Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis

From MediaWiki.org

In the age of massive data breaches, successful phishing campaigns and more passwords than you can remember, two-factor authentication allows you to authenticate yourself to a wiki both with a password you know, and by proving that you have access to a long, random secret typically stored on a device in your possession.

Enable two-factor authentication

To register for two-factor authentication, log in to any CentralAuth wiki, go to your Preferences, click “Enable two-factor authentication” (or visit Special:OATH directly), and follow the instructions. You can either scan the QR code or manually enter the shared secret into your second-factor device; both carry the same secret, so treat the QR code as sensitively as the secret itself. Any TOTP-capable client will work, for example FreeOTP (Android/iOS), Google Authenticator (Android/iOS), GAuth Authenticator (Chrome plugin), GAuth (Firefox extension), or the OATH Toolkit command-line utility (oathtool) packaged for Debian, openSUSE and other platforms.

Disable two-factor authentication

If you need to disable two-factor authentication (and are still in possession of your second-factor device), visit Special:OATH at any time and enter the current code; two-factor authentication will then be removed from your account.

Scratch codes

FAQ

Will this be mandatory?
It's possible that we will require two-factor authentication for accounts with access to sensitive information in the future, but we do not have concrete plans to do so at this time.
What do I do if I lose my phone/token/secret?
A user with shell access can remove your account from the two-factor configuration, which will let you log in and re-enable two-factor authentication with a new device. The person doing this will need to verify your identity, preferably by having you sign the request with a PGP key they can verify, by revealing a committed identity, or by confirming the request through some channel other than email. The reason email is not sufficient: most users can reset their wiki password via email, so an attacker who controls your email account could already obtain your first factor, and we want to ensure they cannot get your second factor reset as well.
What protocol is used for this two-factor authentication?
Codes are generated with the Time-based One-time Password algorithm (TOTP, RFC 6238), one of the algorithms standardised by OATH (the Initiative for Open Authentication). The wiki and your device share a secret; each code is an HMAC of the current time step (by default 30 seconds) under that secret, truncated to six decimal digits, which is why your device's clock must be roughly correct for the codes to be accepted.

See also