Extension:OATHAuth

Not to be confused with Extension:OAuth

The OATHAuth extension is a time-based one-time password (TOTP) implementation. It provides two-factor authentication via something you have (your phone or desktop client) and something you know (your user name/password). Client support is available for most feature phones, smartphones and desktops (see Client implementations). This extension has nothing to do with OAuth, which is a totally different protocol.

Resetting a user token
In the event that a user both loses their token generator AND the recovery tokens; two-factor authentication may be removed from the user by deleting their row from the  database table.

0.1 - May 9, 2012

 * Initial version
 * Missing functionality to act as a standalone extension, currently reuses a hook in LdapAuthentication. Standalone support to come in next version.

0.2 - March 28, 2014

 * Added use of TwoFactorIsEnabled hook
 * Switched from using ChainAuth hook to using AbortChangePassword and AbortLogin hooks
 * Added use of $wgRedactedFunctionArguments variable

0.2.1 - May 11, 2014

 * Code-base cleanup

0.2.2 - October 11, 2016

 * Switch to using extension.json
 * Added "oathvalidate" API action
 * Added caching of OATH tokens
 * Added SQLite support
 * Removed support for pre-AuthManager MediaWiki