
Help talk:Two-factor authentication

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Valereee (talk | contribs) at 13:54, 11 February 2023 (Woes: Reply). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
WikiProject Wikipedia Help (Mid‑importance)
This page is within the scope of the Wikipedia Help Project, a collaborative effort to improve Wikipedia's help documentation for readers and contributors. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. To browse help related resources see the Help Menu or Help Directory. Or ask for help on your talk page and a volunteer will visit you there.
This page has been rated as Mid-importance on the project's importance scale.


iOS

Is there a 2FA app that runs with iOS? The one listed in the article (Authenticator app) requires iOS 12.2 or later. Surely there is an alternative. Hawkeye7 (discuss) 03:17, 13 May 2021 (UTC)[reply]

Changing smartphone

Hi, I got a new smartphone, so how to scan a new QR code? This seems basic information, and it is not in the help page. Thanks, Yann (talk) 18:43, 16 May 2021 (UTC)[reply]

@Yann: you will need to dis-enroll, then re-enroll. — xaosflux Talk 20:49, 16 May 2021 (UTC)[reply]
Assuming you don't have a method with your TOTP client to "transfer" the secrets one way or another. — xaosflux Talk 20:49, 16 May 2021 (UTC)[reply]
I'm in a similar situation — I got a new smartphone because the old one died. However, now I see that you cannot dis-enroll the old TOTP without entering the TFA code, which I can no longer do because the old smartphone died. How do I activate TFA on the new phone? — Steven G. Johnson (talk) 22:19, 5 November 2021 (UTC)[reply]
@Stevenj: you can log in (looks like you already are) and unenroll from 2FA using your SCRATCH CODES (one time use per each). Then you can just reenroll and set up your new device. — xaosflux Talk 22:49, 5 November 2021 (UTC)[reply]
It would be awesome if this were made more clear on the help page itself, this is what I came here looking for and it made me very nervous that I was going to just be screwed and lose access to my account. I'm in the same boat, I had to trade in my phone because the screen broke, so there's no way to get a code from it. (now I have to find the other old device where I recorded the scratch codes....) Beeblebrox (talk) 18:03, 26 April 2022 (UTC)[reply]
@Beeblebrox does Help:Two-factor_authentication#Changing_your_authentication_device help? (The scratch code section has been updated to warn against storing scratch codes somewhere they may be hard to get previously). — xaosflux Talk 18:26, 26 April 2022 (UTC)[reply]

Is there a reason not to mention authy?

It seems pretty good. Doug Weller talk 18:58, 18 May 2021 (UTC)[reply]

@Doug Weller: I think this page grew from the "Simple" version of the help when less was more, Authy is listed at meta:Help:Two-factor_authentication - you could improve this with a list of other clients if you think it will help, though I suggest you declare the ones that are closed source as such. — xaosflux Talk 20:26, 18 May 2021 (UTC)[reply]

Is it definitely the case that our 2FA will work on only one device?

I ask because authy claims to "allow you to backup and sync your 2FA account tokens across multiple device and device types - phones, tablets and computers."[1]. If so, how do I switch from my current authenticator to authy? Disable 2FA first? Thanks. Doug Weller talk 19:09, 22 May 2021 (UTC)[reply]

@Doug Weller: you may set up multiple authentication clients, they have no knowledge of each other. Enrolling a client requires the initial secret - some clients will allow this to be shared back out; but if you need a new initial secret from us you will need to disable and re-enroll to generate it. — xaosflux Talk 19:38, 22 May 2021 (UTC)[reply]
@Xaosflux: thanks, I still have the initial secret. Are you saying I could, for instance, use two clients from my PC, each using my initial secret? If so there's nothing to stop me from experimenting with authy's claim to sync, I can just set it up with the initial secret on my PC and see if it syncs with my other devices registered with authy. Doug Weller talk 10:51, 23 May 2021 (UTC)[reply]
@Doug Weller: yes, for example with the initial secret I have 2 TOTP clients set up, one on a secure computer and one on a smartphone. There is no direct client<-->server communication in this, the only things the client uses are the initial secret and the time (i.e. there is no client key that is used with the server). That being said, the initial secret is quite vulnerable which is why it is suggested you don't actually store it. You can verify that your second client is working because it will be producing the exact same TOTP code as your first one. — xaosflux Talk 12:52, 23 May 2021 (UTC)[reply]
@Xaosflux: that's extremely helpful. Do I just set the one on my smartphone up the way I set up the one on my PC? And out of curiosity, which do you use? I'm replacing my hard disk Tuesday so I'll be starting fresh with no software except Word and Windows 10. Doug Weller talk 15:46, 23 May 2021 (UTC)[reply]
@Doug Weller: "how" you set them up is specific to the client, some want you to scan the QR code, some want you to type in the initial secret - that part is specific to each client. I've tried several; the easiest ones were probably: on Android, Google Authenticator; on Windows, WinAuth. — xaosflux Talk 00:52, 24 May 2021 (UTC)[reply]
@Xaosflux: thanks, I'll try Google authenticator on my phone, keep Winauth on my PC. Doug Weller talk 13:25, 24 May 2021 (UTC)[reply]
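
The point made in this thread, that a TOTP code depends only on the initial secret and the current time, shown as an added example (not part of the original discussion and not Wikimedia's code). It uses the published RFC 6238 test key as the initial secret; `OTHER_SECRET`, the ±1 step verification window and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded
# the way an enrollment page would show an initial secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
OTHER_SECRET = "JBSWY3DPEHPK3PXP"  # constructed: a secret from a different enrollment
STEP = 30  # seconds per TOTP time step


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def client_code(secret_b32, device_clock):
    """What any authenticator app computes: secret + its own clock, no network."""
    return hotp(secret_b32, int(device_clock) // STEP)


def server_verify(secret_b32, submitted, server_clock, window=1):
    """Server side: recompute for nearby steps (window is an assumed tolerance)."""
    now = int(server_clock) // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, now + d), submitted)
        for d in range(-window, window + 1)
    )


def demo(t=1111111109):
    phone = client_code(RFC_SECRET, t)         # client 1
    desktop = client_code(RFC_SECRET, t)       # client 2, same initial secret
    stale = client_code(OTHER_SECRET, t)       # client holding a different secret
    skewed = client_code(RFC_SECRET, t - 90)   # device clock 90 s behind
    return {
        "phone": phone,
        "desktop": desktop,
        "phone_ok": server_verify(RFC_SECRET, phone, t),
        "stale_ok": server_verify(RFC_SECRET, stale, t),
        "skewed_ok": server_verify(RFC_SECRET, skewed, t),
    }


if __name__ == "__main__":
    print(demo())
```

Two clients enrolled with the same secret agree on every code, while a client holding a secret from a different enrollment, or one whose clock has drifted past the window, is rejected.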

In my opinion it is a bit dumb to lock 2FA for certain groups only?

What is the purpose for this? It is ironic that they encourage the usage of 2FA yet only allow it for certain users.

What is the drawback for allowing 2FA for everyone? Nothing.

And the fact that you have to request for 2FA is outrageous. You have to request to use 2FA? — Preceding unsigned comment added by H44dyss9900 (talk • contribs) 11:30, 31 May 2021 (UTC)[reply]

There are currently insufficient support resources for mass participation. — xaosflux Talk 17:03, 22 September 2021 (UTC)[reply]
Bit of a late reply, but @H44dyss9900:, I believe I read that there were some stability issues with failures in the extension that makes 2FA possible that has necessitated manual removal of it many a time, which is why it's locked to certain users. I hope this helps as well. Regards, User:TheDragonFire300. (Contact me | Contributions). 06:16, 13 February 2022 (UTC)[reply]
Well something should be done about this. Then we should fix the issues with the 2FA plugin.
This problem shouldn't really be glossed over, it's very important to have a functioning 2FA, especially on Wikipedia. H44dyss9900 (talk) 17:14, 29 April 2022 (UTC)[reply]

Clarification issue

To make a long story short, I lost access to my authenticator app on my old phone. The good news is that I still have access to my account (obviously), I still have my scratch codes, and I know my committed identity info. So, what's my best option here? Should I disable 2FA and use one of my scratch codes? Or should I try logging into a different browser with a scratch code? Or something else? I'd rather not guess and get locked out. Jauerbackdude?/dude. 14:42, 22 September 2021 (UTC)[reply]

Looking more into this, it seems like disabling 2FA with a scratch code is the best option, so I don't need to try and enter in 2 scratch codes. Jauerbackdude?/dude. 15:03, 22 September 2021 (UTC)[reply]
@Jauerback: yes, use a scratch code to disable 2FA, then you can set it up again from "scratch" :D — xaosflux Talk 17:02, 22 September 2021 (UTC)[reply]
Xaosflux, thanks for your help. I was able to get it working on my new phone. Jauerbackdude?/dude. 19:09, 22 September 2021 (UTC)[reply]

Frequency

Just curious, does 2FA increase the frequency of logins/password challenges? A normal user could potentially click "keep me logged in for 365 days" and not have to log in for a year. –Novem Linguae (talk) 18:34, 8 April 2022 (UTC)[reply]

It's the same. -- zzuuzz (talk) 20:06, 8 April 2022 (UTC)[reply]

About the ordering of the phone based 2FA apps

Currently there is a legacy 2FA app listed as the one called FreeOTP. FreeOTP is years old and hasn't been updated in a long time and has bugs.

I propose AndOTP and Authenticator are moved before FreeOTP. We also potentially could add Aegis Authenticator and Raivo OTP to the list as well. H44dyss9900 (talk) 06:57, 30 April 2022 (UTC)[reply]

Nvm actually the two authenticators I mentioned should be added to https://meta.wikimedia.org/wiki/Help:Two-factor_authentication instead.
But I do think we should put AndOTP and Authenticator before FreeOTP. Even though they are Android/iOS only. H44dyss9900 (talk) 07:03, 30 April 2022 (UTC)[reply]
  • Something like this?
TOTP Software Token Applications

| Name | License Type | Last Update | Android | iOS | Desktop | Cloud backup | Account Required |
|---|---|---|---|---|---|---|---|
| 1Password | Paid subscription/Proprietary | February 2022 | Google Play | App Store | 1password.com (Windows, Linux); Mac App Store (MacOS) | Yes | Yes |
| Aegis Authenticator | Free/Open Source | March 2022 | Google Play; F-Droid; GitHub | | | Yes | No |
| andOTP | Free/Open Source | June 2021 | Google Play; F-Droid; GitHub | | | No | No |
| Authenticator (iOS) | Free/Open Source | June 2019 | | App Store | | No | No |
| Authenticator (Linux) | Free/Open Source | April 2022 | | | Flathub (Linux) | No | No |
| Authenticator.cc (Linux) | Free/Open Source | October 2021 | | | Chrome Web Store; Firefox Add-ons; Edge Add-ons | Yes | No |
| Authy | Free/Proprietary | February 2022 | Google Play | App Store | Authy.com (Linux, MacOS, Windows) | Yes | Yes |
| Enpass | Freemium/Proprietary | November 2021 | Google Play | App Store | Microsoft Store (Windows); Mac App Store (MacOS); enpass.io (Linux, MacOS, Windows) | Yes | Yes |
| FreeOTP | Free/Open Source | August 2014 | Google Play; F-Droid | App Store | | No | No |
| FreeOTP+ | Free/Open Source | December 2021 | Google Play; F-Droid | App Store | | No | No |
| Google Authenticator | Free/Open Source (up to version 5) | April 2019 | GitHub | | | No | No |
| Google Authenticator | Free/Proprietary | May 2020 | Google Play | | | No | No |
| KeeWeb | Free/Open Source | July 2021 | | | Keeweb.info (Linux, MacOS, Windows, offline web app); app.keeweb.info (online web app) | No | No |
| LastPass | Freemium/Proprietary | April 2022 | Google Play | App Store | lastpass.com (Linux, MacOS, Windows) | Yes | Yes |
| Microsoft Authenticator | Free/Proprietary | May 2022 | Google Play | App Store | | Yes | For cloud backup only |
| Passman | Free/Open Source | December 2021 | Google Play; GitHub | | Chrome Web Store; Firefox Add-ons | Yes | Yes, on a Nextcloud or ownCloud server with Passman installed |
| Raivo OTP | Free/Open Source | January 2022 | | App Store | | Yes | No |
| WinAuth | Free/Open Source | October 2017 | | | GitHub (Windows) | No | No |

Was preferences page changed?

I'm a 2FA user and was just verifying something. The instructions here say to check whether 2FA is enabled at Special:Preferences under "Basic information". My UI has the 2FA feature setting under "User profile"; there is no "Basic information" tab. Maybe the preferences page changed since this was written? ☆ Bri (talk) 20:47, 1 February 2023 (UTC)[reply]

@Bri it was renamed, I changed it to use the system message here. — xaosflux Talk 20:52, 1 February 2023 (UTC)[reply]

Woes

So, I got a new phone a few months ago. Apparently I should have done something with my 2FA app during the switchover, but here I am: the app is no longer recognizing me. All this has come to a head because in the last few days I got a new laptop, which is asking me for a 2FA to log into WP. So here I sit on the old computer -- which I'm supposed to have handed down to the hubs -- trying to figure out how to avoid not being able to log in next time I'm asked for an authentication code. Anyone have an idea of how I can fix this? I've already been in chat with the authentication app. They'll get back to me in 2 business days. I'm a little concerned that I could be asked to log in and won't be able to, and will have no way to prove to anyone that I am who I say I am. Valereee (talk) 19:47, 10 February 2023 (UTC)[reply]

[Image: Example of scratch codes]
@Valereee: Did you keep hold of those scratch codes — if so, you can use one when prompted, to remove 2FA from your account before switching over to your new phone. If you didn't hold on to them, you will need to contact Trust and Safety on ca@wikimedia.org TheresNoTime (talk • they/them) 00:42, 11 February 2023 (UTC)[reply]
Oh, the scratch codes! I forgot all about them, but yes, I did, in multiple places. Thank you! That relieves my mind greatly lol! Valereee (talk) 13:54, 11 February 2023 (UTC)[reply]