Help talk:Two-factor authentication
This is the talk page for discussing improvements to the Two-factor authentication page.
Archives: 1. Auto-archiving period: 30 days.
WikiProject Wikipedia Help: Mid-importance.
If you have been locked out of your account, you should contact Wikimedia Trust and Safety on ca
Changing smartphone
Hi, I got a new smartphone, so how to scan a new QR code? This seems basic information, and it is not in the help page. Thanks, Yann (talk) 18:43, 16 May 2021 (UTC)
- @Yann: you will need to dis-enroll, then re-enroll. — xaosflux Talk 20:49, 16 May 2021 (UTC)
- Assuming you don't have a method with your TOTP client to "transfer" the secrets one way or another. — xaosflux Talk 20:49, 16 May 2021 (UTC)
- I'm in a similar situation — I got a new smartphone because the old one died. However, now I see that you cannot dis-enroll the old TOTP without entering the TFA code, which I can no longer do because the old smartphone died. How do I activate TFA on the new phone? — Steven G. Johnson (talk) 22:19, 5 November 2021 (UTC)
- @Stevenj: you can login (looks like you already are) and unenroll from 2FA using your SCRATCH CODES (one time use per each). Then you can just reenroll and set up your new device. — xaosflux Talk 22:49, 5 November 2021 (UTC)
- It would be awesome if this were made more clear on the help page itself, this is what I came here looking for and it made me very nervous that I was going to just be screwed and lose access to my account. I'm in the same boat, I had to trade in my phone because the screen broke, so there's no way to get a code from it. (now I have to find the other old device where I recorded the scratch codes....) Beeblebrox (talk) 18:03, 26 April 2022 (UTC)
- @Beeblebrox does Help:Two-factor_authentication#Changing_your_authentication_device help? (The scratch code section has been updated to warn against storing scratch codes somewhere they may be hard to get previously). — xaosflux Talk 18:26, 26 April 2022 (UTC)
In my opinion it is a bit dumb to lock 2FA for certain groups only?
What is the purpose for this? It is ironic that they encourage the usage of 2FA yet only allow it for certain users.
What is the drawback for allowing 2FA for everyone? Nothing.
And the fact that you have to request for 2FA is outrageous. You have to request to use 2FA? — Preceding unsigned comment added by H44dyss9900 (talk • contribs) 11:30, 31 May 2021 (UTC)
- There is currently insufficient support resources for mass participation. — xaosflux Talk 17:03, 22 September 2021 (UTC)
- Bit of a late reply, but @H44dyss9900:, I believe I read that there were some stability issues with failures in the extension that makes 2FA possible that has necessitated manual removal of it many a time, which is why it's locked to certain users. I hope this helps as well. Regards, User:TheDragonFire300. (Contact me | Contributions). 06:16, 13 February 2022 (UTC)
- Well something should be done about this. Then we should fix the issues with the 2FA plugin.
- This problem shouldn't really be glossed over, it's very important to have a functioning 2FA, especially on Wikipedia. H44dyss9900 (talk) 17:14, 29 April 2022 (UTC)
- I know I'm a bit late to this conversation... it's 2023 now and the trend has swung even further towards MFA. Companies are getting kicked off of cyber insurance policies for having a few things without MFA, making them an unacceptable risk. The idea that one of the most visited websites on the entire internet doesn't ALLOW someone to have MFA, or doesn't have a stable implementation yet, is ridiculous. Not FORCING people to use it is rapidly becoming a huge no-no according to cybersecurity experts. We should be ages past allowing it. T`swift`rocks (talk) 05:10, 16 February 2023 (UTC)
- Long time anonymous reader of Wikipedia, just signed up for an account to maybe dabble in simple editing. I am shocked that this is not available to all accounts in 2023. I don't think I am signed up for any other service that actually doesn't even offer 2FA to the user at all. This is now a fundamental security requirement for anything you log into, just as important (if not more now) than a password. If there are problems with 2FA as stated above, perhaps fixing it should be a priority. That was almost a year ago. Boatvan (talk) 23:36, 15 April 2023 (UTC)
Clarification issue
To make a long story short, I lost access to my authenticator app on my old phone. The good news is that I still have access to my account (obviously), I still have my scratch codes, and I know my committed identity info. So, what's my best option here? Should I disable 2FA and use one of my scratch codes? Or should I try logging into a different browser with a scratch code? Or something else? I'd rather not guess and get locked out. Jauerbackdude?/dude. 14:42, 22 September 2021 (UTC)
- Looking more into this, it seems like disabling 2FA with a scratch code is the best option, so I don't need to try and enter in 2 scratch codes. Jauerbackdude?/dude. 15:03, 22 September 2021 (UTC)
- @Jauerback: yes, use a scratch code to disable 2FA, then you can set it up again from "scratch" :D — xaosflux Talk 17:02, 22 September 2021 (UTC)
- Xaosflux, thanks for your help. I was able to get it working on my new phone. Jauerbackdude?/dude. 19:09, 22 September 2021 (UTC)
Frequency
Just curious, does 2FA increase the frequency of logins/password challenges? A normal user could potentially click "keep me logged in for 365 days" and not have to log in for a year. –Novem Linguae (talk) 18:34, 8 April 2022 (UTC)
- It's the same. -- zzuuzz (talk) 20:06, 8 April 2022 (UTC)
About the ordering of the phone based 2FA apps
Currently there is a legacy 2FA app listed as the one called FreeOTP. FreeOTP is years old and hasn't been updated in a long time and has bugs.
I propose AndOTP and Authenticator are moved before FreeOTP. We also potentially could add Aegis Authenticator and Raivo OTP to the list as well. H44dyss9900 (talk) 06:57, 30 April 2022 (UTC)
- Nvm actually the two authenticators I mentioned should be added to https://meta.wikimedia.org/wiki/Help:Two-factor_authentication instead.
- But I do think we should put AndOTP and Authenticator before FreeOTP. Even though they are Android/iOS only. H44dyss9900 (talk) 07:03, 30 April 2022 (UTC)
- So my suggestion is to change this to a table, make the default sort be alphabetical. Include columns: Name, License type, Last version/date, Android link(s), Apple link. Since we have MS Auth on here, prob should also include Google Authenticator too. — xaosflux Talk 09:47, 30 April 2022 (UTC)
- Something like this?
Was preferences page changed?
I'm a 2FA user and was just verifying something. The instructions here say to check whether 2FA is enabled at Special:Preferences under "Basic information". My UI has the 2FA feature setting under "User profile"; there is no "Basic information" tab. Maybe the preferences page changed since this was written? ☆ Bri (talk) 20:47, 1 February 2023 (UTC)
- @Bri it was renamed, I changed it to use the system message here. — xaosflux Talk 20:52, 1 February 2023 (UTC)
Woes
So, I got a new phone a few months ago. Apparently I should have done something with my 2FA app during the switchover, but here I am: the app is no longer recognizing me. All this has come to a head because in the last few days I got a new laptop, which is asking me for a 2FA to log into WP. So here I sit on the old computer -- which I'm supposed to have handed down to the hubs -- trying to figure out how to avoid not being able to log in next time I'm asked for an authentication code. Anyone have an idea of how I can fix this? I've already been in chat with the authentication app. They'll get back to me in 2 business days. I'm a little concerned that I could be asked to log in and won't be able to, and will have no way to prove to anyone that I am who I say I am. Valereee (talk) 19:47, 10 February 2023 (UTC)
- @Valereee: Did you keep hold of those scratch codes — if so, you can use one when prompted, to remove 2FA from your account before switching over to your new phone. If you didn't hold on to them, you will need to contact Trust and Safety on ca wikimedia.org — TheresNoTime (talk • they/them) 00:42, 11 February 2023 (UTC)
- Oh, the scratch codes! I forgot all about them, but yes, I did, in multiple places. Thank you! That relieves my mind greatly lol! Valereee (talk) 13:54, 11 February 2023 (UTC)
WebAuthn support kinda poor
I just encountered Phab:T244088, "Logging in at another wiki than WebAuth was set up fails". It can be worked around (see meta:User:Bri.public/2FA issue), but makes WebAuthn somewhat clumsy. Two questions: 1) is this important enough to note on the help page and 2) does anybody else care? The bug was reported three years ago and is stalled. ☆ Bri (talk) 21:07, 20 February 2023 (UTC)
- Feel free to put more warnings about the problems with WebAuthn in the Help:Two-factor_authentication#WebAuthn section. I don't suggest anyone use it. — xaosflux Talk 22:13, 20 February 2023 (UTC)
Authentication failed
I recently activated Two-factor authentication on my account. Now I struggle to sign in on new devices. The message I receive says something about “Authentication process was interrupted. Please start the authentication process again.” Is there a way to turn on and off two-factor authentication or restart the authentication process on the account? I’ve tried to turn it off but get the same message.
If I’ve written this question on the wrong page please move it to where it belongs. -Bksm (talk) 16:56, 12 July 2023 (UTC)
Google Authenticator
Why is Google Authenticator not listed? It is by far the most popular (~1000x the download count of Aegis which is probably the most popular from the current list), it's made by a large company with a reputation of having very good security, it has an online backup option so switching phones is hassle-free. Tgr (talk) 17:37, 13 December 2023 (UTC)
- @Tgr (some discussion in Help talk:Two-factor authentication/Archive 1) - short answer is that for the "recommended" application, a FOSS application was desired. I've added a link to Comparison of OTP applications on the page, that includes many more clients. — xaosflux Talk 18:57, 13 December 2023 (UTC)
- As it looks like Microsoft Authenticator has slipped in, I really have no objection to listing GAuth as another example so long as it isn't the 'recommended' one. — xaosflux Talk 19:01, 13 December 2023 (UTC)
- Personally I don't think this is the best place for FLOSS advocacy. It's good to have some FLOSS tools in the mix, for the (probably tiny) minority of users who do care about that. But the average editor will be much better served by a tool that has good UX, a cloud backup (so you don't lock yourself out if you lose your phone) and good enough security practices that the cloud backup won't get broken into. I haven't reviewed the list but I'd be surprised if there would be FLOSS tools which meet that bar. Tgr (talk) 07:38, 15 December 2023 (UTC)
- I can vouch for Authy as a much better option than Google Authenticator or most of the listed ones - it allows cloud backups, which means you won't have to deal with the nonsense that often happens when your phone dies or is replaced. It also works on Android, iOS, Mac, Windows and Linux (and syncs between them, so again if you lose your phone it's not a problem). I've been using it for a few years now, and had no issues. — Preceding unsigned comment added by The Wordsmith (talk • contribs) 22:11, 18 December 2023 (UTC)
- As above, seems OK to add more that are useful. — xaosflux Talk 18:58, 12 January 2024 (UTC)
- Authy's desktop apps will be discontinued in August 2024. I oppose recommending Authy, as it has a highly questionable privacy policy and requires a phone number to sign up. Editors should not be recommended tools that expose much more of their personal information than Wikipedia itself does, particularly when there is a plethora of less intrusive options. — Newslinger talk 20:51, 12 January 2024 (UTC)