OATHAuth

Miraheze uses OATHAuth, an extension for adding two-factor authentication (2FA) to your Miraheze account.

Enabling two-factor authentication

 * Two-factor authentication can be enabled by following the steps on Special:OATH.
 * For Time-based One-Time Password (TOTP) codes used in two-factor authentication, a TOTP app is needed. There are various authentication apps available, including, but not limited to, [https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp andOTP for Android], [https://itunes.apple.com/nl/app/google-authenticator/id388497605?mt=8 Google Authenticator for iOS] and [https://winauth.com/ WinAuth for Windows devices].

'''Write down your recovery codes, and store them in a safe place. Per the section below, it may be difficult to regain access to your account if you lose your device and your recovery codes!'''

Recovering your account

Disabling two-factor authentication (while not logged in to the account) can only be done by editing the global account's information in the database, which has to be done by system administrators.

Unfortunately, because most people don't positively identify themselves before losing access to their accounts, Miraheze system administrators can have a hard time figuring out if someone claiming to be locked out of an account is really who they say they are.

There are two options for recovering your account, which may or may not be applicable to a user's specific case:
 * 1) Miraheze system administrators have absolute discretion, as they are technically able to remove two-factor authentication from any account. Usually, this is only done if the account belongs to someone that the system administrator believes they can positively identify, such as people who frequently talked to them via IRC or email before the incident.
 * 2) Identify yourself via a user committed identity before losing access to your account. In the event that your account is compromised, you could privately reveal the entire secret phrase to a system administrator, who would hash the phrase to verify your identity. Please choose your secret string wisely, as system administrators have sole discretion in determining whether or not this method is enough to identify you.

Please see more details here.
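
The committed-identity check from option 2, as an added example (not Miraheze's or OATHAuth's own code): the user publishes a digest of a secret phrase in advance, and a system administrator later hashes the revealed phrase and compares. SHA-512, the normalization step, the length threshold and the sample phrase are assumptions made for this example; the page does not specify them.

```python
import hashlib
import hmac
import unicodedata

# Assumption: both sides agree on SHA-512; the page does not name a hash.
ALGORITHM = "sha512"


def canonical(phrase: str) -> bytes:
    """Turn the phrase into the exact bytes that get hashed."""
    # NFC folds equivalent Unicode spellings into one form; strip() drops the
    # trailing newline or spaces that copy-paste and `echo` tend to add.
    # Without this, a visually identical phrase can fail verification.
    return unicodedata.normalize("NFC", phrase).strip().encode("utf-8")


def commit(phrase: str) -> str:
    """User side: the hex digest to publish before access is ever lost."""
    return hashlib.new(ALGORITHM, canonical(phrase)).hexdigest()


def verify(revealed_phrase: str, published_digest: str) -> bool:
    """Administrator side: hash the revealed phrase and compare digests."""
    expected = published_digest.strip().lower().encode("utf-8")
    actual = commit(revealed_phrase).encode("utf-8")
    return hmac.compare_digest(actual, expected)


def weak_phrase(phrase: str, min_bytes: int = 40) -> bool:
    """Flag short phrases: the digest is public, so anyone can hash guesses
    offline until one matches. The 40-byte threshold is illustrative only."""
    return len(canonical(phrase)) < min_bytes


if __name__ == "__main__":
    # Constructed sample phrase; a real one should include private details
    # and contact information only the account owner would know.
    secret = "Example User, reachable at user@example.org, chose this on a rainy day"
    digest = commit(secret)
    print("publish on your user page:", digest)
    print("later, admin check passes:", verify(secret + "\n", digest))
    print("wrong phrase passes:", verify("some other phrase", digest))
```

The phrase works only once: after it has been revealed to a system administrator, publish a new digest for a new phrase.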