Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis

In the age of massive data breaches, successful phishing campaigns and more passwords than you can remember, two-factor authentication allows you to authenticate yourself to a wiki both with a password you know, and by proving that you have access to a long, random secret typically stored on a device in your possession.

Enable two-factor authentication
To register for two-factor authentication, log in to any CentralAuth wiki, go to your Preferences and click “Enable two-factor authentication” (or visit Special:OATH directly), then follow the instructions to enable two-factor authentication for your account. You can either scan the QR code or manually enter the shared secret into your second-factor device. You can use FreeOTP ([https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp Android]/[https://itunes.apple.com/us/app/freeotp-authenticator/id872559395 iOS]), Google Authenticator ([https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en Android]/[https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8 iOS]), andOTP ([https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp Android]), [https://chrome.google.com/webstore/detail/bhghoamapcdpbohphigoooaddinpkbai?hl=en Authenticator] (Chrome extension), [https://addons.mozilla.org/en-US/firefox/addon/auth-helper/ Authenticator] (Firefox extension), [https://microsoftedge.microsoft.com/addons/detail/ocglkepbibnalbgmbachknglpdipeoio Authenticator] (Edge extension), or the OATH Toolkit command line utility for [https://packages.debian.org/search?keywords=oathtool Debian], [http://software.opensuse.org/package/oath-toolkit openSUSE] and other platforms.

Disable two-factor authentication
If you need to disable two-factor authentication (and are still in possession of your second-factor device), you can visit Special:OATH at any time, enter the current code, and two-factor authentication will be removed from your account.

FAQ

 * Will this be mandatory?
 * Two-factor authentication is required for interface administrators, stewards, and a few similarly privileged roles. It's possible that we will require two-factor authentication for other accounts with access to sensitive information in the future, but we do not have concrete plans to do so at this time.
 * What do I do if I lose my phone/token/secret?
 * A user with shell access can remove your account from the two-factor configuration, which will allow you to log in and re-enable two-factor authentication with a new device. The person doing this work will need to verify your identity, preferably by signing your request with a PGP signature that the user can verify, revealing a committed identity, or verifying the request through another non-email source (most users can reset their wiki password via email, so we want to ensure a malicious person with access to your email account cannot get your second authentication factor reset as well).
 * What protocol is used for this two-factor authentication?
 * We implement OATH TOTP, the Time-based One-time Password algorithm (RFC 6238) standardized by the Initiative for Open Authentication (OATH).
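As an added example (not code from this page or from the wiki software), here is the TOTP mechanism the FAQ names, in Python: code generation per RFC 4226/6238 using the RFC test key as a constructed sample secret, a server-side check that tolerates clock drift and refuses replayed codes, and the otpauth URI of the kind authenticator apps read from a QR code. The 30-second step, 6-digit codes, the replay set and the URI layout are this example's assumptions, not documented parameters of CentralAuth wikis.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30  # TOTP time step (assumed default; the page does not state the wiki's parameters)
DIGITS = 6         # code length (assumed; matches what the listed authenticator apps display)

# Constructed sample secret: the RFC 6238 test key "12345678901234567890", base32 encoded
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_secret(base32_secret: str) -> bytes:
    """Decode the shared secret as a user would type it (spaces and lower case tolerated)."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(base32_secret: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(decode_secret(base32_secret), unix_time // STEP_SECONDS)

def verify_totp(base32_secret: str, submitted: str, unix_time: int,
                window: int = 1, used_counters: Optional[set] = None) -> bool:
    """Server-side check: accept the current step and `window` steps either side (clock
    drift), compare in constant time, and refuse a counter that was already accepted so a
    captured code cannot be replayed. The replay set is this example's own addition."""
    secret = decode_secret(base32_secret)
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if used_counters is not None:
                if counter in used_counters:
                    return False
                used_counters.add(counter)
            return True
    return False

def provisioning_uri(issuer: str, account: str, base32_secret: str) -> str:
    """otpauth:// key URI of the kind authenticator apps read from an enrolment QR code (assumed)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={base32_secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
```

The expected codes for the sample secret are the RFC 6238 SHA-1 test vectors truncated to six digits, for example 287082 at Unix time 59.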