Wikimedia Meta-Wiki

Help:Two-factor authentication/gl: Difference between revisions

Browse history interactively
← Older edit
Content deleted Content added
VisualWikitext
FuzzyBot (talk | contribs)
Bots
2,029,885 edits
Updating to match new version of source page
FuzzyBot (talk | contribs)
Bots
2,029,885 edits
Updating to match new version of source page
 
(44 intermediate revisions by the same user not shown)
Line 1:
<languages/>
{{process header
| title = <divspan lang="en" dir="ltr" class="mw-content-ltr">Two-factor authentication help</span>
Two-factor authentication help
</div>
| section =
| previous = &larr;[[Special:MyLanguage/Help:Contents|<divspan lang="en" dir="ltr" class="mw-content-ltr">Help pages</span>]]
Help pages
</div>]]
| next =
| shortcut = [[m:H:2FA|H:2FA]]
| notes = <divspan lang="en" dir="ltr" class="mw-content-ltr">This page explains two-factor authentication on Wikimedia Foundation wikis. You may also read [[mw:Special:MyLanguage/Extension:OATHAuth|documentation of the extension]] that adds this functionality.</span>
This page explains two-factor authentication on Wikimedia Foundation wikis. For documentation of the extension that adds this functionality, see [[mw:Extension:OATHAuth]].
</div>
}}
 
<div lang="en" dir="ltr" class="mw-content-ltr">
Wikimedia's implementation of '''two-factor authentication''' ('''2FA''') is a way to strengthen the security of your account. If you enable [[:en:{{lwp|Two-factor authentication}}|two-factor authentication]], you will be asked for a one-time six-digit authentication code every time in addition to your password. This code is provided by an app on your [[:en:{{lwp|smartphone}}|smartphone]] or other authentication device. In order to log in, you must know your password and have your authentication device available to generate the code.
</div>
 
Line 25 ⟶ 19:
<div lang="en" dir="ltr" class="mw-content-ltr">
Two-factor authentication on Wikimedia is currently experimental and optional (with some exceptions). Enrollment requires <code>(oathauth-enable)</code> access, currently in production testing with [[Special:MyLanguage/Administrators|administrators]] (and users with admin-like permissions like [[Special:MyLanguage/interface editors|interface editors]]), [[Special:MyLanguage/bureaucrats|bureaucrats]], [[Special:MyLanguage/Checkuser policy|checkusers]], [[Special:MyLanguage/Oversight policy|oversighters]], [[Special:MyLanguage/Stewards|stewards]], [[Special:MyLanguage/Global_permissions#Abuse_filter|edit filter managers]] and the [[Special:GlobalUsers/oathauth-tester|OATH-testers global group]].
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
[[Wikitech:|Wikitech]] LDAP accounts are also eligible.
</div>
 
Line 34 ⟶ 24:
=== Mandatory use user groups ===
</div>
* <span lang="en" dir="ltr" class="mw-content-ltr">[[:Category:Global userUser groups that require two-factor authentication|Groups requiring two-factor authentication]]</span>
 
* <span lang="en" dir="ltr" class="mw-content-ltr">May 2025 announcement: [[Special:MyLanguage/Mandatory two-factor authentication for users with some extended rights|Mandatory two-factor authentication for users with some extended rights]]</span>
<div lang="en" dir="ltr" class="mw-content-ltr">
* [[:Category:Global user groups that require two-factor authentication|Groups requiring two-factor authentication]]
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
Line 43 ⟶ 31:
</div>
 
* <divspan lang="en" dir="ltr" class="mw-content-ltr">Have <code>(oathauth-enable)</code> access (by default, available to administrators, bureaucrats, suppressors, check users and other privileged user groups)</span>
* <span lang="en" dir="ltr" class="mw-content-ltr">Have or install a [[:w:en:Time-based One-time Password Algorithm|Time-based One-time Password Algorithm]] (TOTP) client. For most users, this will be a phone or tablet application. CommonlyAny compliant application may be used, some recommendedpopular appsones include:</span>
* Have <code>(oathauth-enable)</code> access
** <span lang="en" dir="ltr" class="mw-content-ltr">Open-source: [https://github.com/beemdevelopment/Aegis Aegis] (Android, F-Droid), [https://freeotp.github.io/ FreeOTP] (Android, F-Droid, iOS), [https://github.com/twofas 2FAS] ([https://github.com/twofas/2fas-android Android], [https://github.com/twofas/2fas-ios iOS]), [https://bitwarden.com/products/authenticator/ Bitwarden Authenticator] ([https://github.com/bitwarden/authenticator-android Android], [https://github.com/bitwarden/authenticator-ios iOS]), [https://mattrubin.me/authenticator/ Authenticator] (iOS), [https://authenticator.cc/ Authenticator.cc] (Chrome, Firefox & Edge), [https://passman.cc/ Passman] (NextCloud), [https://keepassxc.org/ KeePassXC] (Linux, macOS, Windows)</span>
</div>
** <span lang="en" dir="ltr" class="mw-content-ltr">Closed-source: [https://authy.com/download/ Authy] (Android, iOS, macOS, Windows), [[:w:en:Google Authenticator|Google Authenticator]] ([https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_GB Android] [https://itunes.apple.com/gb/app/google-authenticator/id388497605?mt=8 iOS]) and authenticator apps from most other large tech firms</span>
<div lang="en" dir="ltr" class="mw-content-ltr">
** <span lang="en" dir="ltr" class="mw-content-ltr">[[:w:en:Comparison of OTP applications|General comparison of many common OTP applications]] which could be used as TOTP client for 2FA (English Wikipedia)</span>
* Have or install a [[:w:en:Time-based One-time Password Algorithm|Time-based One-time Password Algorithm]] (TOTP) client. For most users, this will be a phone or tablet application. Commonly recommended apps include:
** <span lang="en" dir="ltr" class="mw-content-ltr">You can also use a desktop client such as the [https://www.nongnu.org/oath-toolkit/ OATH Toolkit] (Linux, macOS via Homebrew), or [https://github.com/winauth/winauth WinAuth] (Windows). Keep in mind that if you log in from the computer used to generate TOTP codes, this approach does not protect your account if an attacker gains access to your computer.</span>
</div>
** <span lang="en" dir="ltr" class="mw-content-ltr">Password managers such as [https://bitwarden.com/ Bitwarden], [https://keepass.info/ KeePass] and [https://proton.me/pass Proton Pass] also tend to support/have plugins to support TOTP. This bears the same limitations as the above, but may be worth looking into if you already use one for other things.</span> [[{{lm|OATHAuth enable link|png}}|thumb|<span lang="en" dir="ltr" class="mw-content-ltr">Overview of preferences section to enable two-factor authentication</span>]]
<div lang="en" dir="ltr" class="mw-content-ltr">
* <span lang="en" dir="ltr" class="mw-content-ltr">Go to [[Special:OATH]] '''on the project you hold one of the above rights on''' (this link is also available from your [[Special:Preferences#mw-prefsection-personal|preferences]]). ''(For most users, this will not be here on the meta-wiki.)''</span>
** Open-source: [https://freeotp.github.io/ FreeOTP] (Android, iOS), [https://github.com/andOTP/andOTP#andotp----android-otp-authenticator andOTP] (Android), [https://mattrubin.me/authenticator/ Authenticator] (iOS), [https://authenticator.cc/ Authenticator.cc](Chrome,Firefox & Edge), [https://passman.cc/ Passman] (NextCloud)
* <span lang="en" dir="ltr" class="mw-content-ltr">[[Special:OATH]] presents you with a [[:w:en:{{lwp|QR code}}|QR code]] containing the '''Two-factor account name''' and '''Two-factor secret key.''' This is needed to pair your client with the server.</span>
</div>
* <divspan lang="en" dir="ltr" class="mw-content-ltr">Scan the QR code with, or enter the two-factor account name and key into, your TOTP client.</span>
* <span lang="en" dir="ltr" class="mw-content-ltr">Enter the authentication code from your TOTP client into the OATH screen to complete the enrollment.</span>
** Closed-source: [https://authy.com/download/ Authy] (Android, iOS, macOS, Windows), [[:w:en:Google Authenticator|Google Authenticator]] ([https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_GB Android] [https://itunes.apple.com/gb/app/google-authenticator/id388497605?mt=8 iOS])
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
** [[:w:en:Special:PermaLink/884895095#Authenticated_implementations|other clients compared at English Wikipedia]]
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
** You can also use a desktop client such as the [https://www.nongnu.org/oath-toolkit/ OATH Toolkit] (Linux, macOS via Homebrew), or [https://github.com/winauth/winauth WinAuth] (Windows). Keep in mind that if you log in from the computer used to generate TOTP codes, this approach does not protect your account if an attacker gains access to your computer.
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
** Password managers such as 1Password, LastPass, and KeePass also tend to support/have plugins to support TOTP. This bears the same limitations as the above, but may be worth looking into if you already use one for other things.
</div>
[[{{lm|OATHAuth enable link|png}}|thumb|<span lang="en" dir="ltr" class="mw-content-ltr">Overview of preferences section to enable two-factor authentication.</span>]]
<div lang="en" dir="ltr" class="mw-content-ltr">
* Go to [[Special:OATH]] '''on the project you hold one of the above rights on''' (this link is also available from your [[Special:Preferences#mw-prefsection-personal|preferences]]). ''(For most users, this will not be here on the meta-wiki.)''
</div>
 
{{Caution|1=<span lang="en" dir="ltr" class="mw-content-ltr">WARNING: You will also be presented with a series of 10 one-time scratch[[#Recovery codes|recovery and a QR code to scan only one timecodes]]. '''You should print and safely store a copy of this page'''. If you lose or have a problem with your TOTP client, you will be locked out of your account unless you have access to these codes or the QR code to set up a different device.</span>}}
<div lang="en" dir="ltr" class="mw-content-ltr">
* [[Special:OATH]] presents you with a [[:w:en:QR code|QR code]] containing the '''Two-factor account name''' and '''Two-factor secret key.''' This is needed to pair your client with the server.
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
* Scan the QR code with, or enter the two-factor account name and key into, your TOTP client.
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
* Enter the authentication code from your TOTP client into the OATH screen to complete the enrollment.
</div>
{{Caution|<div lang="en" dir="ltr" class="mw-content-ltr">
WARNING: You will also be presented with a series of 10 one-time scratch codes and a QR code to scan only one time. '''You should print and safely store a copy of this page'''. If you lose or have a problem with your TOTP client, you will be locked out of your account unless you have access to these codes or the QR code to set up a different device.
</div>}}
{{clear}}
 
<div lang="en" dir="ltr" class="mw-content-ltr">
== Logging in ==
</div>
[[{{lm|TOTP login|png}}|thumb|right|<span lang="en" dir="ltr" class="mw-content-ltr">Login screen</span>]]
<div lang="en" dir="ltr" class="mw-content-ltr">
* Provide your username and password, and submit as before.
* Enter in a one-time six digit authentication code as provided by the TOTP client. Note: This code changes about every thirty seconds. If your code keeps getting rejected, check that the time on your device where your auth app is installed is correct.
</div>
 
Line 99 ⟶ 59:
 
<div lang="en" dir="ltr" class="mw-content-ltr">
If you choose this option when logging in, you normally will not need to enter an authentication code when using the same browser. Actions such as logging out or clearing the browser cachecookies will require a code on your next login.
</div>
 
Line 119 ⟶ 79:
 
<div lang="en" dir="ltr" class="mw-content-ltr">
For example, tools like [[w:en:{{lwp|Wikipedia:AutoWikiBrowser}}|AutoWikiBrowser]] (AWB) do not yet support two-factor authentication, but can use bot passwords. ForYou furthermay information on how to configure this seefind [[w:{{lwp|Wikipedia:Using AWB with 2FA}}|Wikipedia:Usingfurther AWBinformation withon 2FA]]<!--how notto translatingconfigure link as English language page -->this]].
</div>
{{clear}}
 
<div lang="en" dir="ltr" class="mw-content-ltr">
== Disabling two-factor authentication ==
Line 128 ⟶ 87:
[[{{lm|LostOATH-2|png}}|thumb|<span lang="en" dir="ltr" class="mw-content-ltr">Unenrolling</span>]]
 
{{Caution|1=<span lang="en" dir="ltr" class="mw-content-ltr">If you already have 2FA enabled, removing the permission that allows you to enroll in 2FA '''WILL NOT''' disable 2FA. You need to follow the process below to disable it.</span>}}
{{Caution|
<span lang="en" dir="ltr" class="mw-content-ltr">If you already have 2FA enabled, removing the permission that allows you to enroll 2FA '''WILL NOT''' disable 2FA. You need to follow the process below to disable it.</span>}}
<div lang="en" dir="ltr" class="mw-content-ltr">
* Go to [[Special:OATH]] or [[Special:Preferences#mw-prefsection-personal|preferences]]. If you are no longer in groups that are permitted to enroll, you can still disable via [[Special:OATH]].
</div>
 
* <span lang="en" dir="ltr" class="mw-content-ltr">Go to [[Special:OATH]] or [[Special:Preferences#mw-prefsection-personal|preferences]]. If you are no longer in groups that are permitted to enroll, you can still disable via [[Special:OATH]].</span>
<div lang="en" dir="ltr" class="mw-content-ltr">
* <span lang="en" dir="ltr" class="mw-content-ltr">On the <u>disable two-factor authentication</u> page, use your authentication device to generate a code to complete the process.</span>
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
== ScratchRecovery codes ==
</div>
[[{{lm|Enroll-Step3|png}}|thumb|<span lang="en" dir="ltr" class="mw-content-ltr">OATH example scratchrecovery codes</span>]]
<div class="mw-translate-fuzzy">
Cando matricules en dobre factor de autentificación, terás unha lista con cinco esfoladuras de códigos temporais. '''Fai o favor de imprimir esos códigos e gardalos en lugar seguro, cando no caso os necesites usar perdes o acceso ao dispositivo 2FA'''. Ven sendo importante anotar cada un deses códigos coma '''uso único'''; pode que nunca sexa utilizado e expire. Despois de usalo, tachalo cun boli ou outra marca como código expirado. Xera un novo xogo de códigos, necesitarás desactivar e rehabilitar dobre factor de autentificación.
Line 151 ⟶ 105:
 
<div lang="en" dir="ltr" class="mw-content-ltr">
This may require '''two''' scratchrecovery codes: one to log in, and another to disable. Should you ever need to use any of your scratchrecovery codes, it is advisable to disable and re-enable to generate a fresh set of codes as soon as possible.
</div>
 
Line 163 ⟶ 117:
 
<div lang="en" dir="ltr" class="mw-content-ltr">
You will need access to the scratchrecovery codes that you were provided when enrolling in order to un-enroll from two-factor authentication. It will require you to use up to '''two''' scratchrecovery codes to accomplish this:
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
* You need to be logged in. If you are not already logged in, this will require use of a scratchrecovery code.
* Visit [[Special:OATH]] and use a different scratchrecovery code to disable two-factor authentication.
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
If you don't have enough scratchrecovery codes, you may contact [[Special:MyLanguage/Trust and Safety|Trust and Safety]] at ca{{@}}wikimedia.org to request removal of 2FA from your account (please send an email using your registered email address of your wiki account). You should also create a task on [[phab:|Phabricator]] if you still have access to it. Please note, 2FA removal by staff is not always granted.
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
See [[wikitech:Password and 2FA reset#For users]] for instructions on requesting 2FA removal for your [[mw:Special:MyLanguage/Developer account|Developer account]].
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
== Web Authentication Method ==
</div>
Please note, most of the directions on this page are specific to the TOTP method. The WebAuthn method is more experimental and currently has no recovery options (c.f. [[phab:T244348]]).
 
</div>
<div lang="en" dir="ltr" class="mw-content-ltr">
Please note, most of the directions on this page are specific to the TOTP method. The [[{{lwp|WebAuthn}}|WebAuthn]] method is more experimental and currently has no recovery options (cf. [[phab:T244348|related developer task]]). WebAuthn has a known issue that you must make future logons on the same project that you initiate it from ([[phab:T244088|tracking task]]). WebAuthn is not currently available for use via mobile apps ([[phab:T230043|T230043]]).
</div>]]
 
<div lang="en" dir="ltr" class="mw-content-ltr">
Line 189 ⟶ 146:
 
<div lang="en" dir="ltr" class="mw-content-ltr">
* The [[:w:en:Multi-factor authentication|Englishconcept Wikipediaof articlemulti-factor authentication]] in the English Wikipedia and a [[d:Q7878662|Wikidata item]] about the concept of multi-factor authenticationit
* [https://phabricator.wikimedia.org/tag/mediawiki-extensions-oathauth Known bugs and requested improvements] of Wikimedia's two-factor authentication are collaborated on and tracked in Phabricator.
* [[mw:Special:MyLanguage/Extension:OATHAuth|OATHAuth]] is the MediaWiki extension used for this functionality
* [[mw:Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis|Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis]]
* [[mw:Special:MyLanguage/Help:Two-factor authentication|Help:Two-factor authentication]] in the MediaWiki.org
</div>
 
{{user groups}}
[[Category:MediaWiki extensions{{#translation:}}|Email confirmation]]
 
[[Category:Security]]
[[Category:MediaWiki extensionsSecurity{{#translation:}}|Email confirmation]]
[[Category:Handbook Wikimedia-specific]]
Retrieved from "https://meta.wikimedia.org/wiki/Help:Two-factor_authentication/gl"