Mandatory two-factor authentication for users with some extended rights

From Meta, a Wikimedia project coordination wiki

From June 3, 2025 (the date originally announced was May 20, 2025), oversighters and checkusers will need to have their accounts secured with two-factor authentication (2FA) to be able to use their advanced rights. In the future, this requirement may be extended to other users with advanced rights. See below for the questions the Wikimedia Foundation is asking community members to help answer as it makes these decisions.

Background

A few weeks ago, the Wikimedia Foundation, in collaboration with community functionaries, investigated a bulk compromise of ~36,000 user accounts. One of the steps we took as part of that work was to begin technically enforcing mandatory two-factor authentication for wiki interface administrators.

We plan to continue making significant changes to increase the security of our user accounts, especially those with privileged access. Fortunately, we haven't seen any evidence of significant malicious editing or issues with content integrity from the March 2025 incident. However, a critical part of responding appropriately to any security incident is to make systemic improvements that can reduce the likelihood and impact of that kind of incident in the future.

As part of this work, we plan to expand the technical enforcement of two-factor authentication (2FA) to oversighters and checkusers, given the privileged access they have to non-public information about editors.

Affected users should visit the Special:Manage Two-factor authentication page on the wiki where they hold one of the above rights (for most users, this will not be here on Meta-Wiki), and configure an app that supports time-based codes (see the many options listed here).

We expect to make this change on Tuesday, June 3, 2025 (originally scheduled for Tuesday, May 20, 2025), and will contact impacted users directly ahead of the change.

We believe we likely need to expand this further, including to other roles with privileged technical capabilities like bureaucrats. However, we note that expanding 2FA widely may come with further difficulties as there are limited 2FA options available to users of Wikimedia projects. We intend to expand the accessibility and security of our 2FA capabilities, such as allowing users to set up multiple authenticators, and to more fully support modern phishing-resistant methods like security keys and passkeys, in order to ease the transition to 2FA for accounts with privileged access to non-public information.

Contact us

We are posting this notice to provide some advance warning before the change is made, and as an opportunity to collect comments from community members. We welcome input on how we can best implement 2FA enforcement actions like this, now and in the future, and on what technical improvements to 2FA and related features we should pursue to make this a smoother experience for everyone.

Please post your comments on the talk page, or if you have private feedback you can email security-help(_AT_)wikimedia.org. We're especially interested in:

  • What issues have you had, or seen others have, with two-factor authentication on Wikimedia projects? Please call out any software bugs, safety concerns, lack of documentation, difficulty with device compatibility, or anything else.
  • Are there technical security requirements other than 2FA that we should be considering as potential requirements for maintaining privileged access on the wikis?
  • What other user groups or privileges should we be focused on as we look at strengthening our security policies?
  • What do we most need to be careful about as we go about this work?
  • Any other comments or questions you have.

FAQ

  • Who is running this consultation?
  • How will you enforce these requirements?
    • After a grace period, they will be enforced by the software. As mentioned above, this is already in place for interface administrators. Users who don't use two-factor authentication will not have access to their checkuser/oversighter permissions until they enable 2FA.
  • What happens if I lose my 2FA device?
    • When you enable 2FA, you will be presented with a series of 10 one-time recovery codes. You should safely store a copy of these codes.
    • Even with 2FA enabled, you can initiate the verification process to regain access to your account by contacting ca(_AT_)wikimedia.org from the confirmed email that is associated with the user account.
    • In order to start the process of account verification, you will need a working and confirmed email address that is associated with your user account and from which you can send emails.
  • How do I turn on 2FA for my account? I don't see the option.
    • Right now, 2FA is generally only available for users with privileged access of some kind. We are investigating what would be required for us to expand two-factor authentication availability to all Wikimedia user accounts.
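To make the mechanism behind the setup step above and the "enforced by the software" and recovery-code answers concrete, here is a small added model (example code, not MediaWiki or OATHAuth code) of an account whose privileged groups are withheld from the enforcement date until 2FA is enrolled, with RFC 6238 time-based codes and ten single-use recovery codes. The group labels, the 20-byte secret, the SHA-256 storage of recovery codes and the one-step clock-skew tolerance are assumptions; the cut-over date is the one announced on this page.

```python
import base64, hashlib, hmac, secrets, struct
from datetime import datetime, timezone

# Assumed group labels for the roles the notice names; the cut-over date is the one announced.
PRIVILEGED_GROUPS = {"checkuser", "oversight", "interface-admin"}
ENFORCEMENT_TS = datetime(2025, 6, 3, tzinfo=timezone.utc).timestamp()

def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits), as computed by a time-based authenticator app."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

class Account:
    """Minimal wiki account: its groups plus its 2FA state once enrolled (assumed model)."""
    def __init__(self, groups):
        self.groups = set(groups)
        self.totp_secret = None       # set when the user enrols an authenticator app
        self.recovery_hashes = set()  # hashes of the still-unused one-time recovery codes
    def enroll(self):
        """Enable 2FA: new TOTP secret plus 10 single-use recovery codes, returned once for the user to store."""
        self.totp_secret = secrets.token_bytes(20)
        codes = [secrets.token_hex(8) for _ in range(10)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return base64.b32encode(self.totp_secret).decode(), codes

    @property
    def has_2fa(self) -> bool:
        return self.totp_secret is not None

    def verify(self, code: str, now: float) -> bool:
        """Accept the current TOTP (one step of skew either way) or an unused recovery code, which is consumed."""
        if self.totp_secret is not None:
            for skew in (-1, 0, 1):
                expected = totp(self.totp_secret, now + skew * 30)
                if hmac.compare_digest(expected.encode(), code.encode()):
                    return True
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.recovery_hashes:
            self.recovery_hashes.discard(digest)  # a recovery code works exactly once
            return True
        return False

def effective_groups(account: Account, now: float) -> set:
    """The gate: from the enforcement date, privileged groups are withheld until the account has 2FA."""
    if now >= ENFORCEMENT_TS and not account.has_2fa:
        return account.groups - PRIVILEGED_GROUPS
    return set(account.groups)
```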
