Help talk:Two-factor authentication

Changing smartphone
Hi, I got a new smartphone, so how to scan a new QR code? This seems basic information, and it is not in the help page. Thanks, Yann (talk) 18:43, 16 May 2021 (UTC)
 * you will need to dis-enroll, then re-enroll. — xaosflux  Talk 20:49, 16 May 2021 (UTC)
 * Assuming you don't have a method with your TOTP client to "transfer" the secrets one way or another. — xaosflux  Talk 20:49, 16 May 2021 (UTC)


 * I'm in a similar situation — I got a new smartphone because the old one died. However, now I see that you cannot dis-enroll the old TOTP without entering the TFA code, which I can no longer do because the old smartphone died.  How do I activate TFA on the new phone? — Steven G. Johnson (talk) 22:19, 5 November 2021 (UTC)
 * you can login (looks like you already are) and unenroll from 2FA using your SCRATCH CODES (one time use per each). Then you can just reenroll and set up your new device. —  xaosflux  Talk 22:49, 5 November 2021 (UTC)
 * It would be awesome if this were made more clear on the help page itself, this is what I came here looking for and it made me very nervous that I was going to just be screwed and lose access to my account. I'm in the same boat, I had to trade in my phone because the screen broke, so there's no way to get a code from it. (now I have to find the other old device where I recorded the scratch codes....) Beeblebrox (talk) 18:03, 26 April 2022 (UTC)
 * @Beeblebrox does Help:Two-factor_authentication help? (The scratch code section has been updated to warn against storing scratch codes somewhere they may be hard to get previously). — xaosflux  Talk 18:26, 26 April 2022 (UTC)

In my opinion it is a bit dumb to lock 2FA for certain groups only?
What is the purpose for this? It is ironic that they encourage the usage of 2FA yet only allow it for certain users.

What is the drawback for allowing 2FA for everyone? Nothing.

And the fact that you have to request for 2FA is outrageus. You have to request to use 2FA? — Preceding unsigned comment added by H44dyss9900 (talk • contribs) 11:30, 31 May 2021 (UTC)
 * There is currently insufficient support resources for mass participation. — xaosflux  Talk 17:03, 22 September 2021 (UTC)
 * Bit of a late reply, but, I believe I read that there were some stability issues with failures in the extension that makes 2FA possible that has necessiated manual removal of it many a time, which is why it's locked to certain users. I hope this helps as well. Regards, User:TheDragonFire300. (Contact me &#124; Contributions). 06:16, 13 February 2022 (UTC)
 * Well something should be done about this. Then we should fix the issues with the 2FA plugin.
 * This problem shouldn't really be glossed over, it's very important to have a functioning 2FA, expecially on Wikipedia. H44dyss9900 (talk) 17:14, 29 April 2022 (UTC)
 * I know I'm a bit late to this conversation... it's 2023 now and the trend has swung even further towards MFA. Companies are getting kicked off of cyber insurance policies for having a few things without MFA, making them an unacceptable risk.  The idea that one of the most visited websites on the entire internet doesn't ALLOW someone to have MFA, or doesn't have a stable implementation yet, is ridiculous.  Not FORCING people to use it is rapidly becoming a huge no-no according to cybersecurity experts.  We should be ages past allowing it. T`swift`rocks (talk) 05:10, 16 February 2023 (UTC)
 * Long time anonymous reader of Wikipedia, just signed up for an account to maybe dabble in simple editing. I am shocked that this is not available to all accounts in 2023. I don't think I am signed up for any other service that actually doesn't even offer 2FA to the user at all. This is now a fundamental security requirement for anything you log into, just as important (if not more now) than a password. If there are problems with 2FA as stated above, perhaps fixing it should be a priority. That was almost a year ago. Boatvan (talk) 23:36, 15 April 2023 (UTC)

Frequency
Just curious, does 2FA increase the frequency of logins/password challenges? A normal user could potentially click "keep me logged in for 365 days" and not have to log in for a year. – Novem Linguae (talk) 18:34, 8 April 2022 (UTC)
 * It's the same. -- zzuuzz (talk) 20:06, 8 April 2022 (UTC)

About the ordering of the phone based 2FA apps
Currently there is a legacy 2FA app listed as the one called FreeOTP. FreeOTP is years old and hasn't been updated in a long time and has bugs.

I propose AndOTP and Authenticator are moved before FreeOTP. We also potentially could add Aegis Authenticator and Raivo OTP to the list as well. H44dyss9900 (talk) 06:57, 30 April 2022 (UTC)


 * Nvm actually the two authenticators I mentioned should be added to https://meta.wikimedia.org/wiki/Help:Two-factor_authentication instead.
 * But I do think we should put AndOTP and Authenticator before FreeOTP. Even though they are Android/IOS only. H44dyss9900 (talk) 07:03, 30 April 2022 (UTC)


 * So my suggestion is to change this to a table, make the default sort be alphabetical. Include columns: Name, License type, Last version/date, Android link(s), Apple link. Since we have MS Auth on here, prob should also include Google Authenticator too. — xaosflux  Talk 09:47, 30 April 2022 (UTC)


 * Something like this?

PAGE ]]) 23:01, 2 May 2022 (UTC)
 * --Ahecht ([[User talk:Ahecht|TALK
 * LGTM. — xaosflux  Talk 23:35, 2 May 2022 (UTC)

Was preferences page changed?
I'm a 2FA user and was just verifying something. The instructions here say to check whether 2FA is enabled at Special:Preferences under "Basic information". My UI has the 2FA feature setting under "User profile"; there is no "Basic information" tab. Maybe the preferences page changed since this was written? ☆ Bri (talk) 20:47, 1 February 2023 (UTC)


 * @Bri it was renamed, I changed it to use the system message here. — xaosflux  Talk 20:52, 1 February 2023 (UTC)

Woes
So, I got a new phone a few months ago. Apparently I should have done something with my 2FA app during the switchover, but here I am: the app is no longer recognizing me. All this has come to a head because in the last few days I got a new laptop, which is asking me for a 2FA to log into WP. So here I sit on the old computer -- which I'm supposed to have handed down to the hubs -- trying to figure out how to avoid not being able to log in next time I'm asked for an authentication code. Anyone have an idea of how I can fix this? I've already been in chat with the authentication app. They'll get back to me in 2 business days. I'm a little concerned that I could be asked to log in and won't be able to, and will have no way to prove to anyone that I am who I say I am. Valereee (talk) 19:47, 10 February 2023 (UTC)


 * @Valereee: Did you keep hold of those scratch codes — if so, you can use one when prompted, to remove 2FA from your account before switching over to your new phone. If you didn't hold on to them, you will need to contact Trust and Safety on ca@wikimedia.org — TheresNoTime (talk • they/them) 00:42, 11 February 2023 (UTC)


 * Oh, the scratch codes! I forgot all about them, but yes, I did, in multiple places. Thank you! That relieves my mind greatly lol! Valereee (talk) 13:54, 11 February 2023 (UTC)

WebAuthn support kinda poor
I just encountered T244088, "Logging in at another wiki than WebAuth was set up fails". It can be worked around (see meta:User:Bri.public/2FA issue), but makes WebAuthn somewhat clumsy. Two questions: 1) is this important enough to note on the help page and 2) does anybody else care? The bug was reported three years ago and is stalled. ☆ Bri (talk) 21:07, 20 February 2023 (UTC)


 * Feel free to put more warnings about the problems with WebAuthn in the Help:Two-factor_authentication section. I don't suggest anyone use it. — xaosflux  Talk 22:13, 20 February 2023 (UTC)

Authentication failed
I recently activated Two-factor authentication on my account. Now I struggle to sign in on new devices. The message I receive says something about “Authentication process was interrupted. Please start the authentication process agin” is there a way to turn on and off two-factor authentication or restart the authentication process on the account. I’ve tried to turn it off but get the same message.

If I’ve wrote this question on the wrong page please move it the where it belongs. -Bksm (talk) 16:56, 12 July 2023 (UTC)

Google Authenticator
Why is Google Authenticator not listed? It is by far the most popular (~1000x the download count of Aegis which is probably the most popular from the current list), it's made by a large company with a reputation of having very good security, it has an online backup option so switching phones is hassle-free. Tgr (talk) 17:37, 13 December 2023 (UTC)


 * @Tgr (some discussion in Help talk:Two-factor authentication/Archive 1) - short answer is that for the "recommended" application, a FOSS application was desired. I've added a link to Comparison of OTP applications on the page, that includes many more clients. — xaosflux  Talk 18:57, 13 December 2023 (UTC)
 * As it looks like Microsoft Authenticator has slipped in, I really have no objection to listing GAuth as another example so long as it isn't the 'recommended' one. — xaosflux  Talk 19:01, 13 December 2023 (UTC)
 * Personally I don't think this is the best place for FLOSS advocacy. It's good to have some FLOSS tools in the mix, for the (probably tiny) minority of users who do care about that. But the average editor will be much better served by a tool that has good UX, a cloud backup (so you don't lock yourself out if you lose your phone) and good enough security practices that the cloud backup won't get broken into. I haven't reviewed the list but I'd be surprised if there would be FLOSS tools which meet that bar. Tgr (talk) 07:38, 15 December 2023 (UTC)
 * I can vouch for Authy as a much better option than Google Authenticator or most of the listed ones - it allows cloud backups, which means you won't have to deal with the nonsense that often happens when your phone dies or is replaced. It also works on Android, iOS, Mac, Windows and Linux (and syncs between them, so again if you lose your phone its not a problem). I've been using it for a few years now, and had no issues. — Preceding unsigned comment added by The Wordsmith (talk • contribs) 22:11, 18 December 2023 (UTC)
 * As above, seems OK to add more that are useful. — xaosflux  Talk 18:58, 12 January 2024 (UTC)
 * Authy's desktop apps will be discontinued in August 2024. I oppose recommending Authy, as it has a highly questionable privacy policy and requires a phone number to sign up. Editors should not be recommended tools that expose much more of their personal information than Wikipedia itself does, particularly when there is a plethora of less intrusive options. —  Newslinger  talk   20:51, 12 January 2024 (UTC)
 * Authy gets a grade B on tosdr (which is not too bad, Wikipedia also gets a grade B) and at a glance doesn't seem to be doing anything surprising or untoward with personal data. Tgr (talk) 17:56, 13 January 2024 (UTC)
 * It's not clear to me how Terms of Service; Didn't Read grades these policies, but even the their summary of Authy's privacy policy shows many more issues than their summary of Wikimedia's privacy policy. Here are some of the issues ToS;DR lists that are unique to Authy:
 * Tracking via third-party cookies for advertising
 * The service can sell or otherwise transfer your personal data as part of a bankruptcy proceeding or other type of financial transaction
 * This service gives your personal data to third parties involved in its operation
 * You must provide your legal name, pseudonyms are not allowed
 * What ToS;DR completely misses (due to not being in its scope) is the fact that 2FA apps are very simple software products that do not need to collect any information from users other than the keys required to generate the verification codes. The following items that Authy collects (per Authy's privacy policy) are unnecessary for a 2FA service:
 * Phone number
 * "We use that phone number to identify you, to provide you 2FA services, and to maintain logs for security and anti-fraud purposes."
 * "If you change your phone number or email associated with your Authy account, we will also keep a log of that."
 * Login history, IP address history
 * "When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application you logged in to, that you logged in, and when. We collect this information to monitor for suspicious activity and also as another piece of information that could be used to verify your identity if we suspect your account may be compromised."
 * Location history
 * "If you have location services turned on, we collect your location based on your IP address. We use this information for anti-fraud purposes, to check for suspicious activity and, again, as another piece of information we can use to verify your identity if we suspect your account may be compromised."
 * There are many 2FA apps that do not collect any of this personal information or share any data with third parties. 2FA apps do not need to monitor users for "anti-fraud purposes" to do their job. Authy collects too much data, which puts users at additional risk when there is a security incident like Authy's data breach in 2022. That is why I oppose recommending Authy. —  Newslinger  talk   19:29, 13 January 2024 (UTC)
 * It's not hard to see how these pieces of information could be useful for 2FA - the phone can be used as a fallback identification method in case of suspected account takeover, and the IP and location history can be used to detect such a takeover. Storing that data isn't that bad IMO as long as the data is not sold, and only passed to service providers who are under contractual restrictions to likewise not sell it (which seems to be the case).
 * The data breach is bad (AIUI it wasn't primarily about personal information, the attackers stole credentials that could be used to generate 2FA codes); this is a tradeoff in using a cloud service vs. a 2FA tool that isn't backed up. In the first case you risk your credentials getting stolen in ways you have no control over, in the second case you risk getting locked out of your account when you lose your device. Neither is ideal but IMO for the average user getting locked out is a bigger risk and has worse consequences. If you are a checkuser or interface admin, you might want to weigh the security side of the tradeoff higher.
 * (Then again if you use a strong unique password, even a stolen 2FA seed isn't really exploitable.)
 * To be clear I'm not arguing for Authy (I haven't done any research on it, nor the alternatives) but none of this sounds instantly disqualifying to me. Although in general I think larger options (like Google or Microsoft) are safer - such huge companies tend to spend more on security. Tgr (talk) 05:51, 16 January 2024 (UTC)

Misleading: Implies any user can request 2FA
The articles states "Any editor can improve their account security by using 2FA". It also says that "If you are not in [a group that has automatic access to 2FA], you need to submit a request". The issue is the page where you make a request is a semi-protected page on meta.wikimedia.org, so only users who have at least 5 edits on meta.wikimedia.org (not wikipedia) can make a request. The Elysian Vector Fields (talk) 02:30, 16 March 2024 (UTC)
 * Users without autoconfirmed status on Meta can request on the talk page (as you have done). That could be added to this help page. -- Ajraddatz (talk) 03:04, 17 March 2024 (UTC)