Help talk:Two-factor authentication

Learn more about this page

This page is for discussions related to the Help:Two-factor authentication page.

Please remember to:

Sign posts using the four tildes (~~~~)
Remain civil and polite during discussions.
Place new text under old text (start a new post).

For older conversations you can see the archive index.

Please report bugs and feature requests at Wikimedia Phabricator (direct create task link).

SpBot archives all sections tagged with {{Section resolved|1=~~~~}} and sections whose most recent comment is older than 15 days. For the archive overview, see Help talk:Two-factor authentication/Archives.

Two-factor authentication must not be mandatory

Latest comment: 5 days ago4 comments4 people in discussion

Two-factor authentication is still a beta feature that should not be mandatory for any user category. Please solve problems before requiring it mandatory. When activated entering password is mandatory each time I go to any page, login procedure need to be repeated after idle time of 5 minutes (not configurable). There is more login actions than edit actions.

-- ◄ David L • talk ► 17:13, 30 March 2025 (UTC)Reply

If you are having to log in every 5 mins or when you change pages, that should have nothing to do with 2FA. Ensure you are allowing cookies, and not blocking SUL3 via auth.wikimedia.org. — xaosflux ^Talk 17:44, 30 March 2025 (UTC)Reply

Hi @DavidL: Are you still experiencing this problem, or is it fixed for you?

If it is not fixed yet, please confirm if you have tried the process of: (1) logging out, (2) then clearing your browser cookies (at least for the *.wikimedia.org and *.wikibooks.org domains), (3) and then logging back in. Thanks. Quiddity (WMF) (talk) 17:26, 31 March 2025 (UTC)Reply

@DavidL 2FA has been mandatory for interface admins since 2018 [1] for security purposes. It's concerning if you didn't follow the policy until now (or are there suddenly issues which didn't occur before?). Johannnes89 (talk) 17:58, 31 March 2025 (UTC)Reply

2FA increases the risk of losing account

Latest comment: 4 days ago2 comments2 people in discussion

Without 2FA, a strong and unique password is all I need to focus on to keep my account secure. The account security (on user's end) relies only on the existence of my life and memory, not any personal device or password paper. If my computer were stolen, just switch to another computer and change the password, and everything would be fine.

2FA increases the risk of users losing control of their accounts. To prevent that, I have to either remember the TOTP secret, or back up the scratch codes to multiple locations and keep them secret from others in the meanwhile. Both are challenging.

I hope the Foundation can reconsider the recent enforcement of 2FA for interface administrators. 2FA may make accounts more secure for ordinary users, but not for security nitpickers like me, who are more likely to apply for interface administrators. Lt2818 (talk) 12:54, 1 April 2025 (UTC)Reply

Additional 2FA factors are being explored. I expect that with more 2FA support enforcement and requirements may increase, not decrease. — xaosflux ^Talk 13:24, 1 April 2025 (UTC)Reply

Add topic