Two-factor authentication is a form of multi-factor authentication that can be used to provide additional security for your account in the event that it is compromised. If enabled, you will need two things to log in to your account:
- Something you know. This would be your usual password.
- Something you have. This would be a phone or a mobile device that you own.
With two-factor authentication enabled, even if a hacker were to gain access to your password, they still wouldn't be able to get into your account unless they also managed to get your mobile device. This added step can drastically improve your account security and make it much harder for it to be compromised.
Two-factor authentication is not a replacement for good account security practices, nor is it a replacement for having a strong password. Two-factor authentication should be your last defense against an attack, not your first. See Help:User account security for more things you need to do in order to keep your account safe.
Enabling two-factor authentication
To enable two-factor authentication, follow the steps below.
- Download a TOTP app to your mobile device. There are plenty of these apps for both Android and iOS. Recommended options include:
  - Google Authenticator, a basic but effective 2FA app, available for both Android and iOS.
  - FreeOTP, a free and open source 2FA app, available for both Android and iOS.
  - Authy, a 2FA service that allows tokens and codes to be synced across devices, available for Android, iOS, and desktop (phone number needed for registration).
  - LastPass Authenticator, a 2FA service that also has cloud-sync functionality, available for Android and iOS (free LastPass account required).
  - andOTP, a free and open source 2FA app available for Android.
  - Authenticator, a free and open source 2FA app available for iOS.
- Go to Special:Two-factor authentication.
- Add your account to the 2FA app. This is usually done by scanning the QR code provided on the screen using your 2FA app (the app may ask you to grant permission to use your device's camera first). Point your device's camera at the QR code as if you were taking a picture of it, and the app will automatically add the account once it sees it.
  - If for some reason you're unable to scan the QR code, you can alternatively enter the secret key into the app manually to add your account.
  - Once you've successfully added your account, the app should start displaying a six-digit code on the screen, along with a countdown timer. The code changes each time that timer runs out.
- Write down the scratch codes provided on the screen. This is important—if for some reason your 2FA app doesn't work or if you've lost access to it, these will be the only ways of regaining access to your account. Make sure you write all of them down and store them somewhere secure. These codes will never be shown again after this step!
- All set? Enter the six digit code your phone gives you into the text box at the bottom of the page and click Submit.
Logging in
When you log in with two-factor authentication enabled, you will need to provide your username and password like normal. After doing so, you will be taken to an additional confirmation step where you will be asked to enter a six digit code generated by your phone.
- Open the 2FA app that you used to set up two-factor authentication on your account.
- Enter the six digit code, without spaces, into the field as prompted. These codes change every thirty seconds, so if the code expires or is about to expire while you're typing it in, you will need to type in the latest one instead.
Once you've entered the six digit code, click "Continue login" and you will be logged into your account like usual.
Keep me logged in
If you select this field when first entering your username and password, you won't have to enter an authentication code when using the same browser, as you will remain logged in to your account. Don't check this option if you're using a public computer! If you log out or clear your browser cookies, you will need to enter an authentication code when you log back in.
Some security-sensitive actions, such as changing your email address or password, will require you to enter your username, password, and authentication code even if you chose the "Keep me logged in" option.
API access
Some tools, like AutoWikiBrowser, may fail to log in when used with an account that has two-factor authentication enabled. In these cases, you must use either OAuth or bot passwords to log in to your account, as these two login methods don't utilize two-factor authentication.
Note that neither OAuth nor bot passwords allow a user to log in using the website, only to the API. As such, these login methods are only for programs that use the API to do their work.
Adding multiple devices
If you would like to add multiple devices to your account, you must register all of them at the same time when you set up two-factor authentication. For example, if you have two mobile devices and would like to be able to use either of them to log into your account, scan the QR code or enter the secret key on both of the devices before entering the six-digit verification code to finalize setup.
If you have already set up two-factor authentication on your account and would like to add more devices, you must first disable two-factor authentication on your account and then set it up again.
Additionally, you can use Authy when setting up two-factor authentication, which will allow you to sync the TOTP tokens to multiple devices. This also has the benefit of allowing you to continue generating codes for your account even if you lose the device you initially used to set up two-factor authentication with.
Scratch codes
When setting up two-factor authentication, you will be given a list of ten scratch codes. These codes can be used during the verification code step after logging in if you lose access to the mobile device you used to set up two-factor authentication, if your 2FA app got uninstalled or reset, or if the codes your phone is generating aren't working and you've been unable to resolve that problem. These codes only work once, so once you use a code, that code can never be used again. Scratch codes are never shown again after you've set up two-factor authentication, so make sure you write them down somewhere!
Here are a few things to keep in mind when using these scratch codes:
- Don't keep them on your smartphone. If you lose access to your phone, you'll lose access to these codes, and thus lose access to your account. Write them down on a piece of paper or sticky note and place them somewhere secure, like a file cabinet (don't just stick them onto your monitor in plain sight!).
- Always make sure you have at least two. If you need to disable two-factor authentication after losing your mobile device, you will need two scratch codes to disable it: one to log in, and one to disable. If you have two scratch codes left, it is best to disable two-factor authentication and then set it up again in order to generate a fresh batch of codes.
- You still need your password to log in. You can't use a scratch code alone to get into your account. Think of these scratch codes as the same kinds of codes your 2FA app generates, except that instead of expiring after a period of time, they expire when they're used. If you've forgotten your password, see Help:Reset password.
Disabling two-factor authentication
You can disable two-factor authentication at any time if you still have the 2FA app needed to access your account. If you are not able to do this, see "Can't get into your account?" below.
- Go to Special:Two-factor authentication.
- Enter your six digit code to verify.
Once this is completed, two-factor authentication will now be disabled for your account. You can set it up again at any time if you'd like.
Can't get into your account?
Although two-factor authentication is being used on virtually all major websites in the world, there are still some downsides to it that can result in you getting locked out of your own account.
My codes aren't working!
Two-factor authentication is a time-based system, so the clocks on your mobile device and on the web server need to agree for this to work. If your codes aren't working, there is a chance that your device's clock is out of sync. Most modern devices are able to automatically keep their clocks in sync to keep this from happening.
- For Android: Go to Settings → System → Date & time, then make sure "Automatic date & time" is enabled.
- For iOS: Go to Settings → General → Date & Time, then make sure "Set Automatically" is enabled.
Google Authenticator users: There is also an option within the app to sync the app's clock with Google's servers. You can do this by opening the app, tapping ⋮ at the top-right corner of the screen, tapping "Settings", "Time correction for codes", and then "Sync now".
If none of these solutions work, try using a scratch code to get into your account. If that works, use a second scratch code to disable two-factor authentication and try setting it up again.
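The following Python example is added here and is not the wiki software's own code. It computes codes as RFC 6238 TOTP and shows that a device 20 seconds fast still verifies while one 5 minutes fast does not; HMAC-SHA1, the one-step acceptance window in `verify` and the sample secret are assumptions, not details given on this page.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as stated on this page
DIGITS = 6   # code length, as stated on this page
# Constructed sample key: the RFC 6238 test secret in base32, not a real account key.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time):
    """RFC 6238 code for a given clock reading (HMAC-SHA1 is an assumed default)."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = int(unix_time) // STEP            # both sides derive this from their clock
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, code, server_time, window=1):
    """Accept a code from `window` steps either side of the server clock (assumed tolerance)."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        # Constant-time comparison, no early exit on a match.
        ok |= hmac.compare_digest(expected, code)
    return ok


def steps_out_of_sync(device_time, server_time):
    """How many 30-second steps the device clock is ahead (+) or behind (-)."""
    return int(device_time) // STEP - int(server_time) // STEP


if __name__ == "__main__":
    server_now = 1111111109                     # constructed server clock reading
    for skew in (0, 20, 300):                   # device clock fast by this many seconds
        code = totp(SECRET, server_now + skew)
        print(f"skew={skew:>3}s steps={steps_out_of_sync(server_now + skew, server_now):>2} "
              f"code={code} accepted={verify(SECRET, code, server_now)}")
```
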
I lost my phone/my phone got reset/I uninstalled the 2FA app
You will need to use a scratch code to get back into your account, and then another to disable two-factor authentication.
I ran out of scratch codes, or my scratch codes aren't working
If you've used up all of your scratch codes or if the ones you've used aren't working, only Miraheze Staff can recover your account at this point by disabling two-factor authentication on your account. They will only do this if they are 100% certain that you are the rightful owner of the account. There are two ways you can prove this:
- If you set up a committed identity, you can send your secret string to staff via email and they will be able to prove your identity.
- If you frequent IRC and talk with staff regularly or are verified on the Miraheze Discord server, you can use these venues to prove that you're the same person.
If you are not able to satisfy these requirements or if staff decline your request, it will be impossible to turn off 2FA at this point, and you will unfortunately need to create a new account.