
Mandatory two-factor authentication for users with some extended rights

From Meta, a Wikimedia project coordination wiki
As of December 2025, 2FA is available to all registered users on Wikimedia projects. See the help page.

From June 3, 2025, oversighters and checkusers must have their accounts secured with two-factor authentication (2FA) in order to use their advanced rights. The requirement is expected to be extended to other users with advanced rights. See below for the questions the Wikimedia Foundation is asking community members to help answer before those decisions are made.

Background


In April 2025, the Wikimedia Foundation, working with community functionaries, investigated a bulk compromise of roughly 36,000 user accounts. One of the steps taken as part of that work was to begin technically enforcing mandatory two-factor authentication for wiki interface administrators.

We plan to continue making significant changes to increase the security of our user accounts, especially those with privileged access. Fortunately, we have seen no evidence of significant malicious editing or damage to content integrity from the March 2025 incident. However, a critical part of responding appropriately to any security incident is making systemic improvements that reduce the likelihood and impact of a similar incident in the future.

As part of this work, we expanded the technical enforcement of two-factor authentication (2FA) to oversighters and checkusers, given the privileged access they have to non-public information about editors.

Affected users should visit the Special:Manage Two-factor authentication page on the wiki where they hold one of the above rights (for most users this will not be here on Meta-Wiki) and configure an app that supports time-based one-time codes (TOTP); see the list of compatible apps on the help page.

This change was made on June 3, 2025, and impacted users were contacted directly ahead of the change.

We believe we will likely need to expand this further, including to other roles with privileged technical capabilities such as bureaucrats. However, expanding 2FA widely may bring further difficulties, as the 2FA options currently available to users of Wikimedia projects are limited. We intend to improve the accessibility and security of our 2FA capabilities, for example by allowing users to set up multiple authenticators and by fully supporting modern phishing-resistant methods such as security keys and passkeys, in order to ease the transition to 2FA for accounts with privileged access to non-public information.
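As an added illustration of what "an app that supports time-based codes" actually computes, and of why the note above about phishing-resistant methods matters, here is a self-contained Python implementation of RFC 4226 HOTP and RFC 6238 TOTP with a server-side verifier. This is example code written for this page, not code from the MediaWiki OATHAuth extension or any other Wikimedia software. The secret, counters and timestamps are the RFCs' published test vectors; the base32 string, function names and parameters are this example's own assumptions.

```python
"""Added example (not Wikimedia/OATHAuth code): RFC 4226 HOTP and RFC 6238 TOTP
as computed by authenticator apps, plus a verifier that tolerates one step of
clock skew and refuses replayed codes. Values used in the demo are the RFC test
vectors: secret = ASCII "12345678901234567890"."""
import base64
import hashlib
import hmac
import struct


def secret_from_base32(encoded: str) -> bytes:
    """Enrolment QR codes carry the shared secret as unpadded base32 (assumption:
    spaces are allowed for readability); restore the padding Python's decoder needs."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used_counter: int,
                window: int = 1, digits: int = 6, step: int = 30):
    """Server-side check. Returns (accepted, new_last_used_counter).

    - Counters within `window` steps of now are accepted, absorbing clock skew
      between the phone and the server.
    - Any counter at or below `last_used_counter` is refused, so a code that was
      already accepted (or captured in transit) cannot be replayed within the window.
    - The comparison is constant-time so timing does not leak which digits matched.
    """
    submitted = code.strip().encode()
    if len(submitted) != digits:
        return False, last_used_counter
    now_counter = unix_time // step
    for candidate in range(now_counter - window, now_counter + window + 1):
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits).encode(), submitted):
            return True, candidate
    return False, last_used_counter


if __name__ == "__main__":
    # Constructed demo input: base32 of the RFC test secret "12345678901234567890".
    secret = secret_from_base32("GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ")
    print("HOTP counter 0:", hotp(secret, 0))                      # 755224 (RFC 4226)
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082 (RFC 6238)
    first, last = verify_totp(secret, totp(secret, 59), 59, last_used_counter=-1)
    again, _ = verify_totp(secret, totp(secret, 59), 59, last_used_counter=last)
    print("first use accepted:", first, "| replay accepted:", again)  # True | False
```

The verifier shows the limits of this kind of second factor: a code is only a short decimal string derived from a shared secret and the clock, so a phishing page that forwards the victim's code to the real login within the same 30-second step is accepted just like the victim would be. Security keys and passkeys avoid this by binding the response to the site origin, which is the reason the page treats them as the phishing-resistant option to move towards.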

Contact us


This notice was posted to give advance warning before the change was made and to collect comments from community members. We welcome input on how best to implement 2FA enforcement actions like this, now and in the future, and on which technical improvements to 2FA and related features we should pursue to make this a smoother experience for everyone.

Please post your comments on the talk page, or if you have private feedback you can email security-help(_AT_)wikimedia.org. We're especially interested in:

  • What issues have you had, or seen others have, with two-factor authentication on Wikimedia projects? Please call out any software bugs, safety concerns, lack of documentation, difficulty with device compatibility, or anything else.
  • Are there technical security requirements other than 2FA that we should be considering as potential requirements for maintaining privileged access on the wikis?
  • What other user groups or privileges should we be focused on as we look at strengthening our security policies?
  • What do we most need to be careful about as we go about this work?
  • Any other comments or questions you have.

FAQ

  • Who is running this consultation?
  • How will you enforce these requirements?
    • After a grace period, the requirement is enforced by the software. As mentioned above, this is already in place for interface administrators. Users who have not enabled two-factor authentication will not be able to use their checkuser or oversighter permissions until they enable 2FA.
  • What happens if I lose my 2FA device?

See also
