Extension:OATHAuth

The OATHAuth extension is a time-based one-time password (TOTP) implementation. It provides two-factor authentication via something you have (your phone or desktop client) and something you know (your user name/password). Client support is available for most feature phones, smartphones and desktops (see Client implementations).

Usage
The help page on Two-factor authentication provides information for end users on how to use this extension. Howerver the special page used will also guide users.

User permission
Users should be given access to the  user right so that they can enable it at Special:OATHAuth (a link to which appears at Special:Preferences).
 * Granting access to enable OATHAuth

The above will grant all registered users access to enable OATHAuth.

Administration
In the event that a user both loses their token generator AND the recovery tokens; two-factor authentication may be removed from the user by deleting their row from the  database table. A sysadmin with shell access may type on a command line  and then execute   where is the user to have 2FA disabled to have it disabled.
 * Resetting a user token