Mandatory two-factor authentication for users with some extended rights
Compared to other internet platforms, an exceptionally high number of Wikimedia users are able to take security- or privacy-sensitive actions. While these are generally trusted and competent members of the community, anyone can be phished or have their passwords stolen. If an account with such rights is taken over, it could be misused to hurt other users.
This is why the Wikimedia Foundation is shifting to a more secure system by requiring two-factor authentication (2FA) to log into accounts with sensitive permissions.
We have built a range of new features to make this easier: most importantly, users can now set up as many two-factor methods as they want, including passkeys. Once a user registers a passkey, they can then log in without using a password at all. For some users, passkeys will make logging in a quicker experience than it was for them before enabling two-factor authentication!
What are sensitive permissions?
When determining what user groups to include, the Wikimedia Foundation Product Safety and Integrity team considered any that had the ability to:
- View private or confidential information (e.g., IP addresses, oversighted content)
- Edit JS/CSS for other users (or for everyone)
- Escalate permissions / promote users (add people to groups, including themselves)
- Or that implied an official role.
Technical enforcement of 2FA and automatic removal of permissions
Users who hold sensitive permissions but don't have 2FA enabled will be contacted directly before the enforcement date with instructions on how to enable 2FA. They should visit the special page and configure an authenticator app or a security key. After that, we encourage them to also add a passkey, which greatly simplifies login and reauthentication (see the guide).
Enforcement begins with a 2-week-long grace period. During this time, it is impossible to grant sensitive permissions to users who do not have 2FA enabled. In addition, the software does not allow users with sensitive permissions to disable 2FA. If a user wishes to temporarily disable 2FA during this time, they need to request removal of the sensitive permissions first, or self-remove, if they are able. They should coordinate with Stewards on the process of disabling and enabling 2FA again.
After this period, users who don't have 2FA enabled will automatically have their sensitive permissions removed. These users may re-apply for permissions through ordinary community processes.
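The three enforcement rules described above (no granting of a sensitive group to an account without 2FA once enforcement starts, no disabling of 2FA while a sensitive group is held, and automatic removal of sensitive groups once the grace period ends) modelled as a small policy checker. This is an added example, not MediaWiki's own code: the group names are a subset of the page's tables, while the enforcement date, the accounts, and the treatment of an account with several 2FA methods (only removing the last method counts as disabling 2FA) are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Subset of the groups in the page's tables, keyed to the reason they are sensitive.
SENSITIVE_GROUPS = {
    "checkuser": "access to private or confidential information",
    "oversight": "access to private or confidential information",
    "interface-admin": "edit JS/CSS for other users",
    "bureaucrat": "escalate permissions",
    "wmf-trust-and-safety": "official role",
}
GRACE_PERIOD = timedelta(days=14)  # the page's "2-week-long grace period"


class EnforcementError(Exception):
    """An action refused by the enforcement rules."""


@dataclass
class Account:
    name: str
    groups: set = field(default_factory=set)
    second_factors: set = field(default_factory=set)  # e.g. {"totp", "passkey"}

    def has_2fa(self) -> bool:
        return bool(self.second_factors)

    def sensitive_groups(self) -> set:
        return {g for g in self.groups if g in SENSITIVE_GROUPS}


def grant_group(acct: Account, group: str, today: date, start: date) -> None:
    """Rule 1: from the first day of enforcement, a sensitive group cannot be
    granted to an account that has no second factor."""
    if group in SENSITIVE_GROUPS and today >= start and not acct.has_2fa():
        raise EnforcementError(
            f"{acct.name}: '{group}' requires 2FA ({SENSITIVE_GROUPS[group]})")
    acct.groups.add(group)


def remove_group(acct: Account, group: str) -> None:
    """Dropping a group is always allowed; the page describes this (via Stewards
    or self-removal) as the route for anyone who needs to switch 2FA off."""
    acct.groups.discard(group)


def remove_second_factor(acct: Account, method: str, today: date, start: date) -> None:
    """Rule 2: an account holding a sensitive group cannot disable 2FA during
    enforcement. Assumption: removing one of several methods is fine; only
    removing the last remaining method counts as disabling 2FA."""
    last_method = acct.second_factors == {method}
    if last_method and acct.sensitive_groups() and today >= start:
        raise EnforcementError(
            f"{acct.name}: cannot remove last 2FA method while holding "
            f"{sorted(acct.sensitive_groups())}")
    acct.second_factors.discard(method)


def sweep(accounts, today: date, start: date) -> list:
    """Rule 3: once the grace period has ended, strip sensitive groups from
    accounts still without 2FA. Returns (account, group) pairs for the audit log."""
    if today < start + GRACE_PERIOD:
        return []
    removed = []
    for acct in accounts:
        if acct.has_2fa():
            continue
        for group in sorted(acct.sensitive_groups()):
            acct.groups.discard(group)
            removed.append((acct.name, group))
    return removed


def refused(action, *args) -> bool:
    """True if the enforcement rules refused the action."""
    try:
        action(*args)
    except EnforcementError:
        return True
    return False


def run_scenario() -> dict:
    """Constructed accounts and dates (not the page's schedule) exercising all three rules."""
    start = date(2026, 3, 1)
    day1, day13, day14 = (start + timedelta(days=d) for d in (1, 13, 14))
    alice = Account("Alice", {"checkuser"}, {"totp"})
    bob = Account("Bob", {"bureaucrat"})                   # sensitive group, no 2FA
    carol = Account("Carol")                               # no groups, no 2FA
    dave = Account("Dave", {"interface-admin"}, {"totp"})  # wants to switch 2FA off for a while
    out = {}
    out["grant_without_2fa_refused"] = refused(grant_group, carol, "interface-admin", day1, start)
    out["disable_last_factor_refused"] = refused(remove_second_factor, alice, "totp", day1, start)
    alice.second_factors.add("passkey")  # register a passkey, then retire TOTP
    out["swap_method_allowed"] = not refused(remove_second_factor, alice, "totp", day1, start)
    remove_group(dave, "interface-admin")  # documented path: drop the sensitive group first
    out["disable_after_group_removal_allowed"] = not refused(remove_second_factor, dave, "totp", day1, start)
    out["sweep_during_grace"] = sweep([alice, bob, carol, dave], day13, start)
    out["sweep_after_grace"] = sweep([alice, bob, carol, dave], day14, start)
    out["alice_groups"] = alice.groups
    out["bob_groups"] = bob.groups
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The sweep deliberately returns what it removed rather than only mutating state: in a real deployment that list is the audit record that tells Stewards whose permissions were dropped and why, and it is what the affected users would need when re-applying through the ordinary community process.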
Permissions that require two-factor authentication
Local groups
| Local group | Explanation | Enforcement date |
|---|---|---|
| Central notice administrators | Edit JS/CSS for other users | March 2026 |
| CheckUsers | Access to private or confidential information | March 2026 |
| Interface administrators | Edit JS/CSS for other users | March 2026 |
| Oversighters | Access to private or confidential information | March 2026 |
| Wikidata staff | Official role | March 2026 |
| Wikifunctions staff | Official role | March 2026 |
| WMF IT Services | Official role | March 2026 |
| WMF Trust and Safety | Official role | March 2026 |
| Editors on foundationwiki | Official role | April 2026 |
| OAuth administrators | Access to private or confidential information | April 2026 |
| Stewards[1] | Access to private or confidential information | April 2026 |
| Translation administrators on foundationwiki | Official role | April 2026 |
| Arbitration committee members | Access to private or confidential information | May 2026 |
| Bureaucrats | Escalate permissions | May 2026/June 2026 |
Global groups
| Global group | Explanation | Enforcement date |
|---|---|---|
| Abuse filter helpers | Access to private or confidential information | June 2026 |
| Abuse filter maintainers | Access to private or confidential information | June 2026 |
| Founder | Official role | June 2026 |
| Global interface editors | Edit JS/CSS for other users | June 2026 |
| Global sysops | Edit JS/CSS for other users | June 2026 |
| New wikis importers | Access to private or confidential information | June 2026 |
| Ombuds | Access to private or confidential information | June 2026 |
| Staff | Official role | June 2026 |
| System administrators | Access to private or confidential information | June 2026 |
| U4C members | Access to private or confidential information | June 2026 |
| wmf-email-block-override | Official role | June 2026 |
| WMF researchers | Official role | June 2026 |
Background
In April 2025, we at the Wikimedia Foundation, in collaboration with community functionaries, investigated a bulk compromise of ~36,000 user accounts. A critical part of responding appropriately to any security incident is to make systemic improvements that can reduce the likelihood and impact of that kind of incident in the future.
One of the steps we took as part of that work was to begin technically enforcing mandatory two-factor authentication for wiki interface administrators. We also expanded the technical enforcement of 2FA to oversighters and checkusers, given the privileged access they have to non-public information about editors.
In March of 2026, the Wikimedia Foundation made two-factor authentication technically mandatory for users for whom it was already required by policy. However, there are many other sensitive permissions that do not have this security protection in place. To help keep our projects and users safe, we have decided to expand our technical enforcement of 2FA to all user groups that take these actions.
Contact us
This notice is posted to provide some advance warning before the change is made, and as an opportunity to collect comments from community members. We welcome input on how we can best implement 2FA enforcement actions like this, now and in the future, and what technical improvements to 2FA and related features we should pursue, to make this a smoother experience for everyone.
Please post your comments on the talk page, or if you have private feedback you can email security-help@wikimedia.org. We're especially interested in:
- What issues have you had, or seen others have, with two-factor authentication on Wikimedia projects? Please call out any software bugs, safety concerns, lack of documentation, difficulty with device compatibility, or anything else.
- Are there technical security requirements other than 2FA that we should be considering as potential requirements for maintaining privileged access on the wikis?
- What other user groups or privileges should we be focused on as we look at strengthening our security policies?
- What do we most need to be careful about as we go about this work?
- Any other comments or questions you have.
FAQ
- Who is running this consultation?
- The Wikimedia Foundation Product Safety and Integrity team supported by Movement Communications.
- What happens if I lose my 2FA device?
- See the instructions at Help:Two-factor authentication.
References
- ↑ Technically, there are both global and local steward groups, and the latter are only available to the members of the former. 2FA will be enforced on the local level first. Because of this, there will be no practical consequences of the global enforcement (set to happen later), as all stewards will have 2FA enforced by then.