Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis

From mediawiki.org

In the age of massive data breaches, successful phishing campaigns and more passwords than you can remember, two-factor authentication allows you to authenticate yourself to a wiki both with a password you know, and by proving that you have access to a long, random secret typically stored on a device in your possession.

Enable two-factor authentication

To register for two-factor authentication, go to your Preferences after logging into any CentralAuth wiki, and click “Enable two-factor authentication” (or visit Special:OATH directly), and follow the instructions to enable two-factor authentication for your account. You can either scan the QR code, or manually enter the shared secret into your second-factor device. You can use FreeOTP (Android/iOS), Google Authenticator (Android/iOS), andOTP (Android), Authenticator (Chrome extension), Authenticator (Firefox extension), Authenticator (Edge extension), or the OATH Toolkit command line utility for Debian, openSUSE and other platforms.

Disable two-factor authentication

If you need to disable two-factor authentication (and are still in possession of your second-factor device), you can visit Special:OATH at any time, enter the current code, and two-factor will be removed from your account.
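To make concrete what the shared secret, the QR code and "the current code" are, here is an added example (not MediaWiki's OATHAuth code) of the RFC 6238 TOTP computation an authenticator app performs and the matching server-side check; the secret, time step and digit count are the common OATH defaults assumed here, and the demo seed is the RFC 6238 test value.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed example, not the wiki's own implementation. Defaults match
# typical authenticator apps: HMAC-SHA1, 30-second time step, 6 digits.
STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1  # accept one step either side to tolerate clock drift


def decode_secret(base32_secret: str) -> bytes:
    """The secret shown beside the QR code at enrolment is base32; tolerate
    lowercase, spaces and missing '=' padding the way apps do."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(base32_secret: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the app on your device computes every 30 seconds."""
    return hotp(decode_secret(base32_secret), unix_time // STEP_SECONDS)


def verify(base32_secret: str, submitted: str, unix_time: int,
           last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the accepted time-step counter, or None.
    Compares in constant time and refuses any counter at or below the last
    accepted one, so a code captured by a phisher cannot be replayed inside
    the drift window. The caller must persist the returned counter per user."""
    secret = decode_secret(base32_secret)
    current = unix_time // STEP_SECONDS
    accepted = None
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            accepted = counter
    return accepted
```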

Scratch codes

FAQ

Will this be mandatory?
Two-factor authentication is required for interface administrators, stewards, and a few similarly privileged roles. It's possible that we will require two-factor authentication for other accounts with access to sensitive information in the future, but we do not have concrete plans to do so at this time.
What do I do if I lose my phone/token/secret?
A user with shell access can remove your account from the two-factor configuration, which will allow you to log in and re-enable two-factor authentication with a new device. The person doing this work will need to verify your identity, preferably by signing your request with a PGP signature that the user can verify, revealing a committed identity, or verifying the request through another non-email source (most users can reset their wiki password via email, so we want to ensure a malicious person with access to your email account cannot get your second authentication factor reset also).
What protocol is used for this two-factor authentication?
We implement the OATH protocol, a specific form of Time-based One-time Password (TOTP).

See also