|This page in a nutshell: Administrators should ideally have enabled two-factor authentication, and can do so by following this guide|
What is 2FA?
2FA is a little bit like using one of these. Since the Wikimedia Foundation
isn't going to mail a keycode device to all the Administrators
, we'll need to improvise a bit.
2FA, or two-factor authentication, is a way of adding additional security on your account. The first "factor" is your usual password that is standard for any account, the second is a code retrieved from an external device such as a smartphone, or a program on your computer. It is conceptually similar to a keycode device you may have to use when logging into internet banking.
The technical name for this is "Time-based One-time Password algorithm" (TOTP).
Why on earth do I need this?
It is really important for users with advanced rights to keep their account secure. In November 2016, a number of Wikipedia administrators (including the co-founder, Jimbo Wales) had their accounts compromised, which were then used to vandalise the encyclopedia. As well as causing widespread disruption, the affected administrators' accounts were locked so they couldn't do anything until it was beyond doubt they had regained control.
On the English Wikipedia, the following groups can use 2FA:
Normal users can also submit a request here to be granted access to 2FA.
You'll already know if you're in one of these groups because you'll have asked to be in the group. If you don't recognise any of these terms, you probably can't use 2FA for now. Note that users with advanced rights on other projects, including test wikis hosted by Wikimedia, can also enable 2FA from those projects.
How to enable 2FA, the simple way (smartphone)
This is what a typical QR code looks like.
To scan a QR code, put your phone next to the code as if you're going to take a picture of it.
- Download a 2FA app onto your smartphone. Some options include:
- Go to Special:Two-factor authentication and follow the instructions.
- The recommended authentication method is to scan a QR code in the app. Your browser will display a box with a pattern, which you have to point the camera in your smartphone towards, as if you're taking a picture of it. (Your phone might ask you for permission to use the camera first).
- If you can't scan the code, you can enter a secret key from the screen into the app, which gives you the same result.
- Once you're set up, your phone will give you a verification code. Enter this into the box at the bottom of the Two-factor authentication page browsed to in step 2).
- That's it, you're all set up. Now read "Emergency tokens : IMPORTANT, read this".
How to log-in following setup
When you now login, after entering your password you'll be asked for an authentication token.
- Open up the app you installed in step 1) and you should see a numeric key.
- Type the key in as is (with no spaces), and you should be logged back in
- Because the key is time-based, it may change while you're doing this, in which case you'll have to add the latest key instead. The application will normally indicate when a key is about to expire (e.g.: in Google Authenticator, the key's colour changes from blue to red).
How to enable 2FA, the simple way (desktop - Windows)
Please note: Using a Windows-based client slightly decreases the effectiveness of a two-factor system - if someone has access to your PC and your password, they will still be able to log in
- Download WinAuth ([winauth.github.io]) onto your Windows PC.
- Go to Special:Two-factor authentication and follow the instructions
- Enter the two-factor account name and key from the Two-factor authentication screen into the program. It should show you where to put it.
- Enter a verification code from winauth into the Two-factor authentication screen to complete the enrollment.
- That's it, you're all set up. Now, read "Emergency tokens : IMPORTANT, read this".
Emergency tokens : IMPORTANT, read this
Example of emergency tokens
When you set up 2FA, you'll be given a number of emergency tokens. You can use one of these if you can't use your smartphone (e.g.: if it gets broken, stolen or sold). You only get shown these tokens when you sign up and never again, so make a copy of them by selecting/pasting them from your browser and storing them offline (paper printout or memory stick) in a safe place. If you don't keep these tokens and also have a problem using your authentication device, you will be locked out of your account!
- Each token can only be used one time - ever - and it takes two of them to turn off 2FA (the first to log on without 2FA, and the second to shut off 2FA after logging in).
- Don't store these on your smartphone - if it gets lost you won't be able to use your phone, and you just lost the codes!
- You still need to follow good security practices. Don't use your name, date of birth or anything obvious as a password that can be guessed in a simple dictionary attack, don't write your password down in a place anyone else can see it, and consider whether or not it's a good idea to log into public terminals including schools, libraries and airports.
If you are totally locked out, regaining access to your account will be very difficult and usually involve proving your identity beyond the shadow of a doubt to one of the developers via the Phabricator system who may or may not decide to manually disable 2FA in the database directly. If you cannot satisfy these requirements or the developers deny your request, it is impossible to turn 2FA off and you effectively have to create a new account.
Can I disable 2FA?
If using 2FA becomes too onerous or difficult (e.g.: you aren't always near your phone or keycode application), you can browse to Special:OATH again and you'll be given the option to disable it. You'll need to enter a code, just as you would when logging in, and if this is correct, 2FA will be turned off.
Known issues/points to consider
- AWB and Huggle users will have to create a program password after enabling 2FA - please see this guide for information.
- Clock drift - if your 2FA device's clock becomes too inaccurate it will generate the wrong codes which will not successfully log you in. This has been known to happen with 2 minutes difference. Your 2FA device's clock should be kept reasonably accurate.
- ^ Looks to me to be the most reliable out there - is open sourced and has a significant userbase. Please confirm you are visiting the official site and use checksums if possible