m Removed redundant hyperlink
(28 intermediate revisions by 16 users not shown)
Line 2:
{{Infopage|H:2FA|WP:2FA}}
{{nutshell|Administrators and editors with advanced permissions should ideally enable two-factor authentication for account security, and can do so by following this guide.}}
{{warning|'''Particular attention''' should be paid to the section of this guide on [[
[[File:Différents modèles de lecteurs de cartes bancaires.jpg|thumb|240px|2FA is like a software version of the [[security token]] devices used for online banking in some countries.]]
'''[[Multi-factor authentication|Two-factor authentication]]''' ('''2FA''') is a method of adding additional security to your account. The first "factor" is your usual password that is standard for any account. The second "factor" is a verification code retrieved from an app on a mobile device or computer. 2FA is conceptually similar to a [[security token]] device that banks in some countries require for [[online banking]]. Other names for 2FA systems include ''OTP'' (''[[one-time password]]'') and ''TOTP'' (''[[Time-based One-time Password algorithm]]'').
Line 23:
{{shortcut|H:ACCESS2FA}}
On the English Wikipedia, the following groups automatically have access to 2FA:
* [[Wikipedia:Administrators|Administrators]]<ref>Additionally, [[Wikipedia:Bureaucrats|bureaucrats]], [[Wikipedia:CheckUser|checkusers]], [[Wikipedia:Interface administrators|interface administrators]], and [[Wikipedia:Oversight|oversighters]] have access, but these groups normally only include administrators.</ref>
* [[Wikipedia:Edit filter|Edit filter managers]]
* [[Wikipedia:
* [[Wikipedia:Template editor|Template editors]]
If you are not in one of these groups, you need to submit a request at [[:m:Steward requests/Global permissions#Requests for 2 Factor Auth tester permissions]] to obtain access to 2FA (see [[m:Steward requests/Global permissions/2022-12#Requests_for_2_Factor_Auth_tester_permissions|request examples]]), explicitly mentioning that you have read [[meta:Help:Two-factor authentication|Help:Two-factor authentication on Meta]] (which is '''not''' the page you're reading now). Most users need to request access before they can use 2FA.
Line 46 ⟶ 43:
{{shortcut|H:ENABLE2FA|H:2FAPHONE|H:2FATABLET}}
[[File:Scanning QR codes on business cards.jpg|thumb|Scanning a [[QR code]] with a smartphone's camera]]
[[File:Aegis Authenticator 3.2 screenshot.png|thumb|Aegis app]]
If you have a [[smartphone]] or [[tablet computer]] with [[Android (operating system)|Android]] or [[iOS]], a mobile app is the most secure and the easiest way to use 2FA. If you don't have a mobile device or if you want to use a [[Microsoft Windows|Windows]] tablet, see "{{pslink|Enabling 2FA on desktop and laptop computers}}".
Line 51 ⟶ 49:
#* '''[https://github.com/beemdevelopment/Aegis Aegis]''' (Android): [[free and open-source]]
#** Android: Download from [https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis Google Play] or [https://f-droid.org/en/packages/com.beemdevelopment.aegis/ F-Droid]
#* '''[https://support.apple.com/en-us/guide/iphone/ipha6173c19f/ios Apple Passwords]''' (iOS)
#* '''[https://github.com/andOTP/andOTP AndOTP]''' (Android): free and open-source (development discontinued<ref>{{cite web |author=((flocke000)) |title=[Unmaintained][App][4.4+][Open source] andOTP - Open source two-factor authentication for Android |url=https://forum.xda-developers.com/t/unmaintained-app-4-4-open-source-andotp-open-source-two-factor-authentication-for-android.3636993/post-87021655 |website=forum.xda-developers.com |access-date=2022-11-09 |date=2022-06-14}}</ref>)
#** Android: Download from [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Google Play]
#* '''[https://mattrubin.me/authenticator/ Authenticator]''' (iOS): free and open-source
#** iOS: Download from the [https://apps.apple.com/us/app/authenticator/id766157276 App Store]
#*[https://ente.io/auth/ '''Ente Auth'''] (Android, iOS): free and open source. Allows viewing (but not adding) 2FA details on web/PC.
#* '''[[FreeOTP]]''' (Android, iOS): free and open-source
#** Android: Download from [https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp Google Play] or [https://f-droid.org/packages/org.fedorahosted.freeotp/index.html.en F-Droid]
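Review bot: the andOTP entry is marked "development discontinued" but still sits in the list of suggested apps next to maintained ones. An unmaintained authenticator will not receive security fixes, so consider dropping it or moving it to a separate note aimed at existing users. Minor style point: the Ente Auth entry puts the bold markup inside the link and writes "open source" without the hyphen, unlike the other entries.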
Line 66:
#*'''Numberstation'''
#**True Linux on mobile (Mobian, Ubuntu Touch, and [[Mobile operating system#Fully open-source, mixed copyleft and permissive licenses| similar OSes]], but ''not'' Android): Install through your [[package manager]], either in the command terminal, or via [[AppStream]] (if you have it installed) with the button [https://linuxphoneapps.org/apps/org.postmarketos.numberstation/ here].
# Go to [[Special:Manage Two-factor authentication]]. Click "Enable" next to "TOTP (one-time token)", and log in with your username and password.
# The recommended authentication method is to scan a [[QR code]] in the app. In "Step 2" of the setup page, there is a box with a pattern which you have to point your device's camera toward. (Your device might ask you for permission to use the camera first.)
#* If you can't scan the QR code, you can enter the "Two-factor authentication secret key" from "Step 2" of the setup page into the app, which gives you the same result.
# Go back to the 2FA enrollment page. '''Write down the [[#
# Type the 6-digit verification code from your app into the 2FA enrollment page under "Step 4".
That's it, you're all set up. '''Now, read "{{pslink|
== Enabling 2FA on desktop and laptop computers ==
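Review bot: the Numberstation entry ends with the link text "here", which says nothing about the target when read out of context, and the entry has no project link or licence note like the other apps in the list. Suggest naming the target in the link text (for example the linuxphoneapps.org listing) and formatting the entry like its neighbours.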
Line 94 ⟶ 93:
# Click "Verify authenticator" and then click "OK".
# Optionally set a password for WinAuth. Click "OK".
# Go back to the 2FA enrollment page. '''Write down the [[#
# Type the 6-digit verification code from WinAuth into the 2FA enrollment page under "Step 4". (Click the refresh button in WinAuth to generate another code.)
That's it, you're all set up. '''Now, read "{{pslink|
=== Authenticator (Linux) ===
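Review bot: the step "Optionally set a password for WinAuth" presents protecting the authenticator as optional, although on a desktop the stored secret key sits on the same machine that is used to log in. Consider rewording the step to recommend setting the password and saying briefly why.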
Line 115 ⟶ 113:
#*# Copy the "Two-factor authentication secret key" from "Step 2" of the setup page and paste it into the "2FA Token" field.
# Click "Add" at the top-right of Authenticator.
# Go back to the 2FA enrollment page. '''Write down the [[#
# Type the 6-digit verification code from Authenticator into the 2FA enrollment page under "Step 4".
# Click "Submit".
That's it, you're all set up. '''Now, read "{{pslink|
=== KeeWeb (Windows, macOS, Linux, online) ===
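Review bot: this sequence ends with a separate 'Click "Submit"' step, while the smartphone and WinAuth sequences stop at typing the code under "Step 4" and go straight to "That's it". Either add the submit step to the other sequences or drop it here so the instructions agree.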
Line 132 ⟶ 130:
# In the right-side pane, click "more...". Then, click "One-time passwords" and click "Enter code manually".
# Copy the "Two-factor authentication secret key" from "Step 2" of the setup page and paste it into the "otp" field in KeeWeb. Press {{keypress|Enter}} on your keyboard.
# Go back to the 2FA enrollment page. '''Write down the [[#
# In KeeWeb, click on "otp" to copy the 6-digit verification code. Paste the code into the 2FA enrollment page under "Step 4".
# Back up your 2FA settings:
Line 139 ⟶ 137:
#* Click "File" to save your 2FA settings onto your computer, or choose one of the other options to sync with [[Dropbox (service)|Dropbox]], [[Google Drive]], [[OneDrive]], or [[WebDAV]].
That's it, you're all set up. '''Now, read "{{pslink|
== Changing your authentication device ==
For any reason you may want to change your authentication device. This could be to move your authentications to a replacement computer or mobile device (for example if you buy a new smartphone). There is not currently a ''transfer'' function,<ref>[[phab:T172079]] is open to request a transfer function</ref>
==
{{shortcut|H:SCRATCH}}
{{ombox
| type = content
| text = '''Important:''' Store your
}}
[[File:Scratch codes in Wikipedia 2FA enrollment.png|thumb|Example of
When you set up 2FA, you'll be given a number of 16-character
* Each
* Don't store these only on your smartphone. If it gets lost you'll lose the codes!
* You still need to follow [[Wikipedia:SECURITY|good security practices]]. Don't use your name, date of birth, or anything that can be guessed in a [[dictionary attack]] as a password. Don't write your password down in a place anyone else can see it, and consider whether or not it's a good idea to log in to your Wikipedia account on public terminals at schools, libraries, and airports.
If for some reason you need to use one or more
If you are totally locked out, regaining access to your account will be very difficult and usually involve proving your identity beyond the shadow of a doubt to [[:meta:Trust and Safety|Wikimedia Trust and Safety]] via {{email|ca|wikimedia.org}}. If {{abbr|T&S|Trust and Safety}} deny your request, it is ''impossible'' to turn 2FA off and you'll have to create a new account.
{{clear}}
=== Generating new
{{shortcut|H:REGENSCRATCH}}
To generate a new batch of
== Logging in with 2FA ==
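Review bot: the KeeWeb backup step at the top of this hunk offers syncing the 2FA settings to Dropbox, Google Drive, OneDrive or WebDAV without saying that the saved file holds the "Two-factor authentication secret key" entered earlier. Suggest adding a sentence that the file has to be protected accordingly, in line with the later warning not to keep the codes in only one place.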
Line 180 ⟶ 174:
#: Because the verification code is time-based, it may change while you're doing this, in which case you'll have to add the latest code instead. The application will normally indicate when a code is about to expire (e.g. in Google Authenticator, the code's colour changes from blue to red).
If you need to use a [[#
===Mobile app===
Line 186 ⟶ 180:
For the iOS and Android versions of the [[H:MOBILEAPP|mobile app]], when prompted for the verification code, you'll need to follow a similar process to the web interface.
If you need to use a
=== API access ===
*Most API logon clients such as [[Wikipedia:AutoWikiBrowser|AutoWikiBrowser]] and [[Wikipedia:Huggle|Huggle]] do not support 2FA, instead users
*Special client [[mw:API:Login#Example_2:_Process_for_a_wiki_with_special_authentication_extensions|configuration]] to use the API is needed for two-factor authentication.
Line 195 ⟶ 189:
{{shortcut|H:DISABLE2FA}}
[[File:Disabling 2FA on Wikipedia.webm|thumb|left|Disabling 2FA]]
If you no longer want to use 2FA, go to [[Special:Manage Two-factor authentication]] and you'll be given the option to disable it. You'll need to enter a 6-digit verification code, just as you would when logging in. Alternatively enter one of your 16-character
To change your 2FA app or device, just disable 2FA and then follow the instructions at "{{pslink|Enabling 2FA on smartphones and tablet computers}}" or "{{pslink|Enabling 2FA on desktop and laptop computers}}" to enable it again.
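Review bot: the last paragraph tells readers to change their app or device by disabling and re-enabling 2FA, which duplicates the purpose of the "Changing your authentication device" section and does not mention that the account has no 2FA between the two steps. Suggest linking to that section from here and keeping the procedure in one place.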
Line 211 ⟶ 205:
=== Clock drift ===
If your 2FA device's [[Clock drift|clock becomes too inaccurate]], it will generate the wrong verification codes and you will not be able to log in. To prevent this, the 2FA device's clock should be kept reasonably accurate. Most smartphones and computers keep the clock in sync when they are connected to the Internet, and you will most likely not have to do anything as long as your device is online.
=== Users who are not in certain user groups ===
Currently users who are not Administrators <ref>Additionally, [[Wikipedia:Bureaucrats|bureaucrats]], [[Wikipedia:CheckUser|checkusers]], [[Wikipedia:Interface administrators|interface administrators]], and [[Wikipedia:Oversight|oversighters]] have access, but these groups normally only include administrators.</ref>
Edit filter managers, Page movers, and/or Template editors will have to submit a request at [[:m:Steward requests/Global permissions#Requests for 2 Factor Auth tester permissions]] to obtain access to 2FA (see [[m:Steward requests/Global permissions/2022-12#Requests_for_2_Factor_Auth_tester_permissions|request examples]]) this means most users will have to submit a request there.
== WebAuthn ==
[[File:Two-factor authentication on Wikimedia as of 2025 with WebAuthn screenshot.webp|thumb|Configuring WebAuthn as two-factor authentication]]
[[mw:Extension:WebAuthn|WebAuthn]] is another two-factor mechanism that may be enabled; it is currently not recommended as there is [[phab:T244348|no recovery mechanism]] for lost keys and it has less support from community volunteers. If you use WebAuthn and have a technical issue, you may lose access to your account forever.
WebAuthn is not currently supported on the mobile apps (see [[phab:T230043|T230043]]).
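Review bot: the section "Users who are not in certain user groups" repeats the group list, the footnote and the Steward requests link that the access section near the top of the page already gives, and its sentence runs on at "this means most users". Suggest replacing the section with a short pointer to the access section, or reusing the footnote as a named reference so the two copies cannot drift apart. The "Clock drift" paragraph would also benefit from saying how readers can check or resync the clock, since "too inaccurate" is not quantified.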