Two-factor authentication

From Miraheze Meta, Miraheze's central coordination wiki

Miraheze offers two 2FA methods for adding extra protection to your accounts. Only one of these may be enabled at a time.

TOTP

Time-based One-Time Passwords (TOTP) rely on passwords that change as time passes. You must have a TOTP application or program; these are commonly available for all kinds of devices and operating systems.

To enable it, go to Special:Manage Two-factor authentication and select the "TOTP (one-time token)" option. Follow the on-screen instructions to set up.

Once set up, you'll need a code generated by your TOTP device every time you want to log in.
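How a TOTP code is derived from a shared secret and the current time, and why a verifier tolerates a small amount of clock drift, shown as an added example (not Miraheze's or MediaWiki's code). It assumes the RFC 6238 defaults of HMAC-SHA-1 with a 30-second step and 6-digit codes; the secret is the RFC's published test key, and `totp` and `verify` are hypothetical names.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays valid (RFC 6238 default, assumed here)
DIGITS = 6   # code length (common default, assumed here)

# Constructed sample: the RFC 6238 test key, Base32-encoded the way
# authenticator apps usually receive a secret during enrolment.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """Return the code for `secret_b32` at Unix time `at` (default: now)."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    # The moving factor is the number of whole time steps since the epoch,
    # so both sides compute the same code only if their clocks agree.
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte picks
    # a 4-byte window, whose top bit is masked off.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, at=None, drift_steps=1):
    """Accept `code` if it matches the current step or a neighbouring one."""
    now = time.time() if at is None else at
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret_b32, now + d * STEP)
        # Constant-time comparison; every window is checked so timing does
        # not reveal which step matched.
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    print("code at t=59:", totp(SECRET, 59))
    print("accepted one step late:", verify(SECRET, totp(SECRET, 59), at=89))
    print("accepted three steps late:", verify(SECRET, totp(SECRET, 59), at=149))
```

A phone whose clock is off by more than the accepted drift produces codes the server rejects, which is a common cause of failed TOTP logins.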

WebAuthn

WebAuthn relies on an authenticator, most commonly a hardware device like a YubiKey.

To enable it, go to Special:Manage Two-factor authentication and select the "Web Authentication (WebAuthn)" option. Follow the on-screen instructions to set up.

Once set up, you'll always need to have the USB key ready (if using a USB key), and you will always need to go to the wiki you registered the authenticator on to log in. Please register the authenticator at Meta to ensure you are always able to log in, in case the wiki you registered it on changes domains or is deleted.

Account recovery

Enabling 2FA comes with an added risk: if you become unable to satisfy the second factor (for example, the phone holding your TOTP codes breaks and you don't have a backup, or the security keys you used with WebAuthn no longer work), you are effectively locked out.

To prevent this from happening, you can, for example, register multiple different security keys with WebAuthn. There is a process for account recovery in these situations, detailed at Reset lost credentials, but success is not guaranteed, as SRE will always err on the side of caution to avoid falling victim to a social-engineering attack.

Mandatory 2FA

Certain users are required to have 2FA enabled on their accounts, due to the advanced permissions they hold.

See also