Help:Two-factor authentication/kaa

Shortcut:
H:2FA
Bul bette Wikimedia fondınıń wikilerinde eki faktorlı autentifikaciya túsindiriledi. Sonday-aq, usı funkciyanı qosatuǵın qosımsha hújjeti menen tanısıwıńız múmkin.

Wikimedia tárepinen eki faktorlı autentifikaciya (2FA) ámelge asırılıwı esabıńız qáwipsizligin bekkemlew usılı esaplanadı. Eger eki faktorlı autentifikaciyanı isleseńiz, hár sapar parolińizge qosımsha bir mártelik altı tańbalı autentifikaciya kodı soraladı. Bul kodtı smartfonıńızdaǵı yamasa basqa autentifikaciyalawshı qurılmadaǵı qosımsha beredi. Dizimge kiriw ushın paroldi biliwińiz hám kodtı payda etiw ushın autentifikaciya qurılmasına iye bolıwıńız kerek.

Tásirlengen esaplar

Wikimediada eki faktorlı autentifikaciya házirgi waqıtta eksperimental hám qálewli túrde ámelge asırıladı (ayırım jaǵdaylardan tısqarı). Dizimge alıw ushın házirgi waqıtta administratorlar (hám interfeys redaktorları sıyaqlı admin sıyaqlı ruxsatlarǵa iye bolǵan paydalanıwshılar), byurokratlar, checkuserler, oversighters, stewards, edit filter managers hám OATH-testers global toparı menen islep shıǵarıwdı sınaqtan ótkeriwde (oathauth-enable)d access| talabı qoyıladı.

Paydalanıwshılar toparların májbúriy paydalanıw

Eki faktorlı autentifikaciyanı qáliplestiriw

  • $oathauth ruxsatına iye bolıw (ádettegi tártip boyınsha, administratorlar, byurokratlar, suppressorlar, paydalanıwshılardı tekseriwshiler hám basqa da artıqmash paydalanıwshılar toparları ushın)
  • Waqıtqa baylanıslı bir mártelik parol algoritmi (TOTP) klientine iye bolıw yaki onı ornatıw. Kópshilik paydalanıwshılar ushın bul telefon yamasa planshettegi qosımsha boladı. Hár qanday muwapıq qosımshalardan paydalanıw múmkin, ayırımları keń tarqalǵan:
    • Open-source: Aegis (Android, F-Droid), FreeOTP (Android, F-Droid, iOS), 2FAS (Android, iOS), Bitwarden Authenticator (Android, iOS), Authenticator (iOS), Authenticator.cc (Chrome, Firefox & Edge), Passman (NextCloud), KeePassXC (Linux, macOS, Windows)
    • Jabıq derek: Google Authenticator (Android, iOS) hám kópshilik iri texnologiyalıq firmalardıń autentifikator qosımshaları
    • 2FA (inglisshe Wikipedia) ushın TOTP klient sıpatında paydalanıw múmkin bolǵan kóplegen ulıwma OTP qosımshaların ulıwma salıstırıw
    • Sonday-aq, siz OATH Toolkit (Linux, macOS via Homebrew) yamasa WinAuth (Windows) sıyaqlı kompyuter klientinen paydalanıwıńız múmkin. Yadta saqlań, eger siz TOTP kodlardı payda etiw ushın paydalanılǵan kompyuterden kirseńiz, bul usıl hújimshi siziń kompyuterińizge kirgen jaǵdayda siziń akkaunttı qorǵamaydı.
    • Password managers such as Bitwarden, KeePass and Proton Pass also tend to support/have plugins to support TOTP. This bears the same limitations as the above, but may be worth looking into if you already use one for other things.
      Eki faktorlı autentifikaciyanı ámelge asırıw ushın parametrler bólimine sholıw
  • Go to Special:OATH on the project you hold one of the above rights on (this link is also available from your preferences). (For most users, this will not be here on the meta-wiki.)
  • Special:OATH presents you with a QR code containing the Two-factor account name and Two-factor secret key. This is needed to pair your client with the server.
  • Scan the QR code with, or enter the two-factor account name and key into, your TOTP client.
  • Enter the authentication code from your TOTP client into the OATH screen to complete the enrollment.

Logging in

Login screen
  • Provide your username and password, and submit as before.
  • Enter in a one-time six digit authentication code as provided by the TOTP client. Note: This code changes about every thirty seconds. If your code keeps getting rejected, check that the time on your device where your auth app is installed is correct.

Keep me logged in

If you choose this option when logging in, you normally will not need to enter an authentication code when using the same browser. Actions such as logging out or clearing browser cookies will require a code on your next login.

Some security sensitive actions, such as changing your email address or password, may require you to re-authenticate with a code even if you chose the keep-me-logged-in option.

API access

Two-factor authentication is not utilized when using OAuth or bot passwords to log in via the API.

You may use OAuth or bot passwords to restrict API sessions to specific actions, while still using two-factor authentication to protect your full access. Please note, OAuth and bot passwords can not be used to log on interactively to the website, only to the API.

For example, tools like AutoWikiBrowser (AWB) do not yet support two-factor authentication, but can use bot passwords. You may find further information on how to configure this.

Disabling two-factor authentication

Unenrolling
  • Go to Special:OATH or preferences. If you are no longer in groups that are permitted to enroll, you can still disable via Special:OATH.
  • On the disable two-factor authentication page, use your authentication device to generate a code to complete the process.

Recovery codes

OATH example recovery codes

When enrolling in two-factor authentication, you will be provided with a list of ten one-time recovery codes. Please print those codes and store them in a safe place, as you may need to use them in case you lose access to your 2FA device. It is important to note that each of these codes is single use; it may only ever be used once and then expires. After using one, you can scratch it through with a pen or otherwise mark that the code has been used. To generate a new set of codes, you will need to disable and re-enable two-factor authentication.

Disabling two-factor authentication without an authentication device

This may require two recovery codes: one to log in, and another to disable. Should you ever need to use any of your recovery codes, it is advisable to disable and re-enable to generate a fresh set of codes as soon as possible.

Recovering from a lost or broken authentication device

If you have an existing 2FA device which has simply stopped generating the correct codes, check that its clock is reasonably accurate. Time-based OTP on our wikis has been known to fail with 2 minutes difference.

Eki faktorlı autentifikaciyadan shıǵıw ushın dizimnen ótiw waqtında sizge usınılǵan tiklew kodlarınan paydalanıwıńız kerek boladı. Bunı ámelge asırıw ushın sizden ekige shekem tiklew kodlarınan paydalanıw talap etiledi:

  • Siz dizimnen ótiwińiz kerek. Eger esapqa kirmegen bolsańız, bul ushın tiklew kodınan paydalanıw kerek boladı.
  • Eki faktorlı autentifikaciyanı óshiriw ushın Special:OATH arqalı basqa tikleniw kodınan paydalanıń.

If you don't have enough recovery codes, you may contact Trust and Safety at ca(_AT_)wikimedia.org to request removal of 2FA from your account (please send an email using your registered email address of your wiki account). You should also create a task on Phabricator if you still have access to it. Please note, 2FA removal by staff is not always granted.

See wikitech:Password and 2FA reset#For users for instructions on requesting 2FA removal for your Developer account.

Web Authentication Method

Please note, most of the directions on this page are specific to the TOTP method. The WebAuthn method is more experimental and currently has no recovery options (cf. related developer task). WebAuthn has a known issue that you must make future logons on the same project that you initiate it from (tracking task). WebAuthn is not currently available for use via mobile apps (T230043).

Sonday-aq qarań

Category:User groups/kaa#Two-factor%20authentication/kaa Category:Security/kaa Category:Handbook Wikimedia-specific
Category:Handbook Wikimedia-specific Category:Security/kaa Category:User groups/kaa