Help talk:Two-factor authentication/Archives/2025
Please do not post any new comments on this page. This is a discussion archive first created in 2025, although the comments contained were likely posted before and after this date. See current discussion or the archives index.
Two-factor authentication must not be mandatory
Two-factor authentication is still a beta feature that should not be mandatory for any user category. Please solve problems before making it mandatory. When activated, entering the password is mandatory each time I go to any page, and the login procedure needs to be repeated after an idle time of 5 minutes (not configurable). There are more login actions than edit actions.
-- ◄ David L • talk ► 17:13, 30 March 2025 (UTC)
- If you are having to log in every 5 mins or when you change pages, that should have nothing to do with 2FA. Ensure you are allowing cookies, and not blocking SUL3 via auth.wikimedia.org. — xaosflux Talk 17:44, 30 March 2025 (UTC)
- Hi @DavidL: Are you still experiencing this problem, or is it fixed for you?
- If it is not fixed yet, please confirm if you have tried the process of: (1) logging out, (2) then clearing your browser cookies (at least for the *.wikimedia.org and *.wikibooks.org domains), (3) and then logging back in. Thanks. Quiddity (WMF) (talk) 17:26, 31 March 2025 (UTC)
- @DavidL 2FA has been mandatory for interface admins since 2018 [1] for security purposes. It's concerning if you didn't follow the policy until now (or are there suddenly issues which didn't occur before?). Johannnes89 (talk) 17:58, 31 March 2025 (UTC)
2FA increases the risk of losing account
Without 2FA, a strong and unique password is all I need to focus on to keep my account secure. The account security (on user's end) relies only on the existence of my life and memory, not any personal device or password paper. If my computer were stolen, just switch to another computer and change the password, and everything would be fine.
2FA increases the risk of users losing control of their accounts. To prevent that, I have to either remember the TOTP secret, or back up the scratch codes to multiple locations and keep them secret from others in the meanwhile. Both are challenging.
I hope the Foundation can reconsider the recent enforcement of 2FA for interface administrators. 2FA may make accounts more secure for ordinary users, but not for security nitpickers like me, who are more likely to apply for interface administrators. Lt2818 (talk) 12:54, 1 April 2025 (UTC)
- Additional 2FA factors are being explored. I expect that with more 2FA support enforcement and requirements may increase, not decrease. — xaosflux Talk 13:24, 1 April 2025 (UTC)
WebAuthn issue has been resolved
The help page mentions
- WebAuthn has a known issue that you must make future logons on the same project that you initiate it from (tracking task).
This issue has been recently resolved, see this comment. Please adjust the help page. It may be worth mentioning that users that already have configured Webauthn have to migrate as mentioned in the comment. ThE cRaCkEr (talk) 23:19, 18 April 2025 (UTC)
Semi-protected edit request on 15 August 2025
This edit request to Help:Two-factor authentication has been answered. Set the |answered= or |ans= parameter to no to reactivate your request.
I want to add Proton Pass to the "Open source apps" section Invertedd (talk) 15:40, 15 August 2025 (UTC)
Not done. That seems to be a password manager app, and you'd need to get an account first before using it. -Barras talk 05:14, 17 August 2025 (UTC)
Imposed two-factor authentication
I just found out I have this and no option to disable it inside preferences (I did look). I don't want two-factor authentication, why do I have it and how do I disable it? Lmalena (talk) 14:51, 25 September 2025 (UTC)
- @Lmalena I suspect you are confusing two different, but similar systems. The two-factor authentication requires manual enrollment, and makes use of an authenticator device (typically a smartphone application). It requires you to enter a constantly changing number every time you have to enter your password. You should not be getting prompted for this. A different system is email-logon authentication. This is managed by WMF and may prompt you to verify your logon via an email code. This should not happen every time you log on unless: you change devices, you disallow cookies/localstorage, you change networks. — xaosflux Talk 14:58, 25 September 2025 (UTC)
- I added a brief note about that, and a link to the information on EmailAuth to the help page. — xaosflux Talk 15:02, 25 September 2025 (UTC)
- Thank you Lmalena (talk) 15:35, 26 September 2025 (UTC)
Updates 2025-Nov

The shot File:TOTP login.png used in the article seems no longer accurate. I am getting links to BigTech now, see shot at the right side. Taylor 49 (talk) 20:53, 28 November 2025 (UTC)
- @Taylor 49 Hmmm. That's the message for registration… maybe a message got mixed up somewhere.. —TheDJ (talk • contribs) 19:02, 2 December 2025 (UTC)
- I will remove outdated images on this page in the next few weeks when I publish a rewrite that better documents the improved and expanded 2FA system. See phab:T399657. TBurmeister (WMF) (talk) 16:59, 3 December 2025 (UTC)