Open main menu

Help:Two-factor authentication

  (Redirected from Wikipedia:Simple 2FA)
2FA is like a software version of the security token devices used for online banking in some countries.

Two-factor authentication (2FA) is a way to add additional security to your account. The first "factor" is your usual password that is standard for any account. The second "factor" is a verification code retrieved from an app on a mobile device or computer. 2FA is conceptually similar to a security token device that banks in some countries require for online banking. Other names for 2FA systems include OTP (one-time password) and TOTP (Time-based One-time Password algorithm).

This guide explains how to enable and disable 2FA on Wikipedia for your account.

Contents

Securing your accountEdit

 
Preferences with link to enable 2FA

It is extremely important for administrators and editors with advanced permissions to keep their account secure. In November 2016, a number of Wikipedia administrators (including the co-founder, Jimbo Wales) had their accounts compromised, which were then used to vandalise the encyclopedia. As well as causing widespread disruption, the affected administrators' accounts were locked until it was beyond doubt they had regained control.

Any editor can improve their account security by using 2FA. This practice is recommended for editors with advanced permissions, highly recommended for administrators, and required for interface administrators, among others.

Before enabling 2FA, please ensure that you have a strong password that is exclusively used for Wikipedia. Consider using a password manager to generate strong, unique passwords for each of your online accounts.

Accessing 2FAEdit

On the English Wikipedia, the following groups automatically have access to 2FA:

If you are not in one of these groups, you need to submit a request at m:Steward requests/Global permissions#Requests for other global permissions to obtain access to 2FA (see request examples). Most users need to request access before they can use 2FA.

Users with advanced rights on other projects, including test wikis hosted by Wikimedia, can also enable 2FA from those projects.

Checking whether 2FA is enabledEdit

To determine whether your account has 2FA enabled, go to Special:Preferences. Under "Basic information", check the entry for "Two-factor authentication", which should be between "Global account" and "Global preferences":

  • If the button says "Disable two-factor authentication", 2FA is currently enabled on your account.
  • If the button says "Enable two-factor authentication", 2FA is currently disabled on your account.
  • If there is no entry for "Two-factor authentication", your account currently doesn't have access to 2FA, and you'll need to request access at m:Steward requests/Global permissions#Requests for other global permissions before you can enable 2FA.

Enabling 2FA on smartphones and tablet computersEdit

 
Scanning a QR code with a smartphone's camera

If you have a smartphone or tablet computer with Android or iOS, a mobile app is the most secure way to use 2FA. If you don't have a smartphone or if you want to use a Windows tablet, see "Enabling 2FA on desktop and laptop computers".

  1. Download a 2FA app onto your mobile device. Recommended options include:
  2. Go to Special:Two-factor authentication and follow the instructions.
  3. The recommended authentication method is to scan a QR code in the app. Your browser will display a box with a pattern, which you have to point your device's camera toward, as if you're taking a picture of it. (Your device might ask you for permission to use the camera first.)
    If you can't scan the QR code, you can enter a secret key from the screen into the app, which gives you the same result.
  4. Once you're set up, the 2FA app will show a 6-digit verification code. Enter this into the box at the bottom of the Two-factor authentication page.
  5. That's it, you're all set up. Now, read "Scratch codes".

Enabling 2FA on desktop and laptop computersEdit

You can use apps like WinAuth and KeeWeb to handle 2FA tokens on many computers. This is the recommended way to use 2FA if you don't have a smartphone or tablet computer. Certain laptops (like Chromebooks) may need to use the "tablet" section above.

If you currently use a password manager, check whether it supports 2FA. (Your password manager may also refer to 2FA as OTP or TOTP.) Using your current password manager for 2FA is easier than setting up a new 2FA app.

Note: If you normally edit with your desktop computer, using a desktop 2FA app is slightly less secure than using a mobile 2FA app, as someone with access to both your computer and your password would still be able to log in to your account.

WinAuth (Windows)Edit

WinAuth[11] is the recommended 2FA app for Windows users. It is free and open-source.

  1. Download WinAuth[11] onto your Windows PC.
  2. Go to Special:Two-factor authentication and follow the instructions
  3. Enter the two-factor account name and key from the Two-factor authentication page into the program. WinAuth will show you where to put it.
  4. Enter the 6-digit verification code from WinAuth into the Two-factor authentication page to complete the enrollment.
  5. That's it, you're all set up. Now, read "Scratch codes".

KeeWeb (Windows, macOS, Linux, online)Edit

KeeWeb[12] is a free and open-source password manager that also handles 2FA. The app can be downloaded to your computer or used online without installation. KeeWeb refers to 2FA as one-time passwords (OTP).

  1. Download KeeWeb[12] onto your computer, or open KeeWeb's online web app.[13]
  2. Go to Special:Two-factor authentication and follow the instructions.
  3. In KeeWeb, click "New" (the plus icon).
  4. Add a new entry: Click the plus icon ("Add New") at the top. Then, click "Entry".
  5. Give the entry a title (e.g. "Wikipedia").
  6. In the right-side pane, click "more...". Then, click "One-time passwords" and click "Enter code manually".
  7. Copy and paste the key from Wikipedia's Two-factor authentication page into the "otp" field in KeeWeb. Press ↵ Enter on your keyboard.
  8. Click on "otp" to copy the 6-digit verification code. Paste the code into Wikipedia's Two-factor authentication page to complete the enrollment.
  9. Back up your 2FA settings: Click on the gear icon ("Settings") at the bottom-right of the KeeWeb window. Optionally set a password, and then click "Save to...". Click "File" to save your 2FA settings onto your computer, or choose one of the other options to sync with Dropbox, Google Drive, OneDrive, or WebDAV.
  10. That's it, you're all set up. Now, read "Scratch codes".

Scratch codesEdit

 
Example of scratch codes

When you set up 2FA, you'll be given a number of scratch codes. You can use one of these if you lose access to your 2FA app (e.g. if your phone or computer gets broken, stolen, or sold). You only see these codes while setting up 2FA (and never again), so copy them from your browser and save them offline in a safe place (e.g. on a memory stick or paper printout). If you don't keep these codes and encounter a problem with your 2FA device, you will be locked out of your account.

  • Each scratch code can only be used one time, and it takes two of them to turn off 2FA (the first to log in without 2FA, and the second to shut off 2FA after logging in).
  • Don't store these on your smartphone. If it gets lost, you won't be able to use your phone, and you'll lose the codes!
  • You still need to follow good security practices. Don't use your name, date of birth, or anything that can be guessed in a dictionary attack as a password. Don't write your password down in a place anyone else can see it, and consider whether or not it's a good idea to log in to your Wikipedia account on public terminals at schools, libraries, and airports.

If you are totally locked out, regaining access to your account will be very difficult and usually involve proving your identity beyond the shadow of a doubt to one of the developers via the Phabricator system who may or may not decide to manually disable 2FA in the database directly. If you cannot satisfy these requirements or the developers deny your request, it is impossible to turn 2FA off and you'll have to create a new account.

Logging in with 2FAEdit

 
Logging in with 2FA

When you log in, after entering your password, you'll be asked for a verification code.

  1. Open your 2FA app and you should see a 6-digit verification code.
  2. Type the verification code in as is (with no spaces), and you should be logged back in
    Because the verification code is time-based, it may change while you're doing this, in which case you'll have to add the latest code instead. The application will normally indicate when a code is about to expire (e.g. in Google Authenticator, the code's colour changes from blue to red).

AutoWikiBrowser and Huggle users need to create a bot password after enabling 2FA. Please see Wikipedia:Using AWB with 2FA and mw:Manual:Huggle/Bot passwords for instructions.

Disabling 2FAEdit

 
Disabling 2FA

If you no longer want to use 2FA, go to Special:Two-factor authentication again and you'll be given the option to disable it. You'll need to enter a 6-digit verification code, just as you would when logging in. After this, 2FA will be turned off on your account.

To change your 2FA app or device, just disable 2FA and then follow the instructions at "Enabling 2FA on smartphones and tablet computers" or "Enabling 2FA on desktop computers" to enable it again.

Known issuesEdit

Multiple devicesEdit

Wikimedia's 2FA system is only designed to be used with one device. If you want to use 2FA on multiple devices, you must register all of your devices at the same time. To add 2FA to an additional device:

  1. Have all of your devices on hand.
  2. If 2FA is already enabled on your account, disable it.
  3. Register all of your devices with the directions at "Enabling 2FA on smartphones and tablet computers" and/or "Enabling 2FA on desktop computers", but don't enter the 6-digit verification code into the Two-factor authentication page until all of your devices are registered.

To remove 2FA from a device, simply remove the Wikipedia entry from your 2FA app. Do not do this unless you have access to 2FA for Wikipedia on another device. To disable 2FA entirely, see "Disabling 2FA".

Clock driftEdit

If your 2FA device's clock becomes too inaccurate, it will generate the wrong verification codes and you will not be able to log in. To prevent this, the 2FA device's clock should be kept reasonably accurate. Most smartphones and computers keep the clock in sync when they are connected to the Internet, and you will most likely not have to do anything as long as your device is online.

More helpEdit

ReferencesEdit

  1. ^ "FreeOTP Authenticator". Google Play.
  2. ^ "FreeOTP". F-Droid.
  3. ^ "‎FreeOTP Authenticator". App Store.
  4. ^ "andOTP - Android OTP Authenticator" – via GitHub.
  5. ^ "andOTP - Android OTP Authenticator". Google Play.
  6. ^ "andOTP". F-Droid.
  7. ^ "Authenticator" – via GitHub.
  8. ^ "‎Authenticator". App Store.
  9. ^ "Google Authenticator". Google Play.
  10. ^ "‎Google Authenticator". App Store.
  11. ^ a b "WinAuth - Portable open-source Authenticator for Windows". WinAuth.
  12. ^ a b "KeeWeb - Free Password Manager Compatible with KeePass". KeeWeb.
  13. ^ "KeeWeb (online web app)". KeeWeb.