Help:Two-factor authentication: Difference between revisions

API access: broader
Replace "scratch code" -> "recovery code" per phab:T354031
Line 2:
{{Infopage|H:2FA|WP:2FA}}
{{nutshell|Administrators and editors with advanced permissions should ideally enable two-factor authentication for account security, and can do so by following this guide.}}
{{warning|'''Particular attention''' should be paid to the section of this guide on [[H:SCRATCH#Recovery codes|scratchrecovery codes]] — if you don't keep these codes and encounter a problem with your 2FA device, you will be locked out of your account.}}
[[File:Différents modèles de lecteurs de cartes bancaires.jpg|thumb|240px|2FA is like a software version of the [[security token]] devices used for online banking in some countries.]]
'''[[Multi-factor authentication|Two-factor authentication]]''' ('''2FA''') is a method of adding additional security to your account. The first "factor" is your usual password that is standard for any account. The second "factor" is a verification code retrieved from an app on a mobile device or computer. 2FA is conceptually similar to a [[security token]] device that banks in some countries require for [[online banking]]. Other names for 2FA systems include ''OTP'' (''[[one-time password]]'') and ''TOTP'' (''[[Time-based One-time Password algorithm]]'').
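Review bot: the warning's link `[[H:SCRATCH#Recovery codes|recovery codes]]` mixes the old name (the H:SCRATCH shortcut, which this edit leaves as `{{shortcut|H:SCRATCH}}` further down) with the new section anchor, so it only works as long as that redirect keeps pointing at this page; the later hunks use a plain in-page link, so `[[#Recovery codes|recovery codes]]` here would be consistent with them and would not depend on the redirect.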
Line 69:
# The recommended authentication method is to scan a [[QR code]] in the app. In "Step 2" of the setup page, there is a box with a pattern which you have to point your device's camera toward. (Your device might ask you for permission to use the camera first.)
#* If you can't scan the QR code, you can enter the "Two-factor authentication secret key" from "Step 2" of the setup page into the app, which gives you the same result.
# Go back to the 2FA enrollment page. '''Write down the [[#Scratchrecovery codes|scratchrecovery codes]] from "Step 3" and keep them in a secure ___location.'''
# Type the 6-digit verification code from your app into the 2FA enrollment page under "Step 4".
 
That's it, you're all set up. '''Now, read "{{pslink|ScratchRecovery codes}}".'''
 
== Enabling 2FA on desktop and laptop computers ==
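Review bot: the step-3 link in this hunk is written `[[#recovery codes|recovery codes]]` with a lowercase r, whereas the same step in the WinAuth, Authenticator and KeeWeb hunks uses `[[#Recovery codes|...]]`; section anchors follow the heading's capitalisation and fragment matching is case-sensitive, so change it to `[[#Recovery codes|recovery codes]]` or the link will not scroll to the section.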
Line 93:
# Click "Verify authenticator" and then click "OK".
# Optionally set a password for WinAuth. Click "OK".
# Go back to the 2FA enrollment page. '''Write down the [[#ScratchRecovery codes|scratchrecovery codes]] from "Step 3" and keep them in a secure ___location.'''
# Type the 6-digit verification code from WinAuth into the 2FA enrollment page under "Step 4". (Click the refresh button in WinAuth to generate another code.)
 
That's it, you're all set up. '''Now, read "{{pslink|ScratchRecovery codes}}".'''
 
=== Authenticator (Linux) ===
Line 113:
#*# Copy the "Two-factor authentication secret key" from "Step 2" of the setup page and paste it into the "2FA Token" field.
# Click "Add" at the top-right of Authenticator.
# Go back to the 2FA enrollment page. '''Write down the [[#ScratchRecovery codes|scratchrecovery codes]] from "Step 3" and keep them in a secure ___location.'''
# Type the 6-digit verification code from Authenticator into the 2FA enrollment page under "Step 4".
# Click "Submit".
 
That's it, you're all set up. '''Now, read "{{pslink|ScratchRecovery codes}}".'''
 
=== KeeWeb (Windows, macOS, Linux, online) ===
Line 130:
# In the right-side pane, click "more...". Then, click "One-time passwords" and click "Enter code manually".
# Copy the "Two-factor authentication secret key" from "Step 2" of the setup page and paste it into the "otp" field in KeeWeb. Press {{keypress|Enter}} on your keyboard.
# Go back to the 2FA enrollment page. '''Write down the [[#ScratchRecovery codes|scratchrecovery codes]] from "Step 3" and keep them in a secure ___location.'''
# In KeeWeb, click on "otp" to copy the 6-digit verification code. Paste the code into the 2FA enrollment page under "Step 4".
# Back up your 2FA settings:
Line 137:
#* Click "File" to save your 2FA settings onto your computer, or choose one of the other options to sync with [[Dropbox (service)|Dropbox]], [[Google Drive]], [[OneDrive]], or [[WebDAV]].
 
That's it, you're all set up. '''Now, read "{{pslink|ScratchRecovery codes}}".'''
 
== Changing your authentication device ==
For any reason you may want to change your authentication device. This could be to move your authentications to a replacement computer or mobile device (for example if you buy a new smartphone). There is not currently a ''transfer'' function,<ref>[[phab:T172079]] is open to request a transfer function</ref> however you may accomplish this by [[#Disabling_2FA|turning off 2FA]], and then re-enrolling with your new device.
 
== ScratchRecovery codes ==
{{shortcut|H:SCRATCH}}
{{ombox
| type = content
| text = '''Important:''' Store your scratchrecovery codes offline in a safe place to ensure that you won't get locked out of your account if your 2FA device fails.
}}
 
[[File:Scratch codes in Wikipedia 2FA enrollment.png|thumb|Example of scratchrecovery codes|right]]
When you set up 2FA, you'll be given a number of 16-character scratchrecovery codes, each consisting of four alphanumeric blocks. You can [[#Logging in with 2FA|use one of the scratchrecovery codes]] if you lose access to your 2FA app (e.g. if your phone or computer gets broken or stolen). ''You only see these codes while setting up 2FA (and never again)'', so copy them from your browser and save them offline in a safe place (e.g. on a [[USB flash drive|memory stick]] or paper printout). '''If you don't keep these codes and encounter a problem with your 2FA device, you will be locked out of your account.'''
* Each scratchrecovery code can only be used one time, and it takes two of them to turn off 2FA (the first to log in without 2FA, and the second to shut off 2FA after logging in).
* Don't store these only on your smartphone. If it gets lost you'll lose the codes!
* You still need to follow [[Wikipedia:SECURITY|good security practices]]. Don't use your name, date of birth, or anything that can be guessed in a [[dictionary attack]] as a password. Don't write your password down in a place anyone else can see it, and consider whether or not it's a good idea to log in to your Wikipedia account on public terminals at schools, libraries, and airports.
 
If for some reason you need to use one or more scratchrecovery codes or feel that they have been compromised, you should generate a new set at your earliest convenience (especially if you are down to three or fewer remaining).
 
If you are totally locked out, regaining access to your account will be very difficult and usually involve proving your identity beyond the shadow of a doubt to [[:meta:Trust and Safety|Wikimedia Trust and Safety]] via {{email|ca|wikimedia.org}}. If {{abbr|T&S|Trust and Safety}} deny your request, it is ''impossible'' to turn 2FA off and you'll have to create a new account.
{{clear}}
 
=== Generating new scratchrecovery codes ===
{{shortcut|H:REGENSCRATCH}}
 
To generate a new batch of scratchrecovery codes, simply [[H:DISABLE2FA|disable]] and then [[H:ENABLE2FA|re-enable]] two-factor authentication. This will void all of your old scratchrecovery codes and create a new batch. Doing this will also void any devices you currently have configured, requiring you to set up the device again, or use a new device.
 
== Logging in with 2FA ==
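Review bot: renaming the headings to `== Recovery codes ==` and `=== Generating new recovery codes ===` changes their anchors, so every existing link to `#Scratch codes` or `#Generating new scratch codes` (including whatever the `{{shortcut|H:SCRATCH}}` and `{{shortcut|H:REGENSCRATCH}}` redirects currently target, which this edit does not change) will stop landing on the section; add `{{anchor|Scratch codes}}` and `{{anchor|Generating new scratch codes}}` directly under the new headings and retarget the two shortcut redirects to the new anchors.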
Line 174:
#: Because the verification code is time-based, it may change while you're doing this, in which case you'll have to add the latest code instead. The application will normally indicate when a code is about to expire (e.g. in Google Authenticator, the code's colour changes from blue to red).
 
If you need to use a [[#ScratchRecovery codes|scratchrecovery code]], enter it in place of the verification code. ScratchRecovery codes are [[case-sensitive]] and need to be entered in [[all caps]]. A scratchrecovery code will work either with or without the spaces between the clusters of characters.
 
===Mobile app===
Line 180:
For the iOS and Android versions of the [[H:MOBILEAPP|mobile app]], when prompted for the verification code, you'll need to follow a similar process to the web interface.
 
If you need to use a scratchrecovery code, first choose to use a backup code, and then enter the scratchrecovery code. ScratchRecovery codes are case-sensitive and must be entered in all caps. The spaces separating the clusters of characters in the scratchrecovery code are optional.
 
=== API access ===
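Review bot: the mobile-app paragraph now reads "first choose to use a backup code, and then enter the recovery code", which leaves two names for the same thing without saying they are the same; make it explicit, e.g. "choose the option to use a backup code (the app's name for a recovery code), then enter the recovery code", so readers do not go looking for a separate code.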
Line 189:
{{shortcut|H:DISABLE2FA}}
[[File:Disabling 2FA on Wikipedia.webm|thumb|left|Disabling 2FA]]
If you no longer want to use 2FA, go to [[Special:Manage Two-factor authentication]] and you'll be given the option to disable it. You'll need to enter a 6-digit verification code, just as you would when logging in. Alternatively enter one of your 16-character scratchrecovery codes. After this, 2FA will be turned off on your account.
 
To change your 2FA app or device, just disable 2FA and then follow the instructions at "{{pslink|Enabling 2FA on smartphones and tablet computers}}" or "{{pslink|Enabling 2FA on desktop and laptop computers}}" to enable it again.