Extension:OATHAuth

MediaWiki extensions manual

OATHAuth Release status: stable
Implementation	User rights , Special page , Page action
Description	Provides two-factor authentication for logging in
Author(s)	Ryan Lane
Latest version	Continuous updates
Compatibility policy	master
MediaWiki	1.29+
Database changes	Yes
Tables	oathauth_users
License	GNU General Public License 2.0 or later
Download	Download extension Git [?]: Download Git master browse repository (GitHub) commit history code review
Parameters $wgOATHAuthWindowRadius $wgOATHAuthDatabase $wgOATHAuthSecret $wgOATHAuthAccountPrefix $wgOATHExclusiveRights
Added rights oathauth-enable oathauth-api-all oathauth-disable-for-user oathauth-view-log
Hooks used AuthChangeFormFields TwoFactorIsEnabled LoadExtensionSchemaUpdates GetPreferences getUserPermissionsErrors
Translate the OATHAuth extension if it is available at translatewiki.net
Check usage and version matrix.
Issues	Open tasks · Report a bug

The OATHAuth extension is a time-based one-time password (TOTP) implementation. It provides two-factor authentication via something you have (your phone or desktop client) and something you know (your user name/password). Client support is available for most feature phones, smartphones and desktops (see Client implementations).

Usage[edit source]

The help page on Two-factor authentication provides information for end users on how to use this extension. However the special page used will also guide users.

Installation[edit source]

• Download and place the file(s) in a directory called OATHAuth in your extensions/ folder.
• Only when installing from git run Composer to install PHP dependencies, by issuing composer install --no-dev in the extension directory. (See T173141 for potential complications.)
• Add the following code at the bottom of your LocalSettings.php:

  wfLoadExtension( 'OATHAuth' );
  

• Run the update script which will automatically create the necessary database tables that this extension needs.
• Configure as required.
•  Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Configuration[edit source]

Parameters[edit source]

User permission[edit source]

Granting access to enable OATHAuth

Users should be given access to the oathauth-enable user right so that they can enable it at Special:OATHAuth (a link to which appears at Special:Preferences).

$wgGroupPermissions['user']['oathauth-enable'] = true;

The above will grant all registered users access to enable OATHAuth.

Administration[edit source]

Resetting a user token

In the event that a user both loses their token generator AND the recovery tokens; two-factor authentication may be removed from the user by deleting their row from the oathauth_users database table. A sysadmin with shell access may type on a command line cd /path/to/mediawiki/extensions/OATHAuth/maintenance/ and then execute php disableOATHAuthForUser.php "username" where "username" is the user to have 2FA disabled to have it disabled.

See also[edit source]

• Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis
• Two-factor authentication (TFA)
• Extension:WebAuthn

This extension is being used on one or more Wikimedia projects. This probably means that the extension is stable and works well enough to be used by such high-traffic websites. Look for this extension's name in Wikimedia's CommonSettings.php and InitialiseSettings.php configuration files to see where it's installed. A full list of the extensions installed on a particular wiki can be seen on the wiki's Special:Version page.