Help talk:Two-factor authentication
This is the talk page for discussing improvements to the Two-factor authentication page.
Archives: 1. Auto-archiving period: 30 days.
If you have been locked out of your account, you should contact Wikimedia Trust and Safety on ca
In my opinion it is a bit dumb to lock 2FA for certain groups only?
What is the purpose for this? It is ironic that they encourage the usage of 2FA yet only allow it for certain users.
What is the drawback for allowing 2FA for everyone? Nothing.
And the fact that you have to request 2FA is outrageous. You have to request to use 2FA? — Preceding unsigned comment added by H44dyss9900 (talk • contribs) 11:30, 31 May 2021 (UTC)
- There are currently insufficient support resources for mass participation. — xaosflux Talk 17:03, 22 September 2021 (UTC)
- Bit of a late reply, but @H44dyss9900:, I believe I read that there were some stability issues with failures in the extension that makes 2FA possible that have necessitated manual removal of it many a time, which is why it's locked to certain users. I hope this helps as well. Regards, User:TheDragonFire300. (Contact me | Contributions). 06:16, 13 February 2022 (UTC)
- Well something should be done about this. Then we should fix the issues with the 2FA plugin.
- This problem shouldn't really be glossed over, it's very important to have a functioning 2FA, especially on Wikipedia. H44dyss9900 (talk) 17:14, 29 April 2022 (UTC)
- I know I'm a bit late to this conversation... it's 2023 now and the trend has swung even further towards MFA. Companies are getting kicked off of cyber insurance policies for having a few things without MFA, making them an unacceptable risk. The idea that one of the most visited websites on the entire internet doesn't ALLOW someone to have MFA, or doesn't have a stable implementation yet, is ridiculous. Not FORCING people to use it is rapidly becoming a huge no-no according to cybersecurity experts. We should be ages past allowing it. T`swift`rocks (talk) 05:10, 16 February 2023 (UTC)
- Long time anonymous reader of Wikipedia, just signed up for an account to maybe dabble in simple editing. I am shocked that this is not available to all accounts in 2023. I don't think I am signed up for any other service that actually doesn't even offer 2FA to the user at all. This is now a fundamental security requirement for anything you log into, just as important (if not more now) than a password. If there are problems with 2FA as stated above, perhaps fixing it should be a priority. That was almost a year ago. Boatvan (talk) 23:36, 15 April 2023 (UTC)
- I could be wrong and this may have been fixed, but I suspect not as I didn't even find any option for 2FA. It's 2024 and ChatGPT has existed for 2 years already and we literally have a functioning computer <-> brain interface, yet one of the most popular websites on earth can't get a simple TOTP Plugin working. The implementation for TOTP, even if we include the full QR code generator support and backup code generator is so simple you could remember the full code from start to finish from the back of your mind. H44dyss9900 (talk) 11:39, 30 September 2024 (UTC)
- I'd like to add that I had to do an email verification today for logging in to my account. The help article only mentions deleting the associated email address to avoid login verification. I expected that I could just enable TOTP or passkeys to avoid email verification codes, and was surprised to find out 2FA is still not a thing for the general public on Wikipedia. I do like adding a second factor to login, but I don't want email verification, and I'd like to keep my email address associated with my account. So please allow TOTP usage instead of forcing users to receive email verification codes. LukeLR (talk) 14:04, 19 August 2025 (UTC)
About the ordering of the phone based 2FA apps
Currently there is a legacy 2FA app listed as the one called FreeOTP. FreeOTP is years old and hasn't been updated in a long time and has bugs.
I propose AndOTP and Authenticator are moved before FreeOTP. We also potentially could add Aegis Authenticator and Raivo OTP to the list as well. H44dyss9900 (talk) 06:57, 30 April 2022 (UTC)
- Nvm actually the two authenticators I mentioned should be added to https://meta.wikimedia.org/wiki/Help:Two-factor_authentication instead.
- But I do think we should put AndOTP and Authenticator before FreeOTP. Even though they are Android/iOS only. H44dyss9900 (talk) 07:03, 30 April 2022 (UTC)
- So my suggestion is to change this to a table, make the default sort be alphabetical. Include columns: Name, License type, Last version/date, Android link(s), Apple link. Since we have MS Auth on here, prob should also include Google Authenticator too. — xaosflux Talk 09:47, 30 April 2022 (UTC)
- Something like this? --Ahecht (TALK PAGE) 23:01, 2 May 2022 (UTC)
- LGTM. — xaosflux Talk 23:35, 2 May 2022 (UTC)
- I propose we also include KeepassXC (open source, Linux, Windows, Mac) and KeepassDX (open source, F-Droid, Google Play) as TOTP providers, as they have comfortable bonus features (syncing the keepass database containing the TOTP setup, auto-fill in supported browsers) LukeLR (talk) 14:08, 19 August 2025 (UTC)
Woes
So, I got a new phone a few months ago. Apparently I should have done something with my 2FA app during the switchover, but here I am: the app is no longer recognizing me. All this has come to a head because in the last few days I got a new laptop, which is asking me for a 2FA to log into WP. So here I sit on the old computer -- which I'm supposed to have handed down to the hubs -- trying to figure out how to avoid not being able to log in next time I'm asked for an authentication code. Anyone have an idea of how I can fix this? I've already been in chat with the authentication app. They'll get back to me in 2 business days. I'm a little concerned that I could be asked to log in and won't be able to, and will have no way to prove to anyone that I am who I say I am. Valereee (talk) 19:47, 10 February 2023 (UTC)

- @Valereee: Did you keep hold of those scratch codes — if so, you can use one when prompted, to remove 2FA from your account before switching over to your new phone. If you didn't hold on to them, you will need to contact Trust and Safety on ca
wikimedia.org — TheresNoTime (talk • they/them) 00:42, 11 February 2023 (UTC)
- Oh, the scratch codes! I forgot all about them, but yes, I did, in multiple places. Thank you! That relieves my mind greatly lol! Valereee (talk) 13:54, 11 February 2023 (UTC)
WebAuthn support kinda poor
I just encountered Phab:T244088, "Logging in at another wiki than WebAuth was set up fails". It can be worked around (see meta:User:Bri.public/2FA issue), but makes WebAuthn somewhat clumsy. Two questions: 1) is this important enough to note on the help page and 2) does anybody else care? The bug was reported three years ago and is stalled. ☆ Bri (talk) 21:07, 20 February 2023 (UTC)
- Feel free to put more warnings about the problems with WebAuthn in the Help:Two-factor_authentication#WebAuthn section. I don't suggest anyone use it. — xaosflux Talk 22:13, 20 February 2023 (UTC)
Authentication failed
I recently activated Two-factor authentication on my account. Now I struggle to sign in on new devices. The message I receive says something about "Authentication process was interrupted. Please start the authentication process again". Is there a way to turn on and off two-factor authentication or restart the authentication process on the account? I've tried to turn it off but get the same message.
If I've written this question on the wrong page please move it to where it belongs. -Bksm (talk) 16:56, 12 July 2023 (UTC)
Google Authenticator
Why is Google Authenticator not listed? It is by far the most popular (~1000x the download count of Aegis which is probably the most popular from the current list), it's made by a large company with a reputation of having very good security, it has an online backup option so switching phones is hassle-free. Tgr (talk) 17:37, 13 December 2023 (UTC)
- @Tgr (some discussion in Help talk:Two-factor authentication/Archive 1) - short answer is that for the "recommended" application, a FOSS application was desired. I've added a link to Comparison of OTP applications on the page, that includes many more clients. — xaosflux Talk 18:57, 13 December 2023 (UTC)
- As it looks like Microsoft Authenticator has slipped in, I really have no objection to listing GAuth as another example so long as it isn't the 'recommended' one. — xaosflux Talk 19:01, 13 December 2023 (UTC)
- Personally I don't think this is the best place for FLOSS advocacy. It's good to have some FLOSS tools in the mix, for the (probably tiny) minority of users who do care about that. But the average editor will be much better served by a tool that has good UX, a cloud backup (so you don't lock yourself out if you lose your phone) and good enough security practices that the cloud backup won't get broken into. I haven't reviewed the list but I'd be surprised if there would be FLOSS tools which meet that bar. Tgr (talk) 07:38, 15 December 2023 (UTC)
- I can vouch for Authy as a much better option than Google Authenticator or most of the listed ones - it allows cloud backups, which means you won't have to deal with the nonsense that often happens when your phone dies or is replaced. It also works on Android, iOS, Mac, Windows and Linux (and syncs between them, so again if you lose your phone it's not a problem). I've been using it for a few years now, and had no issues. — Preceding unsigned comment added by The Wordsmith (talk • contribs) 22:11, 18 December 2023 (UTC)
- As above, seems OK to add more that are useful. — xaosflux Talk 18:58, 12 January 2024 (UTC)
- Authy's desktop apps will be discontinued in August 2024. I oppose recommending Authy, as it has a highly questionable privacy policy and requires a phone number to sign up. Editors should not be recommended tools that expose much more of their personal information than Wikipedia itself does, particularly when there is a plethora of less intrusive options. — Newslinger talk 20:51, 12 January 2024 (UTC)
- Authy gets a grade B on tosdr (which is not too bad, Wikipedia also gets a grade B) and at a glance doesn't seem to be doing anything surprising or untoward with personal data. Tgr (talk) 17:56, 13 January 2024 (UTC)
- It's not clear to me how Terms of Service; Didn't Read grades these policies, but even their summary of Authy's privacy policy shows many more issues than their summary of Wikimedia's privacy policy. Here are some of the issues ToS;DR lists that are unique to Authy:
- Tracking via third-party cookies for advertising
- The service can sell or otherwise transfer your personal data as part of a bankruptcy proceeding or other type of financial transaction
- This service gives your personal data to third parties involved in its operation
- You must provide your legal name, pseudonyms are not allowed
- What ToS;DR completely misses (due to not being in its scope) is the fact that 2FA apps are very simple software products that do not need to collect any information from users other than the keys required to generate the verification codes. The following items that Authy collects (per Authy's privacy policy) are unnecessary for a 2FA service:
- Phone number
- "We use that phone number to identify you, to provide you 2FA services, and to maintain logs for security and anti-fraud purposes."
- "If you change your phone number or email associated with your Authy account, we will also keep a log of that."
- Login history, IP address history
- "When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application you logged in to, that you logged in, and when. We collect this information to monitor for suspicious activity and also as another piece of information that could be used to verify your identity if we suspect your account may be compromised."
- Location history
- "If you have location services turned on, we collect your location based on your IP address. We use this information for anti-fraud purposes, to check for suspicious activity and, again, as another piece of information we can use to verify your identity if we suspect your account may be compromised."
- There are many 2FA apps that do not collect any of this personal information or share any data with third parties. 2FA apps do not need to monitor users for "anti-fraud purposes" to do their job. Authy collects too much data, which puts users at additional risk when there is a security incident like Authy's data breach in 2022. That is why I oppose recommending Authy. — Newslinger talk 19:29, 13 January 2024 (UTC)
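Two claims in this discussion are easy to check against the specification itself: H44dyss9900's remark (30 September 2024) that a TOTP implementation with QR provisioning and backup codes is short, and Newslinger's point above that the only secret a 2FA app needs is the per-account seed. The example below is added here and is not code from MediaWiki's OATHAuth extension or from any of the apps named in this thread. It implements RFC 4226 HOTP and RFC 6238 TOTP with the defaults most authenticator apps use (SHA-1, 6 digits, 30-second step), emits the otpauth:// URI that apps read from a QR code, verifies a submitted code with a one-step clock-skew window and replay protection, and manages single-use scratch codes stored as hashes. The issuer/account labels and the SHA-256 storage of scratch codes are assumptions made for the example; the RFC test vectors used for checking are the published ones.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation with a verifier.

Added example for this discussion; not MediaWiki's OATHAuth code and not
taken from any authenticator app. The only long-term secret state on either
side is the per-account seed (plus hashes of unused scratch codes).
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

DIGITS = 6   # defaults used by most authenticator apps (assumption for the example)
STEP = 30    # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI; this string is what gets rendered as the enrolment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{params}"


class TotpVerifier:
    """Server side: accepts a code from the current step or +/- `window` steps
    (clock skew), compares in constant time, and never accepts a step at or
    before the last accepted one, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already consumed, or older than an accepted code
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


class ScratchCodes:
    """Single-use recovery codes. Plaintext is shown to the user exactly once;
    only SHA-256 digests are retained (storage scheme assumed for the example)."""

    def __init__(self, count: int = 10):
        self.plain = [secrets.token_hex(8) for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self._hashes:
            self._hashes.remove(digest)  # burn it: a scratch code works once
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    seed = secrets.token_bytes(20)  # fresh 160-bit seed for an enrolment
    print(provisioning_uri(seed, "ExampleUser", "ExampleWiki"))  # labels are constructed
    verifier = TotpVerifier(seed)
    print(verifier.verify(totp(seed, int(time.time()))))
```

Everything the server keeps is `secret`, `last_step` and the scratch-code digests; a phone number, IP history or location is not an input to any function above. The `last_step` check is the part most home-grown verifiers omit: without it, a code phished or shoulder-surfed inside the 30-second window (plus skew) can be replayed.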
- It's not hard to see how these pieces of information could be useful for 2FA - the phone can be used as a fallback identification method in case of suspected account takeover, and the IP and location history can be used to detect such a takeover. Storing that data isn't that bad IMO as long as the data is not sold, and only passed to service providers who are under contractual restrictions to likewise not sell it (which seems to be the case).
- The data breach is bad (AIUI it wasn't primarily about personal information, the attackers stole credentials that could be used to generate 2FA codes); this is a tradeoff in using a cloud service vs. a 2FA tool that isn't backed up. In the first case you risk your credentials getting stolen in ways you have no control over, in the second case you risk getting locked out of your account when you lose your device. Neither is ideal but IMO for the average user getting locked out is a bigger risk and has worse consequences. If you are a checkuser or interface admin, you might want to weigh the security side of the tradeoff higher.
- (Then again if you use a strong unique password, even a stolen 2FA seed isn't really exploitable.)
- To be clear I'm not arguing for Authy (I haven't done any research on it, nor the alternatives) but none of this sounds instantly disqualifying to me. Although in general I think larger options (like Google or Microsoft) are safer - such huge companies tend to spend more on security. Tgr (talk) 05:51, 16 January 2024 (UTC)
Misleading: Implies any user can request 2FA
The article states "Any editor can improve their account security by using 2FA". It also says that "If you are not in [a group that has automatic access to 2FA], you need to submit a request". The issue is the page where you make a request is a semi-protected page on meta.wikimedia.org, so only users who have at least 5 edits on meta.wikimedia.org (not wikipedia) can make a request. The Elysian Vector Fields (talk) 02:30, 16 March 2024 (UTC)
- Users without autoconfirmed status on Meta can request on the talk page (as you have done). That could be added to this help page. -- Ajraddatz (talk) 03:04, 17 March 2024 (UTC)
There is currently an RfC on VPR that will decide whether more user groups should have access to 2FA without requesting it at Meta. You are invited to comment there. Nickps (talk) 01:04, 7 March 2025 (UTC)
jawiki overhaul
(copied from my talk). Hi, xaosflux! Recently, we fully updated ja:H:2FA to meet the new 2FA system. If you need, please refer to it to update en:H:2FA. --T4NeGMp7P4en (talk) 15:33, 30 October 2025 (UTC)
current status?
I'm an infrequent editor. Today I wanted to edit Wikipedia from a different browser/computer combination than I've previously used. When I logged in, I was told (not a verbatim transcript here) that since I had not logged in on this device recently, I would receive an email with a verification code that I would need to complete my login.
I don't remember needing to do this before. This is two-factor authentication, right? I'm quite sure I didn't do anything to choose to enable 2FA. Have things changed recently? Is it time to update this wiki-page? Bsammon (talk) 21:19, 4 November 2025 (UTC)
- Okay... I'm realizing that this article is about a specific kind/category of 2FA, but I'm pretty sure what I experienced qualified as 2FA also. The 2FA I experienced -- I did not find any (wikipedia/wikimedia-specific) documentation on it. Anyone got any details/links? Bsammon (talk) 21:54, 4 November 2025 (UTC)
- @Bsammon:. This is an additional security measure, introduced some time earlier this year. I can point you to mw:Help:Extension:EmailAuth. -- zzuuzz (talk) 22:02, 4 November 2025 (UTC)
- Ah yeah... I was just composing a comment to the effect that I should have scrolled to the bottom of the 2FA email I received, where it includes a link to that extension's page.
- However, I didn't find much documentation about its usage on Wikipedia, and what I did find seems to be sysop-level stuff like https://wikitech.wikimedia.org/wiki/EmailAuth
- I'd like to add a brief preface to this page, explaining that this other form of 2FA is in use on Wikipedia, it affects all(/most?) editors, and editors cannot opt-in/opt-out (they can delete their email address from their profile, but I'm not sure if/how I'd mention that)
- Opinions? Bsammon (talk) 22:19, 4 November 2025 (UTC)
- This page is an already-hard-to-understand topic, so I think it's probably preferable not to involve too many adjacent things. On the other hand, some sort of hatnote might be helpful for the confusion you experienced. Announcements about security issues are probably going to be hard to find - I can't recall seeing anything specific. There might be something though. If you want to go looking, maybe start at Wikipedia:Wikipedia_Signpost/2025-04-09/News_and_notes; it all probably followed that incident. But if you want to try and add something, try WP:BOLD. -- zzuuzz (talk) 22:32, 4 November 2025 (UTC)
- all ~2025-32237-64 (talk) 02:43, 9 November 2025 (UTC)