Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis

In the age of massive data breaches, successful phishing campaigns and more passwords than you can remember, two-factor authentication allows you to authenticate yourself to a wiki both with a password you know, and by proving that you have access to a long, random secret typically stored on a device in your possession.

Enable two-factor authentication
To register for two-factor authentication, go to your Preferences after logging into any CentralAuth wiki, and click “Enable two-factor authentication” (or visit Special:OATH directly), and follow the instructions to enable two-factor authentication for your account. You can either scan the QR code, or manually enter the shared secret into your second-factor device. You can use FreeOTP (Android/iOS), Google Authenticator (Android/iOS), andOTP (Android), GAuth Authenticator (Chrome plugin), GAuth (Firefox extension), or the OATH Toolkit commandline utility for debian, opensuse and other platforms.

Disable two-factor authentication
If you need to disable two-factor authentication (and are still in possesion of your second-factor device), you can visit Special:OATH at any time, enter the current code, and two-factor will be removed from your account.

FAQ

 * Will this be mandatory?
 * Two-factor authentication is required for Interface administrators, Stewards and a small number of similarly privileged roles. It's possible that we will require two-factor authentication for other accounts with access to sensitive information in the future, but we do not have concrete plans to do so at this time.


 * What do I do if I lose my phone/token/secret?
 * A user with shell access can remove your account from the two-factor configuration, which will allow you to login and re-enable two-factor authentication with a new device. The person doing this work will need to verify your identity, preferably by signing your request with a PGP signature that the user can verify, revealing a committed identity, or verifying the request through another non-email source (most users can reset their wiki password via email, so we want to ensure a malicious person with access to your email account cannot get your second authentication factor reset also).


 * What protocol is used for this two-factor authentication?
 * We implement the OATH protocol, a specific form of Time-based One-time Password (TOTP).