Help talk:Two-factor authentication/Archive 1
This is an archive of past discussions about Help:Two-factor authentication. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
Questions that don't seem to be answered here or anywhere else.
- If I set this up using a smartphone, do I need to use the phone every time I log in?
- If so, does it have to be the same phone?
- If I opt in to this, and decide it's too much hassle, can I opt out again?
I should point out that I use a very strong password, unique to WP, but in the light of further hacking today I'm willing to consider further security. Optimist on the run (talk) 22:38, 16 November 2016 (UTC)
Optimist on the run answers below. — xaosflux Talk 22:48, 16 November 2016 (UTC)
- You have to use it any time you are currently prompted for a password: you will also need the code. If you "remember me" on a computer and don't need a password each time, you won't need this each time - unless you do something like try to change your email or password.
- You can register MULTIPLE phones - they will all produce the same code.
- You can unenroll whenever you want right now. — xaosflux Talk 22:48, 16 November 2016 (UTC)
Google Authenticator
Can we please not encourage use of Google Authenticator? First, there are better authenticators available, mainly with features like syncing or backup. (Who wants to deal with the hell when users update their phones and Google Authenticator no longer opens or cannot import the content?) Second, don't we support free and open solutions? For iOS there is an app made by Fedora people. I'd even put Authy before GA for its functionality. I used GA for a while because it helped popularize the use of 2FA but enlightened upon deciding to search for alternatives that many others are ahead of the curve. If GA needs to be listed, let's suggest it third. czar 17:06, 16 November 2016 (UTC)
- I wrote about Google Authenticator because it's the only thing I tried and hence all I know how to write up. If you know how to make this work with another device, add it to the document. I share Linus Torvalds' view on open-source solutions, which is use them if they work for you, and don't use them if they don't. As the ha-ha-only-serious page Wikipedia:WikiSpeak says, "Ogg Vorbis : An audio file format. It is not supported by most commonly used audio software and is unheard of by anyone other than extreme free software nerds, and therefore has been adopted as the standard audio format for Wikipedia." Couldn't have put it better myself :-) PS: around here, "GA" means Good Article, watch your acronyms! Ritchie333 (talk) (cont) 17:13, 16 November 2016 (UTC)
- 2FA secrets should never be backed up: that defeats the idea of 2FA, which is that being able to generate a valid code proves you have physical possession of the phone. Instead of backing up the app contents, you should save an offline copy of the recovery codes shown at enrollment time. Those let you turn off 2FA by entering a recovery code. 50.0.136.56 (talk) 06:50, 18 November 2016 (UTC)
Userbox
Seems to me that this would be a good idea to have a userbox for. I've never created one before, but I took a stab at making it, anyway. So, here's an initial attempt. If everyone hates the idea, it can die here. Jauerbackdude?/dude. 13:04, 17 November 2016 (UTC)
2FA | This user has enabled Two-Factor Authentication. |
- @Jauerback: Noooooooooooo, I created {{User 2FA}} a little while back - yours looks nicer though, feel free to replace the code (though please keep the category) -- samtar talk or stalk 13:10, 17 November 2016 (UTC)
- No that's ok, yours is fine. I didn't realize one already existed. Jauerbackdude?/dude. 13:33, 17 November 2016 (UTC)
- I don't see an obvious practical exploit, but this box seems to give away info to attackers unnecessarily. They should not be able to tell whether someone has 2FA enabled or not. I'd also get rid of the category. 50.0.136.56 (talk) 06:57, 18 November 2016 (UTC)
- @.56: This crossed my mind - however there is no real advantage gained for the attacker from knowing if an account was using 2FA, other than to perhaps exclude them from brute force attacks or if an exploit with the 2FA system is found -- samtar talk or stalk 08:13, 18 November 2016 (UTC)
- I agree with '56, I wouldn't put this userbox on my page per WP:BEANS. Ritchie333 (talk) (cont) 12:41, 18 November 2016 (UTC)
- Valid point, but I would assume most hackers would go for an account with less security. Then again, BEANS does exist for a reason. Jauerbackdude?/dude. 15:29, 18 November 2016 (UTC)
I still feel the same way as before (of course it's even more important to avoid identifying accounts that don't use 2FA) but I changed the userbox contents to Jauerback's version, per Samtar's comment that it looks nicer (I also think it looks nicer). 50.0.136.56 (talk) 00:49, 19 November 2016 (UTC)
page move
This page should be converted from WP:ESSAY to a help page. 50.0.136.56 (talk) 07:07, 18 November 2016 (UTC)
- I would hope that's the long-term aim, but I wanted to wait until the page was a bit more mature first, with examples supplied by several editors. I'd quite like it to eventually usurp the "official" WP:2FA page, which is a soft redirect at the moment. Ritchie333 (talk) (cont) 12:40, 18 November 2016 (UTC)
- Sounds good. The page should hopefully become pretty foolproof by the time 2FA is made available to all accounts. A lot of people will want to refer to the page then. 50.0.136.56 (talk) 00:51, 19 November 2016 (UTC)
outside review
Can we ask for some outside review of this page from non-technical editors? We contributors are all too caught up in it to have good judgment about whether it serves its purpose as well as it could. I thought of a few people to ping but maybe it can be done more formally. The review request shouldn't be to "sell" 2FA, but just to get opinions on whether the page is readable and not too long-winded. It can include non-admins even though only admins can currently activate 2FA. Thoughts are welcome. 50.0.136.56 (talk) 00:42, 19 November 2016 (UTC)
User:Bishonen, can you take a look at the page and post any comments here? I'm not asking you to activate 2FA (that's entirely up to you) but just to let us know if the page makes it comprehensible or what improvements it needs. I thought of you because I remember your post in the AN thread about the topic being unclear. Maybe this makes it better--let us know. Thanks. 50.0.136.56 (talk) 05:36, 20 November 2016 (UTC)
- User:Bishonen - repeating ping attempt since the one above might have failed from a typo I made. 50.0.136.56 (talk) 05:37, 20 November 2016 (UTC)
- Oh, you don't have to explain why you chose me as a good example of a non-technical editor! :-) (You're quite right about that, though I can do a few unexpected things, such as block IPv6 ranges.) Thanks for asking. I have two questions:
- 1. The assumption that everybody has and uses a smartphone is worrying for me. I know it's incredible, but I don't use one; I can't get comfortable with them. The implication on the page seems to be that it will be a pest, every time, to use 2FA from a desktop computer. Is that right?
- A: You have to use 2FA any time you currently have to enter your password. So if you use a desktop and normally "keep me logged in" you don't have to use it each time from that computer. — xaosflux Talk 06:00, 20 November 2016 (UTC)
- Ahh... yes, Xaosflux... I essentially do use "keep me logged in", but (blushes) I still log in and out quite a bit. Compare [1]. Bishonen | talk 06:17, 20 November 2016 (UTC).
- A possible ease of use for your use case would be to use multiple browser, or private browsing sessions for your alt accounts. On my normal desktop, I use one browser for most of my use, but if I need to log in as a test user or say my bot account, I use a private browsing session or another browser - that way I can stay logged in. Not "flawless" but it could help you. — xaosflux Talk 16:13, 20 November 2016 (UTC)
- 2. Do I need 2FA, if I have a strong password which I don't use anywhere else, and nobody outside my highly reliable family gets near my computer? I heard on the grapevine that those admin accounts were able to be hacked because they used the same password somewhere else (a mailing list?). Is that true? Bishonen | talk 05:54, 20 November 2016 (UTC).
- Thanks for the comments and no worries about the smartphone, I don't use one either. Re your questions:
1) Using 2FA on a desktop shouldn't be much different than using it on a phone. You launch the program and then there's a window showing a 6 digit number that changes once a minute, that you enter along with your password. I haven't used the Windows program mentioned but you might even be able to make the window real small and leave it on your screen, or put it in one of the taskbar indicators like the date/time display, so you don't even have to click anything to use it.
2) I think you are reasonably safe with what you describe. What seems to have happened is various people used the same username/password on Wikipedia and some site XYZ, then XYZ got compromised and all of its usernames and passwords spilled, and then the attacker tried the XYZ usernames/passwords on Wikipedia and a lot of them worked (or they might have inferred usernames from email addresses, or whatever). I don't know what XYZ was, but that's a common attack that has happened to many sites (I remember some Adobe.com site spilling millions of passwords a few years ago). I just generate random distinct passwords for everything and store them in the browser password vault, so I don't actually know any of my own passwords.
We should improve the documentation about the Windows desktop token, and add them for Mac and Linux. 50.0.136.56 (talk) 06:16, 20 November 2016 (UTC)
- OK, thanks. What's that "browser password vault"? I want one! Bishonen | talk 06:20, 20 November 2016 (UTC).
- It's just a feature in browsers where the browser offers to remember different passwords for you, and it can encrypt the collection under a master password that you enter when you launch the browser (so that's just one password to remember). In Firefox you can turn it on by going to Preferences -> Security and checking "Remember logins for sites". There's something similar in Chrome but I don't know how to operate it. 50.0.136.56 (talk) 06:24, 20 November 2016 (UTC)
I'll be away for a few days but others here or on WP:RDC should be able to handle further questions/issues. Bye for now. 50.0.136.56 (talk) 07:00, 20 November 2016 (UTC)
- "We should improve the documentation about the Windows desktop token, and add them for Mac and Linux." Couldn't agree more, and the only reason I personally haven't done it is because I haven't tried it, and as I seem to be a bit of an Apple fanboy, I don't use Windows software unless forced to at gunpoint (or just use Wine). However, if nobody else is prepared to improve the non-smartphone documentation, I guess muggins here will give it a go. Ritchie333 (talk) (cont) 14:06, 21 November 2016 (UTC)
- Good ol' muggins - tell you what, I'll work on the Windows aspect and let you deal with the widely loved Apple product. Linux is going to be nice and easy, because I'm sure there's hundreds of TOTP clients and it's safe to assume Linux users are at least somewhat technical -- samtar talk or stalk 14:31, 21 November 2016 (UTC)
possible minor error
- Page says "However, because the key is time-based, it may change while you're doing this, in which case you'll have to add the latest key instead."
Could someone with 2FA test that and possibly update the doc? Log in with 2FA, wait for the code to flip over to a new one, and then enter the old code a few seconds later? Servers generally allow some leeway in the timing to deal with this situation, and also to handle slight timekeeping discrepancies between the server and the 2FA device. But I don't want to change the document unless it's been tested. 50.0.136.56 (talk) 07:15, 18 November 2016 (UTC)
- Tested, and given my understanding of TOTP the old code should invalidate the moment a new code is generated. I imagine there is a slight leeway, though not enough for me to get in on an old code -- samtar talk or stalk 08:16, 18 November 2016 (UTC)
- Can you confirm, you entered the old code a few seconds after the code flipped, and you couldn't log in? I'd report that as a bug. You should get a decent size window, maybe as much as half a minute (using a code from yesterday should of course fail). The hardware tokens in the picture are basically cheap digital watches with different packaging and firmware. So their clocks drift by as much as a few seconds per week. Server-side software is supposed to allow for that, partly by tracking the amount of drift for a given token. 50.0.136.56 (talk) 17:04, 18 November 2016 (UTC)
- I've had a look now - the code on Google Authenticator is normally blue, but changes to red immediately before the key expires and changes. Ritchie333 (talk) (cont) 14:12, 21 November 2016 (UTC)
- The technical answer is that at any moment, the current code, the four codes before and the four codes after will be accepted, unless they have been used before. This is to account for clock divergence between client and server as well as input errors and submitting right at the moment where the generator will rotate to the next key. Users shouldn't have to worry about that. —TheDJ (talk • contribs) 11:19, 22 November 2016 (UTC)
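The acceptance rule TheDJ describes (the current code plus the four steps either side, each code accepted only once) and the clock-drift tolerance 50.0.136.56 asks about, worked through in Python as an added example that is not part of this discussion and is not MediaWiki's OATHAuth code. The 30-second step, HMAC-SHA1 and six digits are the RFC 6238 defaults assumed here; `DEMO_SECRET` is the RFC 4226 test-vector key, constructed for the demo and not a real enrollment secret. The same shared secret is why several enrolled devices show the same code at the same moment.

```python
"""Added example: RFC 6238 TOTP with a server-side acceptance window and replay check.
Not MediaWiki's code; 30 s step, SHA-1 and 6 digits are RFC defaults assumed here."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key, NOT a real enrollment secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(at) // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps and QR codes carry the secret as base32; decode it (padding optional)."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


class TotpVerifier:
    """Server side: accept the current code and the `window` codes before and after it,
    but never a code (time step) that has already been accepted once (replay protection)."""

    def __init__(self, secret: bytes, window: int = 4, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.used_steps: set[int] = set()

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        # Forget used steps that have fallen out of the window; they cannot be accepted anyway.
        self.used_steps = {s for s in self.used_steps if s >= current - self.window}
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate in self.used_steps:
                continue  # replay of an already-consumed code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.used_steps.add(candidate)
                return True
        return False


def demo(now: float = 1_700_000_000) -> dict:
    """Walk through the cases discussed above at a fixed, constructed time."""
    v = TotpVerifier(DEMO_SECRET)
    code_now = totp(DEMO_SECRET, now)
    return {
        # Entered 35 s later, i.e. after the display has flipped to the next code.
        "first use accepted": v.verify(code_now, now + 35),
        "replay rejected": v.verify(code_now, now + 35),
        # A device whose clock runs two minutes fast is still within the window.
        "four steps ahead accepted (clock drift)": v.verify(totp(DEMO_SECRET, now + 4 * 30), now),
        "five steps behind rejected": v.verify(totp(DEMO_SECRET, now - 5 * 30), now),
        "yesterday rejected": v.verify(totp(DEMO_SECRET, now - 86400), now),
    }


if __name__ == "__main__":
    print("current demo code:", totp(DEMO_SECRET, time.time()))
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A window of four steps either side means an old code stays valid for about two minutes after it scrolls off the display, but only until it has been used once; the per-token drift tracking mentioned above would be an addition on top of this fixed window.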
"If you lose your phone ..."
The text above the list of codes says "... If you lose your phone, these tokens are the only way to rescue your account. ...".
How does that apply to those of us who do not have a phone?
Robin Patterson (talk) 20:12, 5 March 2017 (UTC)
- This is the "simple" guide - it equally applied to "if you lose all of your OTAP authentication mechanisms". — xaosflux Talk 04:51, 16 July 2017 (UTC)
How do I get a new QR code?
I need to add WP to a new authenticator app. Roger (Dodger67) (talk) 21:44, 30 August 2017 (UTC)
- @Dodger67: this is not currently available. See phab:T172079. Options are: (1) Use the "two-factor secret key" you first were given, if you recorded it. (2) Un-enroll and re-enroll. — xaosflux Talk 23:09, 30 August 2017 (UTC)
- @Dodger67: fix ping. — xaosflux Talk 23:10, 30 August 2017 (UTC)
How do I use my Android phone iPad to get the code once it's set up?
I'm happy using winauth on Windows but what do I do if I'm away from it? Thanks. Doug Weller talk 17:21, 14 November 2017 (UTC)
- @Doug Weller: using the original code presented during enrollment (you can get a new one by unenrolling and re-enrolling) you may create as many authentication devices as you would like. I use 2 different ones. — xaosflux Talk 18:20, 14 November 2017 (UTC)
- @Xaosflux: Thanks, I wasn't clear enough. I don't know how to set up any of the possible apps to the point where I'd use that code. Do you mean the secret code? Doug Weller talk 18:41, 14 November 2017 (UTC)
- I use Google Authenticator. You can install it with these directions. When you first activate 2FA you get an enrollment code for your account. You can tell if it is working with multiple devices as they will all show the same code at the same time. — xaosflux Talk 18:56, 14 November 2017 (UTC)
- @Xaosflux: Thanks. It took me a while to recall that my account name was with my secret code. Maybe the instructions on this page could be a bit more dummy oriented! Doug Weller talk 16:48, 17 November 2017 (UTC)
Some questions
- "required for interface administrators, checkusers, and oversighters, among others." I don't believe this is accurate, per WTT's comment here. Should this be changed?
- Is there some reason that we have a picture of a QR code linked to someone's (now-deleted) Google+ profile? QR codes have easily enough redundancy to make this one readable. GoldenRing (talk) 11:55, 26 March 2019 (UTC)
- I thought checkusers and oversighters required 2FA because they were listed under :m:Help:Two-factor authentication § Mandatory use user groups. Is this limited to Meta-Wiki? In any case, I've removed these two from the list of groups where 2FA is required, as the list doesn't need to be exhaustive. The QR code image was there from before, and I've also removed it because it was redundant with the phone scan image. Thanks for your feedback. — Newslinger talk 16:17, 26 March 2019 (UTC)
- @Newslinger: I'm following up on that - I think it is just wrong on meta as well. — xaosflux Talk 22:52, 26 March 2019 (UTC)
- It was added by a random user on Meta. It isn't correct. Only stewards and interface admins require 2FA. -- Ajraddatz (talk) 22:55, 26 March 2019 (UTC)
- Thanks for discovering the issue and fixing the source page. — Newslinger talk 06:45, 27 March 2019 (UTC)
mac
- What is the equivalent Macintosh program to winauth?
- Is it possible to generate additional emergency keys, or can this be done only by disabling and then re-enabling? DGG ( talk ) 17:32, 17 November 2017 (UTC)
- @DGG: you could try oathtool command line for mac desktop, I'm not finding a good gui based one for free. To get new scratch codes you need to unenroll and reenroll. — xaosflux Talk 02:44, 18 November 2017 (UTC)
- A bit late here, but try using KeeWeb, which should work with macOS. The new instructions are at WP:2FA § KeeWeb (Windows, macOS, Linux, online). Please let me know if the instructions are confusing or unclear. — Newslinger talk 23:08, 30 March 2019 (UTC)
Why is 2FA limited to Bureaucrats, Admins, etc?
I am glad to see that 2FA is being brought to Wikipedia. However, why is it limited to users with advanced permissions? Why not provide everyone with the option to further secure their accounts? I ask, because I've been looking for this since 2014. Thanks! Tony Tan · talk 05:11, 22 November 2016 (UTC)
- The plan is to make it available to all editors, it just is getting rolled out in phases - and appears to have been fast tracked due to the recent account hacks. — xaosflux Talk 05:12, 22 November 2016 (UTC)
- If you really really want it now, you can ask a steward to add you to the oath testing group. — xaosflux Talk 05:14, 22 November 2016 (UTC)
- I see. I look forward to 2FA becoming available to all editors. Thanks! Tony Tan · talk 21:52, 22 November 2016 (UTC)
- FWIW, I'd suggest Template Editors go next, because of the potential damage that can be done from their accounts. StevenJ81 (talk) (a Template Editor, but with 2FA from being an admin/crat elsewhere) 18:44, 29 December 2016 (UTC)
- It's kind of hard to find but you can request access at m:Steward requests/Miscellaneous. Feel free to use my request dated 15:19, 18 August 2017 as a template. ☆ Bri (talk) 16:20, 18 October 2017 (UTC)
- m:Steward requests/Global permissions would be the best place! @Tony Tan: would you still like 2FA access? If you confirm here, I can add it to your account. -- Ajraddatz (talk) 18:07, 18 October 2017 (UTC)
- @Ajraddatz: I got 2FA by temporarily getting sysop on testwiki last year. If you could add me to a more permanent 2FA list, that would be great. Thanks! Tony Tan · talk 22:58, 18 October 2017 (UTC)
- I could add you to the global oathauth testing group, but since you already have it enabled, that wouldn't be beneficial. If you need to disable it in the future, let me know :-) -- Ajraddatz (talk) 23:17, 18 October 2017 (UTC)
- Okay, I will let you know if/when I need to un-enroll and re-enroll due to a device change. Cheers! Tony Tan · talk 23:21, 18 October 2017 (UTC)
- @Ajraddatz: just to note, anyone may disable 2FA, group is only needed to enroll. — xaosflux Talk 23:23, 18 October 2017 (UTC)
- Oh cool, thanks for the info. -- Ajraddatz (talk) 18:33, 19 October 2017 (UTC)
I request this feature before having an account compromised despite our passwords meeting best practices. I imagine many editors share this sentiment. Richardc020 (talk) 16:33, 12 November 2018 (UTC)
- There is a proposal on Meta to make it easier for all editors to access 2FA. If you're interested, see m:Meta:Requests for comment/Enable 2FA on meta for all users. — Newslinger talk 23:54, 30 March 2019 (UTC)