Help:Two-factor authentication


Wikitech LDAP accounts can be protected with two-factor authentication (TFA or 2FA) provided by the MediaWiki OATHAuth extension. It provides two-factor authentication via something you have (your phone or desktop client) and something you know (your user name/password).


First, you'll need a client application to store the two-factor authentication token and generate codes. Typically these are smartphone apps, but desktop clients are also available:

  • FreeOTP (free and open source, maintained by Red Hat) – Android and iOS
  • Google Authenticator (no longer open source) – Android and iOS
  • oathtool (command line)

Remember that you will need this device with you whenever you log in.



All Wikitech LDAP accounts are eligible for two-factor authentication protection. You will see a link in your preferences to enable it. Clicking on the link will display a QR code and a text code. Most smartphone apps will use the camera to scan the QR code, and automatically add the entry for the account to the list.
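What a client application does with the text code, as an added example that is not part of the original page or of OATHAuth's code: it derives a time-based one-time code as specified in RFC 6238, and the server accepts a code if it matches within a small clock-drift window. The SHA-1 hash, 30-second step, six digits, the one-step window and the function names are assumptions; the sample secret is the published RFC test key, constructed here for illustration only.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
# It is public, so never enrol a real account with it.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(text_code):
    """Decode the base32 text code, tolerating spaces, lowercase and missing padding."""
    cleaned = text_code.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """HMAC-based one-time code (RFC 4226) for one counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(text_code, at=None, step=30, digits=6):
    """Code the client shows at Unix time `at` (default: now)."""
    now = time.time() if at is None else at
    return hotp(decode_secret(text_code), int(now // step), digits)


def verify(text_code, submitted, at=None, step=30, window=1):
    """Server-side check: accept codes from `window` steps either side of now."""
    key = decode_secret(text_code)
    base = int((time.time() if at is None else at) // step)
    ok = False
    for counter in range(max(0, base - window), base + window + 1):
        candidate = hotp(key, counter).encode()
        ok |= hmac.compare_digest(candidate, submitted.encode())  # constant time
    return ok


if __name__ == "__main__":
    print("current code for the sample secret:", totp(SAMPLE_SECRET))
```

Because the code depends only on the shared secret and the clock, anyone who obtains the QR code or text code can generate valid codes, and a device with a badly wrong clock will be rejected.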

Scratch codes

The special page will also list five emergency "scratch codes" that can be used if you lose your phone. Each code can only be used one time and will only be displayed at the time that you enable two-factor authentication. If you need to get new codes, you can disable and then re-enable 2FA.
