Help:Two-factor authentication/sd: Difference between revisions

* <span lang="en" dir="ltr" class="mw-content-ltr">Have <code>(oathauth-enable)</code> access (by default, available to administrators, bureaucrats, suppressors, check users and other privileged user groups)</span>

* <span lang="en" dir="ltr" class="mw-content-ltr">Have or install a [[:w:en:Time-based One-time Password Algorithm|Time-based One-time Password Algorithm]] (TOTP) client. For most users, this will be a phone or tablet application. CommonlyAny recommendedcompliant appsapplication may be used, some popular ones include:</span>

** <span lang="en" dir="ltr" class="mw-content-ltr">Open-source: [https://github.com/beemdevelopment/Aegis Aegis] (Android, F-Droid), [https://freeotp.github.io/ FreeOTP] (Android, F-Droid, iOS), [https://github.com/andOTPtwofas 2FAS] ([https://github.com/twofas/andOTP#andotp---2fas-android Android], [https://github.com/twofas/2fas-otp-ios iOS]), [https://bitwarden.com/products/authenticator/ andOTPBitwarden Authenticator] ([https://github.com/bitwarden/authenticator-android Android], [https://github.com/bitwarden/authenticator-ios iOS]), [https://mattrubin.me/authenticator/ Authenticator] (iOS), [https://authenticator.cc/ Authenticator.cc] (Chrome, Firefox & Edge), [https://passman.cc/ Passman] (NextCloud), [https://keepassxc.org/ KeePassXC] (Linux, macOS, Windows)</span>

** <span lang="en" dir="ltr" class="mw-content-ltr">Closed-source: [https://authy.com/download/ Authy] (Android, iOS, macOS, Windows), [[:w:en:Google Authenticator|Google Authenticator]] ([https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_GB Android] [https://itunes.apple.com/gb/app/google-authenticator/id388497605?mt=8 iOS]) and authenticator apps from most other large tech firms</span>

** <span lang="en" dir="ltr" class="mw-content-ltr">[[:w:en:Special:PermaLink/884895095#Authenticated_implementationsComparison of OTP applications|otherGeneral clientscomparison comparedof atmany Englishcommon WikipediaOTP applications]] which could be used as TOTP client for 2FA (English Wikipedia)</span>

** <span lang="en" dir="ltr" class="mw-content-ltr">Password managers such as 1Password,[https://bitwarden.com/ LastPassBitwarden], and[https://keepass.info/ KeePass] and [https://proton.me/pass Proton Pass] also tend to support/have plugins to support TOTP. This bears the same limitations as the above, but may be worth looking into if you already use one for other things.</span> [[{{lm|OATHAuth enable link|png}}|thumb|<span lang="en" dir="ltr" class="mw-content-ltr">Overview of preferences section to enable two-factor authentication.</span>]]

* <span lang="en" dir="ltr" class="mw-content-ltr">Go to [[Special:OATH]] '''on the project you hold one of the above rights on''' (this link is also available from your [[Special:Preferences#mw-prefsection-personal|preferences]]). ''(For most users, this will not be here on the meta-wiki.)''</span>

{{Caution|1=<span lang="en" dir="ltr" class="mw-content-ltr">WARNING: You will also be presented with a series of 10 one-time scratch[[#Recovery codes|recovery and a QR code to scan only one timecodes]]. '''You should print and safely store a copy of this page'''. If you lose or have a problem with your TOTP client, you will be locked out of your account unless you have access to these codes or the QR code to set up a different device.</span>}}

* Provide your username and password, and submit as before.

* Enter in a one-time six digit authentication code as provided by the TOTP client. Note: This code changes about every thirty seconds. If your code keeps getting rejected, check that the time on your device where your auth app is installed is correct.

If you choose this option when logging in, you normally will not need to enter an authentication code when using the same browser. Actions such as logging out or clearing the browser cachecookies will require a code on your next login.

{{Caution|1=<span lang="en" dir="ltr" class="mw-content-ltr">If you already have 2FA enabled, removing the permission that allows you to enroll in 2FA '''WILL NOT''' disable 2FA. You need to follow the process below to disable it.</span>}}

[[{{lm|Enroll-Step3|png}}|thumb|<span lang="en" dir="ltr" class="mw-content-ltr">OATH example scratchrecovery codes</span>]]

When enrolling in two-factor authentication, you will be provided with a list of ten one-time scratchrecovery codes. '''Please print those codes and store them in a safe place, as you may need to use them in case you lose access to your 2FA device.''' It is important to note that each of these codes is '''single use'''; it may only ever be used once and then expires. After using one, you can scratch it through with a pen or otherwise mark that the code has been used. To generate a new set of codes, you will need to disable and re-enable two-factor authentication.

This may require '''two''' scratchrecovery codes: one to log in, and another to disable. Should you ever need to use any of your scratchrecovery codes, it is advisable to disable and re-enable to generate a fresh set of codes as soon as possible.

You will need access to the scratchrecovery codes that you were provided when enrolling in order to un-enroll from two-factor authentication. It will require you to use up to '''two''' scratchrecovery codes to accomplish this:

* You need to be logged in. If you are not already logged in, this will require use of a scratchrecovery code.

* Visit [[Special:OATH]] and use a different scratchrecovery code to disable two-factor authentication.

If you don't have enough scratchrecovery codes, you may contact [[Special:MyLanguage/Trust and Safety|Trust and Safety]] at ca{{@}}wikimedia.org to request removal of 2FA from your account (please send an email using your registered email address of your wiki account). You should also create a task on [[phab:|Phabricator]] if you still have access to it. Please note, 2FA removal by staff is not always granted.

See [[wikitech:Password and 2FA reset#For users]] for instructions on requesting 2FA removal for your [[mw:Special:MyLanguage/Developer account|Developer account]].

Please note, most of the directions on this page are specific to the TOTP method. The [[{{lwp|WebAuthn}}|WebAuthn]] method is more experimental and currently has no recovery options (c.fcf. [[phab:T244348|related developer task]]). WebAuthn has a known issue that you must make future logons on the same project that you initiate it from ([[phab:T244088|tracking task]]). WebAuthn is not currently available for use via mobile apps ([[phab:T230043|T230043]]).

</div>

* The [[:w:en:Multi-factor authentication|Englishconcept Wikipediaof articlemulti-factor authentication]] in the English Wikipedia and a [[d:Q7878662|Wikidata item]] about the concept of multi-factor authenticationit

* [https://phabricator.wikimedia.org/tag/mediawiki-extensions-oathauth Known bugs and requested improvements] of Wikimedia's two-factor authentication are collaborated on and tracked in Phabricator.