Help talk:Two-factor authentication/Archive 1

This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.

1. If I set this up using a smartphone, do I need to use the phone every time I log in?
2. If so, does it have to be the same phone?
3. If I opt in to this, and decide it's too much hassle, can I opt out again?

I should point out that I use a very strong password, unique to WP, but in the light of further hacking today I'm willing to consider further security. Optimist on the run (talk) 22:38, 16 November 2016 (UTC)

Optimist on the run answers below. — xaosflux ^Talk 22:48, 16 November 2016 (UTC)

1. You have to use it anytime you are currently prompted for a password, you will also need the code. If you "remember me" on a computer and don't need a password each time, you won't need this each time - unless you do something like try to change your email or password.
2. You can register MULTIPLE phones - they will all produce the same code.
3. You can unenroll whenever you want right now.

— xaosflux ^Talk 22:48, 16 November 2016 (UTC)

Can we please not encourage use of Google Authenticator? First, there are better authenticators available, mainly with features like syncing or backup. (Who wants to deal with the hell when users update their phones and Google Authenticator no longer opens or cannot import the content?) Second, don't we support free and open solutions? For iOS there is an app made by Fedora people. I'd even put Authy before GA for its functionality. I used GA for a while because it helped popularize the use of 2FA but enlightened upon deciding to search for alternatives that many others are head of the curve. If GA needs to be listed, let's suggest it third.  czar 17:06, 16 November 2016 (UTC)

I wrote about Google Authenticator because it's the only thing I tried and hence all I know how to write up. If you know how to make this work with another device, add it to the document. I share Linus Torvalds' view on open-source solutions, which is use them if they work for you, and don't use them if they don't. As the ha-ha-only-serious page Wikipedia:WikiSpeak says, "Ogg Vorbis : An audio file format. It is not supported by most commonly used audio software and is unheard of by anyone other than extreme free software nerds, and therefore has been adopted as the standard audio format for Wikipedia." Couldn't have put it better myself :-) PS: around here, "GA" means Good Article, watch your acronyms! Ritchie333 ^{(talk) (cont)} 17:13, 16 November 2016 (UTC)

2FA secrets should never be backed up: that defeats the idea of 2FA, which is that being able to generate a valid code proves you have physical possession of the phone. Instead of backing up the app contents, you should save an offline copy of the recovery codes shown at enrollment time. Those let you turn off 2FA by entering a recovery code. 50.0.136.56 (talk) 06:50, 18 November 2016 (UTC)

Seems to me that this would be a good idea to have a userbox for. I've never created one before, but I took a stab at making it, anyway. So, here's an initial attempt. If everyone hates the idea, it can die here. Jauerback^dude?/_dude. 13:04, 17 November 2016 (UTC)

@Jauerback: Noooooooooooo, I created {{User 2FA}} a little while back - yours looks nicer though, feel free to replace the code (though please keep the category) -- samtar ^{talk or stalk} 13:10, 17 November 2016 (UTC)

No that's ok, yours is fine. I didn't realize one already existed. Jauerback^dude?/_dude. 13:33, 17 November 2016 (UTC)

I don't see an obvious practical exploit, but this box seems to give away info to attackers unnecessarily. They should not be able to tell whether someone has 2FA enabled or not. I'd also get rid of the category. 50.0.136.56 (talk) 06:57, 18 November 2016 (UTC)

@.56: This crossed my mind - however there is no real advantage gained for the attacker from knowing if an account was using 2FA, other than to perhaps exclude them from brute force attacks or if an exploit with the 2FA system is found -- samtar ^{talk or stalk} 08:13, 18 November 2016 (UTC)

I agree with '56, I wouldn't put this userbox on my page per WP:BEANS. Ritchie333 ^{(talk) (cont)} 12:41, 18 November 2016 (UTC)

Valid point, but I would assume most hackers would go for an account with less security. Then again, BEANS does exist for a reason. Jauerback^dude?/_dude. 15:29, 18 November 2016 (UTC)

I still feel the same way as before (of course it's even more important to avoid identifying accounts that don't use 2FA) but I changed the userbox contents to Jauerback's version, per Samtar's comment that it looks nicer (I also think it looks nicer). 50.0.136.56 (talk) 00:49, 19 November 2016 (UTC)

This page should be converted from WP:ESSAY to a help page. 50.0.136.56 (talk) 07:07, 18 November 2016 (UTC)

I would hope that's the long-term aim, but I wanted to wait until the page was a bit more mature first, with examples supplied by several editors. I'd quite like it to eventually usurp the "official" WP:2FA page, which is a soft redirect at the moment. Ritchie333 ^{(talk) (cont)} 12:40, 18 November 2016 (UTC)

Sounds good. The page should hopefully become pretty foolproof by the time 2FA is made available to all accounts. A lot of people will want to refer to the page then. 50.0.136.56 (talk) 00:51, 19 November 2016 (UTC)

Can we ask for some outside review of this page from non-technical editors? We contributors are all too caught up in it to have good judgment about whether it serves its purpose as well as it could. I thought of a few people to ping but maybe it can be done more formally. The review request shouldn't be to "sell" 2FA, but just to get opinions on whether the page is readable and not too long-winded. It can include non-admins even though only admins can currently activate 2FA. Thoughts are welcome. 50.0.136.56 (talk) 00:42, 19 November 2016 (UTC)

User:Bishonen, can you take a look at the page and post any comments here? I'm not asking you to activate 2FA (that's entirely up to you) but just to let us know if the page makes it comprehensible or what improvements it needs. I thought of you because I remember your post in the AN thread about the topic being unclear. Maybe this makes it better--let us know. Thanks. 50.0.136.56 (talk) 05:36, 20 November 2016 (UTC)

User:Bishonen - repeating ping attempt since the one above might have failed from a typo I made. 50.0.136.56 (talk) 05:37, 20 November 2016 (UTC)

Oh, you don't have to explain why you chose me as a good example of a non-technical editor! :-) (You're quite right about that, though I can do a few unexpected things, such as block IPv6 ranges.) Thanks for asking. I have two questions:

1. The assumption that everybody has and uses a smartphone is worrying for me. I know it's incredible, but I don't use one; I can't get comfortable with them. The implication on the page seems to be that it will be a pest, every time, to use 2FA from a desktop computer. Is that right?

A: You have to use 2FA any time you currently have currently enter your password. So if you use a desktop and normally "keep me logged in" you don't have to use it each time from that computer. — xaosflux ^Talk 06:00, 20 November 2016 (UTC)

Ahh... yes, Xaosflux... I essentially do use "keep me logged in", but (blushes) I still log in and out quite a bit. Compare [1]. Bishonen | talk 06:17, 20 November 2016 (UTC).

A possible ease of use for your use case would be to use multiple browser, or private browsing sessions for your alt accounts. On my normal desktop, I use one browser for most of my use, but if I need to log in as a test user or say my bot account, I use a private browsing session or another browser - that way I can stay logged in. Not "flawless" but it could help you. — xaosflux ^Talk 16:13, 20 November 2016 (UTC)

2. Do I need 2FA, if I have a strong password which I don't use anywhere else, and nobody outside my highly reliable family gets near my computer? I heard on the grapevine that those admin accounts were able to be hacked because they used the same password somewhere else (a mailing list?). Is that true? Bishonen | talk 05:54, 20 November 2016 (UTC).

Thanks for the comments and no worries about the smartphone, I don't use one either. Re your questions:

1) Using 2FA on a desktop shouldn't be much different than using it on a phone. You launch the program and then there's a window showing a 6 digit number that changes once a minute, that you enter along with your password. I haven't used the Windows program mentioned but you might even be able to make the window real small and leave it on your screen, or put it in one of the taskbar indicators like the date/time display, so you don't even have to click anything to use it.

2) I think you are reasonably safe with what you describe. What seems to have happened is various people used the same username/password on Wikipedia and some site XYZ, then XYZ got compromised and all of its usernames and passwords spilled, and then the attacker tried the XYZ usernames/passwords on Wikipedia and a lot of them worked (or they might have inferred usernames from email addresses, or whatever). I don't know what XYZ was, but that's a common attack that has happened to many sites (I remember some Adobe.com site spilling millions of passwords a few years ago). I just generate random distinct passwords for everything and store them in the browser password vault, so I don't actually know any of my own passwords.

We should improve the documentation about the Windows desktop token, and add them for Mac and Linux. 50.0.136.56 (talk) 06:16, 20 November 2016 (UTC)

OK, thanks. What's that "browser password vault"? I want one! Bishonen | talk 06:20, 20 November 2016 (UTC).

It's just a feature in browsers where the browser offers to remember different passwords for you, and it can encrypt the collection under a master password that you enter when you launch the browser (so that's just one password to remember). In Firefox you can turn it on by going to Preferences -> Security and checking "Remember logins for sites". There's something similar in Chrome but I don't know how to operate it. 50.0.136.56 (talk) 06:24, 20 November 2016 (UTC)

I'll be away for a few days but others here or on WP:RDC should be able to handle further questions/issues. Bye for now. 50.0.136.56 (talk) 07:00, 20 November 2016 (UTC)

"We should improve the documentation about the Windows desktop token, and add them for Mac and Linux." Couldn't agree more, and the only reason I personally haven't done it is because I haven't tried it, and as I seem to be a bit of an Apple fanboy, I don't use Windows software unless forced to at gunpoint (or just use Wine). However, if nobody else is prepared to improve the non-smartphone documentation, I guess muggins here will give it a go. Ritchie333 ^{(talk) (cont)} 14:06, 21 November 2016 (UTC)

Good ol' muggins - tell you what, I'll work on the Windows aspect and let you deal with the widely loved Apple product. Linux is going to be nice and easy, because I'm sure there's hundreds of TOTP clients and it's safe to assume Linux users are at least somewhat technical -- samtar ^{talk or stalk} 14:31, 21 November 2016 (UTC)

• Page says However, because the key is time-based, it may change while you're doing this, in which case you'll have to add the latest key instead.

Could someone with 2FA test that and possibly update the doc? Log in with 2FA, wait for the code to flip over to a new one, and then enter the old code a few seconds later? Servers generally allow some leeway in the timing to deal with this situation, and also to handle slight timekeeping discrepancies between the server and the 2FA device. But I don't want to change the document unless it's been tested. 50.0.136.56 (talk) 07:15, 18 November 2016 (UTC)

Tested, and given my understanding of TOTP the old code should invalidate the moment a new code is generated. I imagine there is a slight leeway, though not enough for me to get in on an old code -- samtar ^{talk or stalk} 08:16, 18 November 2016 (UTC)

Can you confirm, you entered the old code a few seconds after the code flipped, and you couldn't log in? I'd report that as a bug. You should get a decent size window, maybe as much as half a minute (using a code from yesterday should of course fail). The hardware tokens in the picture are basically cheap digital watches with different packaging and firmware. So their clocks drift by as much as a few seconds per week. Server-side software is supposed to allow for that, partly by tracking the amount of drift for a given token. 50.0.136.56 (talk) 17:04, 18 November 2016 (UTC)

I've had a look now - the code on Google Authenticator is normally blue, but changes to red immediately before the key expires and changes. Ritchie333 ^{(talk) (cont)} 14:12, 21 November 2016 (UTC)

The technical answer is that at any moment, the current code, the four codes before and the four codes after will be accepted, unless they have been used before. This is to account for clock divergence between client and server as well as input errors and submitting right at the moment where the generator will rotate to the next key. Users shouldn't have to worry about that. —TheDJ (talk • contribs) 11:19, 22 November 2016 (UTC)

The text above the list of codes says "... If you lose your phone, these tokens are the only way to rescue your account. ...".

How does that apply to those of us who do not have a phone?

Robin Patterson (talk) 20:12, 5 March 2017 (UTC)

This is the "simple" guide - it equally applied to "if you lose all of your OTAP authentication mechanisms". — xaosflux ^Talk 04:51, 16 July 2017 (UTC)

I need to add WP to a new authenticator app. Roger (Dodger67) (talk) 21:44, 30 August 2017 (UTC)

@Dodger67: this is not currently available. See phab:T172079. Options are: (1) Use the "two-factor secret key" you first were given, if you recorded it. (2) Un-enroll and re-enroll. — xaosflux ^Talk 23:09, 30 August 2017 (UTC)

@Dodger67: fix ping. — xaosflux ^Talk 23:10, 30 August 2017 (UTC)

I'm happy using winauth on Windows but what do I do if I'm away from it? Thanks. Doug Weller talk 17:21, 14 November 2017 (UTC)

@Doug Weller: using the original code presented during enrollment (you can get a new one by unenrolling and re-enrolling) you may create as many authentication devices as you would like. I use 2 different ones. — xaosflux ^Talk 18:20, 14 November 2017 (UTC)

@Xaosflux:, Thanks, I want clear enough. I don’t know how to set up any of the possible apps to the point where I’d use that code. Do you mean the secret code? Doug Weller talk 18:41, 14 November 2017 (UTC)

I use Google Authenticator. You can install it with these directions. When you first activate 2FA you get an enrollment code for you account. You can tell if it is working with multiple devices as they will all show the same code at the same time. — xaosflux ^Talk 18:56, 14 November 2017 (UTC)

@Xaosflux: Thanks. It took me a while to recall that my account name was with my secret code. Maybe the instructions on this page could be a bit more dummy oriented! Doug Weller talk 16:48, 17 November 2017 (UTC)

• required for interface administrators, checkusers, and oversighters, among others. I don't believe this is accurate, per WTT's comment here. Should this be changed?
• Is there some reason that we have a picture of a QR code linked to someone's (now-deleted) Google+ profile? QR codes have easily enough redundancy to make this one readable. GoldenRing (talk) 11:55, 26 March 2019 (UTC)

  I thought checkusers and oversighters required 2FA because they were listed under :m:Help:Two-factor authentication § Mandatory use user groups. Is this limited to Meta-Wiki? In any case, I've removed these two from the list of groups where 2FA is required, as the list doesn't need to be exhaustive. The QR code image was there from before, and I've also removed it because it was redundant with the phone scan image. Thanks for your feedback. ​— Newslinger talk 16:17, 26 March 2019 (UTC)

@Newslinger: I'm following up on that - I think it is just wrong on meta as well. — xaosflux ^Talk 22:52, 26 March 2019 (UTC)

It was added by a random user on Meta. It isn't correct. Only stewards and interface admins require 2FA. -- Ajraddatz (talk) 22:55, 26 March 2019 (UTC)

Thanks for discovering the issue and fixing the source page. — Newslinger talk 06:45, 27 March 2019 (UTC)

1. What is the equivalent Macintosh program to winauth?
2. Is it possible to generate additional emergency keys, or can this be done only by disabling and then re-enabling? DGG ( talk ) 17:32, 17 November 2017 (UTC)

• @DGG: you could try oathtool command line for mac desktop, I'm not finding a good gui based one for free. To get new scratch codes you need to unenroll and reenroll. — xaosflux ^Talk 02:44, 18 November 2017 (UTC)
• A bit late here, but try using KeeWeb, which should work with macOS. The new instructions are at WP:2FA § KeeWeb (Windows, macOS, Linux, online). Please let me know if the instructions are confusing or unclear. ​— Newslinger talk 23:08, 30 March 2019 (UTC)

I am glad to see that 2FA is being brought to Wikipedia. However, why is it limited to users with advanced permissions? Why not provide everyone with the option to further secure their accounts? I ask, because I've been looking for this since 2014. Thanks! Tony Tan · talk 05:11, 22 November 2016 (UTC)

The plan is to make it available to all editors, it just is getting rolled out in phases - and appears to have been fast tracked due to the recent account hacks. — xaosflux ^Talk 05:12, 22 November 2016 (UTC)

If you really really want it now, you can ask a steward to add you to the oath testing group. — xaosflux ^Talk 05:14, 22 November 2016 (UTC)

I see. I look forward to 2FA becoming available to all editors. Thanks! Tony Tan · talk 21:52, 22 November 2016 (UTC)

FWIW, I'd suggest Template Editors go next, because of the potential damage that can be done from their accounts. StevenJ81 (talk) (a Template Editor, but with 2FA from being an admin/crat elsewhere) 18:44, 29 December 2016 (UTC)

It's kind of hard to find but you can request access at m:Steward requests/Miscellaneous. Feel free to use my request dated 15:19, 18 August 2017 as a template. ☆ Bri (talk) 16:20, 18 October 2017 (UTC)

m:Steward requests/Global permissions would be the best place! @Tony Tan: would you still like 2FA access? If you confirm here, I can add it to your account. -- Ajraddatz (talk) 18:07, 18 October 2017 (UTC)

@Ajraddatz: I got 2FA by temporarily getting sysop on testwiki last year. If you could add me to a more permanent 2FA list, that would be great. Thanks! Tony Tan · talk 22:58, 18 October 2017 (UTC)

I could add you to the global oathauth testing group, but since you already have it enabled, that wouldn't be beneficial. If you need to disable it in the future, let me know :-) -- Ajraddatz (talk) 23:17, 18 October 2017 (UTC)

Okay, I will let you know if/when I need to un-enroll and re-enroll due to a device change. Cheers! Tony Tan · talk 23:21, 18 October 2017 (UTC)

@Ajraddatz: just to note, anyone may disable 2FA, group is only needed to enroll. — xaosflux ^Talk 23:23, 18 October 2017 (UTC)

Oh cool, thanks for the info. -- Ajraddatz (talk) 18:33, 19 October 2017 (UTC)

I request feature before having an account compromised despite our passwords meeting best practices. I imagine many editors share this sentiment. Richardc020 (talk) 16:33, 12 November 2018 (UTC)

There is a proposal on Meta to make it easier for all editors to access 2FA. If you're interested, see m:Meta:Requests for comment/Enable 2FA on meta for all users. — Newslinger talk 23:54, 30 March 2019 (UTC)

I edit primarily on a laptop, which isn't mentioned on the page. Is that considered the same as a desktop? Sorry for what I'm sure to everyone here sounds pretty silly. I did search the archives for any mention of 'laptop' to try to spare myself embarrassment. --valereee (talk) 12:31, 10 April 2019 (UTC)

@Valereee: in general 'desktop' would be the same as 'laptop' or 'all-in-one' computer. The "easy" directions there mostly about what operating system you have. So if your laptop is Windows or MacOS you should be OK, if you are using something more custom (like ChromeOS on a ChromeBook) it may not work. You can safely do all the "computer" parts well in advance of "activating" 2FA - you will either be able to get the program installed and running or you won't. Does that help? — xaosflux ^Talk 13:14, 10 April 2019 (UTC)

Xaosflux, totally, lol. I was sort of assuming that "laptop" was in this case being used interchangeably with "desktop," which is something I haven't used in probably fifteen years. I have a macbook and an iphone, so I'll start investigating those directions. Thanks! Hopefully this gets archived quickly lol --valereee (talk) 13:20, 10 April 2019 (UTC)

@Valereee: I wouldn't worry about it! I've expanded the help to be more clear in this area, thanks for bringing it up! You may want to review the Help:Two-factor_authentication#Multiple_devices section if you want to activate on both your devices. — xaosflux ^Talk 13:26, 10 April 2019 (UTC)

Xaosflux, it's okay, if I don't feel stupid at least once a day I figure I'm not taking enough risks. :) I've been using 2-factor authentication for a few other things, but I hadn't tried to use it with WP yet. I've seen recommendations multiple times on various talk pages that editors set it up for WP. I've been using 1password, am hoping I can get it to integrate here eventually. Thanks for the assistance! --valereee (talk) 15:30, 10 April 2019 (UTC)

Might be I didn't read closely enough, but I didn't see a process or procedure to tell if one currently is or isn't 2FA enabled. Is it based on what you see when you go to Special:Two-factor_authentication ? ++Lar: t/c 01:59, 7 May 2019 (UTC)

Hi Lar, you can see for your own account in your preferences: the line about two-factor authentication. -- Ajraddatz (talk) 02:04, 7 May 2019 (UTC)

@Lar: but also yes, on that special page, if you are enrolled it will ask you if you want to Disabled 2FA, else it will ask you to enroll. — xaosflux ^Talk 02:29, 7 May 2019 (UTC)

Thanks, both of you. Is this such a dumb question that it doesn't merit mentioning on the page itself? I asked more for trying to decide if that was a good idea for an edit to the page... rather than for answering the question for myself... Relatedly, is there a record kept of when it is turned on and turned off for a given account that is user accessable? I thought I had it on, my authenticator has a WM entry, I have scratch codes from 2017... but it was apparently off, and I don't know when or why I turned it off. It's on again. ++Lar: t/c 03:02, 7 May 2019 (UTC)

 Added at H:2FA § Checking whether 2FA is enabled. — Newslinger talk 08:39, 8 May 2019 (UTC)

Dear people, I am in need of setting up the 2FA once again on my third different mobile device (my two previous mobile devices broke down, I am on a third one now...). Unfortunately, I ran out of scratch codes (had only five by the time they were provided to me years ago) so I cannot do it again, and I do not know how to do it otherwise. Could you please help me on that sense, or at least address me on how to proceed to solve the issue? Thanks, --Angelo (talk) 00:16, 28 June 2019 (UTC)

@Angelo.romano: is it correct to say you have 0 scratch codes left and have lost access to your 2fa device? If so officially, you are out of luck and once your session times out you will never be able to log on again. Unofficially, you can beg the WMF Trust and Safety department for help. You can do that by opening a phabricator ticket and setting the tag to "Trust-and-Safety" - then wait to be contacted. — xaosflux ^Talk 00:36, 28 June 2019 (UTC)

If the remove 2FA from your account you can enroll anew, and now you will get 10 scratch codes. If you ever use a scratch code, it is a good idea to unenroll then reenroll to get a new batch of codes. — xaosflux ^Talk 00:38, 28 June 2019 (UTC)

​This information would be useful in the help page. Would you mind adding these instructions somewhere under or after the "Disabling 2FA" section? — Newslinger talk 00:53, 28 June 2019 (UTC)

@Newslinger: I added to the Help:Two-factor_authentication#Scratch_codes section. — xaosflux ^Talk 01:04, 28 June 2019 (UTC)

​Thanks! — Newslinger talk 03:44, 28 June 2019 (UTC)

I might possibly have one still working, but I have not tried it (as far I understand, I need two valid codes, so I would not take that risk). Thanks for your reply, unfortunately I cannot open a Phabricator ticket (I am not logged in there for some reason, and I get asked for the 2FA code of course).. Angelo (talk) 14:44, 28 June 2019 (UTC)

@Angelo.romano: as you are logged in already (right now) you only need 1 code to unenroll. (You need 2 if you aren't logged in, 1 to log on, 1 to unenroll). — xaosflux ^Talk 15:38, 28 June 2019 (UTC)

I tried all the five scratch codes that I have, by putting them here (Special:Two-factor_authentication) and none of them worked, unfortunately. Angelo (talk) 19:06, 28 June 2019 (UTC)

@Angelo.romano: I've created phab:T226860 for you. They will likely try to contact you by your wikimail address, assuming it hasn't been changed recently - so keep an eye on your email and talk page. Best luck, — xaosflux ^Talk 19:15, 28 June 2019 (UTC)

Thank you, I really appreciate your help! Angelo (talk) 19:46, 28 June 2019 (UTC)

@Angelo.romano: please see the note at phab:T226860 for you to email something in. — xaosflux ^Talk 20:52, 28 June 2019 (UTC)

Thanks, I did it yesterday afternoon (West Europe time). Angelo (talk) 12:42, 30 June 2019 (UTC)

Is there a way to enter a 2FA auth code on the official Wikipedia Android app log in screen? I get a small box appearing at the bottom of the screen telling me I need to enter one, but don't see a field to enter said auth code. This is on version 2.7.50282 of the app on a OnePlus 6T running Android 9.0. --Michael Greiner 04:57, 12 July 2019 (UTC)

Tracked in Phabricator
Task T227925

Hi Michael Greiner, I can confirm this bug on the Wikipedia Android app. Since an older version of the Android app allowed me to log in with 2FA, this bug must have been introduced in a recent version. I've submitted a bug report at phab:T227925 and hope this gets resolved soon.

In the meantime, you can work around this by temporarily disabling 2FA, logging in to the Android app, and then re-enabling 2FA after you've logged in. When I did this, I was able to make edits on the Android app even after 2FA was re-enabled. Hope this helps! — Newslinger talk 22:41, 12 July 2019 (UTC)

Hi Michael Greiner, I believe we have a build that fixes the issue. Would you be able to download the latest Wikipedia Beta app from the playstore? Please let us know if you are still seeing the issue on that build. Thanks! — Preceding unsigned comment added by ABorba (WMF) (talk • contribs) 2019-08-22T18:22:00 (UTC)

I was able to log in via 2FA on the latest update. Thanks Newslinger and ABorba (WMF) for your help. --Michael Greiner 20:05, 25 August 2019 (UTC)

Thanks for the update. I'm glad to see this issue taken care of, and look forward to seeing this fix in the stable version of the app. — Newslinger talk 03:48, 26 August 2019 (UTC)

• @ABorba (WMF): is this supposed to be fixed in the main-train app yet? phab:T150899 suggests otherwise, as does my personal recent test. — xaosflux ^Talk 21:11, 30 October 2019 (UTC)

I'm supposed to be entering a six-digit code from KeeWeb into "step 4" of the 2FA enrollment page, but that page is just empty, maybe because I started trying to set this up six months ago and already have my scratch codes and such. But at any rate, currently there are no steps at all. All it says is Manage Two-factor authentication ← Special:Manage Two-factor authentication

I've been trying to set up 2FA for a good six months, and I am just not having much success. I have 2FA on a bunch of stuff, and it's so easy. I flip a switch, and from then on I get a text with a pin whenever I log in there. I really want to comply with this. --valereee (talk) 20:53, 30 October 2019 (UTC)

@Valereee: in Special:Manage_Two-factor_authentication does it say "Disable TOTP (one-time token)"? If so you already have it enabled. Keep in mind we do not use "push" notifications like some websites, we use TOTP. If it says "Disabled" but you don't have a working TOTP client, you need to get this turned off with a scratch code right away (before you lock yourself out!). — xaosflux ^Talk 21:09, 30 October 2019 (UTC)

Xaosflux, yep, that's what I'm worried about. :) I'm reading over this page and it's a little scary. I'm like, would it be worse to suffer the embarrassment of having my account compromised, or the embarrassment of locking myself out permanently?

It says Enable there. Is KeeWeb a TOTP client? --valereee (talk) 21:19, 30 October 2019 (UTC)

@Valereee: ok if it says "enable" you should be fine right now (and any scratch codes you have are useless). To verify this you can try to logon again from a private browsing session, it should ask you for your password and not also a code. From what I see KeeWeb is a TOTP client, I've never used that one before. Here is a simple summary of what happens when you enable:

1. You get the "Enable TOTP (one-time token)", it includes:
   • A qr-code and a "Two-factor authentication secret key" (these are the same thing)
   • A list of scratch codes (SAVE THESE before you do ANYTHING ELSE)
2. You put the qr-code or secret key in to your client
3. You use your client to generate a token (this is the same thing you will have to do when you log on)
4. You put the code from your client in to the "Verification" box. If it matches, you are activated and will have to use 2FA going forward.

— xaosflux ^Talk 22:10, 30 October 2019 (UTC)

Hi Valereee, I hope this video is helpful for you. If you're currently using another app to manage 2FA for other websites, we can provide more detailed instructions if you tell us the name of that app. — Newslinger talk 21:43, 31 October 2019 (UTC)

Thanks, xaosflux, and Newslinger thanks so much for that video, that's extremely helpful! Okay, I think I've got it set up. The only question is, during the synch process, it asks under Names for a Name: and a Default user: do either of those need to be something specific? Like the admin name on my computer or something? And when WP says it's set up, I assume it's going to ask me for something when I next try to login? It hasn't asked me where it should send that something, and while the instructions say the scratch codes are the only way to help if I lose my phone, I don't think my phone number is anywhere in my WP preferences, and KeeWeb isn't on my phone, only my laptop. valereee (talk) 12:42, 1 November 2019 (UTC)

@Valereee: if you are 2FA activated, you will be prompted for the code after you put your password in on future logons, or if you try to change you email or password. You can see this in action by opening a private/incognito browsing session and trying to log on. — xaosflux ^Talk 12:53, 1 November 2019 (UTC)

@Valereee: so "phones" have nothing specifically to do with any of this, just that most 2FA user are using an application installed on a phone as their TOTP client. Specifically, if you loose access to a TOTP client (such as KeeWeb) that has your initial secret seeded to it (and don't have a way to recover that secret to it): you will need the scratch codes. Will let someone who has used KeeWeb answer those questions for you! — xaosflux ^Talk 12:53, 1 November 2019 (UTC)

It worked with an incognito window, so yay, I guess I'm good to go! I've saved my scratch codes in two different places, named them something searchable, and emailed them to the hubs lol... --valereee (talk) 13:27, 1 November 2019 (UTC)

Oh, and the other app I've been using is 1Password, which I'd downloaded to try to get working reliably remembering passwords before I started also using it for 2FA. Other reviewers have raved about its intuitive interface, but I've found it frustrating to use; I'm sure it's me, not the app. --valereee (talk) 13:57, 1 November 2019 (UTC)

​No problem! If you're comfortable with using 1Password for all of your 2FA needs, they have instructions on this page that should work with the QR code from "Step 2" of the setup page. Personally, I think it's easier to manage everything with one app instead of two, but since you already have 2FA working with KeeWeb, it's up to you whether you want to switch over to 1Password.

If you'd rather stick with KeeWeb for 2FA, I'd recommend using the desktop version for your laptop instead of the web app if you aren't doing this already. (The web app is still available if you ever want to log in to Wikipedia on someone else's computer.)

Also, the "Name" and "Default user" fields in KeeWeb are entirely optional. "Name" is the name of the database that appears in the lower-left corner of KeeWeb: it's set to "New" by default, but you can optionally change it to something more meaningful. "Default user" is the default username for new entries in KeeWeb, and can be left blank. — Newslinger talk 08:20, 2 November 2019 (UTC)

I think I'll stick with KeeWeb, and I did use the desktop version, but I'd like to figure out how to connect it to the web app so I can use it when I don't have my machine with me. But the web app is just a brand new open; am I supposed to do something to connect it with the desktop version? I can't seem to find much in the way of instructions. Sorry for all the questions, this isn't even the place, is it? I honestly have searched for instructions on the web, but nada. I clearly am a couple standard deviations below the norm, here. --valereee (talk) 11:54, 2 November 2019 (UTC)

Don't be so hard on yourself – you're doing perfectly fine, and these instructions are still far from ideal at this point. This is the right place to ask questions about 2FA, and your questions help us improve these instructions. Hopefully, one day, this page will be clear and detailed enough that most of the common questions won't need to be asked anymore.

By default, the desktop version of KeeWeb saves your 2FA entries in its own private storage space. If you want to access your 2FA entries on other devices, there are two ways you can do this:

• If you use Dropbox, Google Drive, or OneDrive, KeeWeb can save your 2FA entries in a file ending in .kdbx directly on the file hosting service you use. Step #10 of the instructions for KeeWeb explain how to back up your 2FA entries onto a file. When you're on someone else's computer, just go to the KeeWeb online web app (app.keeweb.info – one click away from the KeeWeb home page at keeweb.info), and click "More" (the ⋯ icon) to retrieve your 2FA entries from your file hosting service.
• If you don't use any of the 3 file hosting services listed above, you can manage the .kdbx file yourself. Just save it onto your computer, and then upload it onto the service you use. You can also copy the file onto a flash drive if you prefer to have it on hand with you. Step #10 of the instructions for KeeWeb also explains how to do this. To open the .kdbx file on someone else's computer, go to the KeeWeb online web app (app.keeweb.info) and click "Open" (the 🔒 lock icon).

You can try either of these methods on your own computer to see if it works for you. If you aren't currently using a file hosting service, all of the ones mentioned above can be used free of charge. Google accounts, Microsoft accounts, and Apple IDs include access to Google Drive, OneDrive, and iCloud, respectively – it's very likely that you already have one of these services.

One of the main benefits to having 2FA on a smartphone is that you won't need to sync your 2FA settings as long as you have your phone with you. If the above is too tedious, you can switch over to using 2FA on your phone by disabling 2FA and then doing the setup procedure on your phone. Hope this helps! ​— Newslinger talk 02:07, 3 November 2019 (UTC)

Ooh, bcc, that's a new one on me! Yes, I do use dropbox and occasionally google drive, and everything's also on icloud. But whoa, smart phone sounds like the way to go, I'm going to go do that! Thanks again! I'll likely be back again at some point to continue helping you improve the instructions lol...--valereee (talk) 12:37, 3 November 2019 (UTC)

OMG that was so easy! Granted, I understood what I was doing this time and wasn't just puzzled by the basically blank screen the authenticators all seem to want to give you (honestly, do these people realize they're designing things for non-techies lol?) but that was simple and straightforward, and I feel confident I am not going to screw anything up. Thank you both again! --valereee (talk) 13:14, 3 November 2019 (UTC)

I'm glad this worked out! In the help page, I'll try to emphasize smartphones more, since a phone app is usually the best solution for smartphone owners. On the other hand, KeeWeb is the most difficult to set up, but it needs to stay in the guide because we haven't found a good recommendation for macOS, and because KeeWeb is the most viable 2FA solution for people who don't have their own computer or phone. — Newslinger talk 19:28, 3 November 2019 (UTC)

Hi everyone,

I've managed to set up 2FA on my account. However, I no longer have access to the device that I downloaded Google Authenticator to. I've downloaded it to my new phone but whenever I try to log in to Wikipedia now it says "verification failed". Any ideas?--2603:9000:6505:2B00:140C:B6EC:9937:798C (talk) 02:56, 6 December 2019 (UTC)

Hi 2603..., yes what you will want to do is to use your scratch codes. You will need 2, one to log on, and another to disable 2FA. At that point you can start over. — xaosflux ^Talk 03:15, 6 December 2019 (UTC)

Can you please give me steps what to do? I have no idea about scratch codes.--2603:9000:6505:2B00:140C:B6EC:9937:798C (talk) 03:18, 6 December 2019 (UTC)

When you turned on 2FA, did you skip the part for Important: Store your scratch codes offline in a safe place to ensure that you won't get locked out of your account if your 2FA device fails. (See image sample to the right)? You should have a list of these codes (probably 10 of them). — xaosflux ^Talk 03:26, 6 December 2019 (UTC)

It's been that long ago I honestly can't remember.--2603:9000:6505:2B00:140C:B6EC:9937:798C (talk) 03:29, 6 December 2019 (UTC)

So step one, go think very long and hard about that. If you have your scratch codes you can proceed with the directions on the attached help page for disabling 2FA. If you failed to heed that important warning your only option is to go beg WMF Trust and Safety for a reset, this is not guaranteed. They can be emailed at cawikimedia.org. If they can not strongly authenticate you - your other option is to just create a new account and start over. — xaosflux ^Talk 03:35, 6 December 2019 (UTC)

As I'm using the same email address would it not be the same as it is on the app just now? I don't remember seeing it on the app on my other phone. I've tried generating new smart codes and no difference.--2603:9000:6505:2B00:140C:B6EC:9937:798C (talk) 03:43, 6 December 2019 (UTC)

You can never regenerate your scratch codes - you can only completely replace them and you can only do that once you are already logged in. 2FA has nothing to do with email addresses. You would have got the 2FA codes displayed on your computer screen one time only - when you enrolled. Please also note, noone on-wiki can do anything about resetting your 2FA status. — xaosflux ^Talk 03:47, 6 December 2019 (UTC)

No problem and thanks xaosflux for your help. I might have access to the other phone next week again so I'll try logging in then :)--2603:9000:6505:2B00:140C:B6EC:9937:798C (talk) 03:56, 6 December 2019 (UTC)

When setting up WebAuthn keys no scratch codes are presented, if this is intentional I think it should be explained in the article. FozzieHey (talk) 14:59, 8 August 2020 (UTC)

@FozzieHey: WebAuthn was sort of released to production with out much end user documentation - this page is really only about TOTP; I don't recommend anyone using WebAuthn at this point - will possibly add a note. — xaosflux ^Talk 03:02, 9 August 2020 (UTC)

I've made a couple of edits to add clarity. I had difficulty myself this evening with the scratch-codes, so i think the small additions will help other editors. @Xaosflux: you're probably watching this page but could you possibly do me a favour and check what i've added please? I don't want to advise other editors wrongly on this. Thank you, Zindor (talk) 21:10, 9 September 2020 (UTC)

Is there a 2FA app that runs with iOS? The one listed in the article (Authenticator app) requires iOS 12.2 or later. Surely there is an alternative. Hawkeye7 (discuss) 03:17, 13 May 2021 (UTC)

It seems pretty good. Doug Weller talk 18:58, 18 May 2021 (UTC)

@Doug Weller: I think this page grew from the "Simple" version of the help when less was more, Authy is listed at meta:Help:Two-factor_authentication - you could improve this with a list of other clients if you think it will help, though I suggest you declare the ones that are closed source as such. — xaosflux ^Talk 20:26, 18 May 2021 (UTC)

I ask because authy claims to "allow you to backup and sync your 2FA account tokens across multiple device and device types - phones, tablets and computers."[2]. If so, how do I switch from my current authenticator to authy? Disable 2FA first? Thanks. Doug Weller talk 19:09, 22 May 2021 (UTC)

@Doug Weller: you may set up multiple authentication clients, they have no knowledge of each other. Enrolling a client requires the initial secret - some clients will allow this to be shared back out; but if you need a new initial secret from us you will need to disable and re-enroll to generate it. — xaosflux ^Talk 19:38, 22 May 2021 (UTC)

@Xaosflux: thanks, I still have the initial secret. Are you saying I could, for instance, use two clients from my PC, each using my intial secret? If so there's nothing to stop me from experimenting with authy's claim to sync, I can just set it up with the initial secret on my PC and see if it syncs with my other devices registered with authy. Doug Weller talk 10:51, 23 May 2021 (UTC)

@Doug Weller: yes, for example with the initial secret I have 2 TOTP clients set up, one on a secure computer and one on a smartphone. There is no direct client<-->server communication in this, the only things the client uses is the initial secret and the time (i.e. there is no client key that is used with the server). That being said, the initial secret is quite vulnerable which is why it is suggested you don't actually store it. You can verify that your second client is working because it will be producing the exact same TOTP code as your first one. — xaosflux ^Talk 12:52, 23 May 2021 (UTC)

@Xaosflux: that's extremely helpful. Do I just set the one on my smartphone up the way I set up the one on my PC? And out of curiousity, which do you use? I'm replacing my hard disk Tuesday so I'll be starting fresh with no software except Word and Windows 10. Doug Weller talk 15:46, 23 May 2021 (UTC)

@Doug Weller: "how" you set them up is specific to the client, some want you to scan the QR code, some want you to type in the initial secret - that part is specific to each client. I've tried several the easiest ones were probably: On Android- Google Authenticator; On Windows- WinAuth. — xaosflux ^Talk 00:52, 24 May 2021 (UTC)

@Xaosflux: thanks, I'll try Google authenticator on my phone, keep Winauth on my PC. Doug Weller talk 13:25, 24 May 2021 (UTC)

To make a long story short, I lost access to my authenticator app on my old phone. The good news is that I still have access to my account (obviously), I still have my scratch codes, and I know my committed identity info. So, what's my best option here? Should I disable 2FA and use one of my scratch codes? Or should I try logging into a different browser with a scratch code? Or something else? I'd rather not guess and get locked out. Jauerback^dude?/_dude. 14:42, 22 September 2021 (UTC)

Looking more into this, it seems like disabling 2FA with a scratch code is the best option, so I don't need to try and enter in 2 scratch codes. Jauerback^dude?/_dude. 15:03, 22 September 2021 (UTC)

@Jauerback: yes, use a scratch code to disable 2FA, then you can set it up again from "scratch" :D — xaosflux ^Talk 17:02, 22 September 2021 (UTC)

Xaosflux, thanks for your help. I was able to get it working on my new phone. Jauerback^dude?/_dude. 19:09, 22 September 2021 (UTC)