassordklient (TOTP-klient). For folk flest vil dette være en app på en smarttelefon eller et nettbrett. Noen vanlige alternativer inkluderer:
    • Apper og programmer basert på åpen kildekode: FreeOTP (Android, iOS), andOTP (Android), Authenticator (iOS), Authenticator.cc (Chrome, Firefox & Edge), Passman (NextCloud), KeePassXC (Linux, macOS, Windows)
    • Apper og programmer basert på lukket kildekode: Authy (Android, iOS, macOS, Windows), Google Authenticator (Android iOS)
    • Liste over diverse OTP-programmer og apper på engelsk Wikipedia
    • Du kan også bruke en skrivebordsklient, som for eksempel OATH Toolkit (Linux, macOS via Homebrew) eller WinAuth (Windows). Merk at hvis du bruker dette programmet på PC-en du også vanligvis logger deg inn på Wikipedia med, så beskytter ikke denne fremgangsmåten deg i tilfellet hvor en angriper får tilgang til datamaskinen din.
    • Passordmanagarere som 1Password, Bitwarden, og KeePass pleier også ha støtte for TOTP, enten direkte eller gjennom en plugin. De samme begrensningene gjelder ved bruk av disse som nevnt tidligere, men de kan være verdt å vurdere hvis du allerede bruker et av disse programmene til andre ting.
      Overview of preferences section to enable two-factor authentication
  • Go to Special:OATH on the project you hold one of the above rights on (this link is also available from your preferences). (For most users, this will not be here on the meta-wiki.)
  • Special:OATH presents you with a QR code containing the Two-factor account name and Two-factor secret key. This is needed to pair your client with the server.
  • Scan the QR code with, or enter the two-factor account name and key into, your TOTP client.
  • Enter the authentication code from your TOTP client into the OATH screen to complete the enrollment.

Innlogging

Innloggingsskjermen
  • Provide your username and password, and submit as before.
  • Enter in a one-time six digit authentication code as provided by the TOTP client. Note: This code changes about every thirty seconds.

Hold meg innlogget

If you choose this option when logging in, you normally will not need to enter an authentication code when using the same browser. Actions such as logging out or clearing browser cookies will require a code on your next login.

Some security sensitive actions, such as changing your email address or password, may require you to re-authenticate with a code even if you chose the keep-me-logged-in option.

API-tilgang

Two-factor authentication is not utilized when using OAuth or bot passwords to log in via the API.

You may use OAuth or bot passwords to restrict API sessions to specific actions, while still using two-factor authentication to protect your full access. Please note, OAuth and bot passwords can not be used to log on interactively to the website, only to the API.

For example, tools like AutoWikiBrowser (AWB) do not yet support two-factor authentication, but can use bot passwords. You may find further information on how to configure this.

Slå av totrinns pålogging

Unenrolling
  • Go to Special:OATH or preferences. If you are no longer in groups that are permitted to enroll, you can still disable via Special:OATH.
  • On the disable two-factor authentication page, use your authentication device to generate a code to complete the process.

Engangskoder

Eksempler på OATH-engangskoder

When enrolling in two-factor authentication, you will be provided with a list of ten one-time recovery codes. Please print those codes and store them in a safe place, as you may need to use them in case you lose access to your 2FA device. It is important to note that each of these codes is single use; it may only ever be used once and then expires. After using one, you can scratch it through with a pen or otherwise mark that the code has been used. To generate a new set of codes, you will need to disable and re-enable two-factor authentication.

Slå av totrinns pålogging uten en autentiseringsenhet

Dette kan kreve to engangskoder: én for å logge inn, og en annen for å slå av. Om du noen gang trenger å bruke engangskodene anbefales det å slå av og slå på igjen totrinns pålogging for å få et nytt sett engangskoder.

Recovering from a lost or broken authentication device

If you have an existing 2FA device which has simply stopped generating the correct codes, check that its clock is reasonably accurate. Time-based OTP on our wikis has been known to fail with 2 minutes difference.

You will need access to the recovery codes that you were provided when enrolling in order to un-enroll from two-factor authentication. It will require you to use up to two recovery codes to accomplish this:

  • You need to be logged in. If you are not already logged in, this will require use of a recovery code.
  • Visit Special:OATH and use a different recovery code to disable two-factor authentication.

If you don't have enough recovery codes, you may contact Trust and Safety at ca(_AT_)wikimedia.org to request removal of 2FA from your account (please send an email using your registered email address of your wiki account). You should also create a task on Phabricator if you still have access to it. Please note, 2FA removal by staff is not always granted.

See wikitech:Password and 2FA reset#For users for instructions on requesting 2FA removal for your Developer account.

Web Authentication Method

Please note, most of the directions on this page are specific to the TOTP method. The WebAuthn method is more experimental and currently has no recovery options (cf. related developer task).

WebAuthn has a known issue that you must make future logons on the same project that you initiate it from (tracking task).

Se også