Help:Two-factor authentication - Meta-Wiki
From Meta, a Wikimedia project coordination wiki
Two-factor authentication (2FA) help
This page explains how two-factor authentication (2FA) works on Wikimedia projects. 2FA strengthens the security of your user account by requiring more than just a password to access your account. Wikimedia projects allow you to use authenticator apps and security keys to access your account.
When to use two-factor authentication (2FA)
Because 2FA provides increased account security, it is especially important for users with extended rights. In 2025, the Wikimedia Foundation started requiring 2FA for some of those user groups. See the Account security project page for details.
As of December 2025, 2FA is available to all registered users on the Wikimedia projects.
Available authentication methods
Authenticator apps
Authenticator apps are usually phone or tablet apps, or may be included in password managers. They generate a verification code that you use to verify your login. Example authenticator apps include Google Authenticator, Microsoft Authenticator, 1Password, and FreeOTP. To find an authenticator app for your device and operating system, see English Wikipedia's comparison of common OTP applications.
If you don't have a phone or tablet to use for 2FA, you can use an app on your desktop or laptop, though this is less secure.
Security keys
Security keys are usually external hardware devices that you connect to your primary device to verify your login. Example security key brands include YubiKey, Nitrokey, and Titan Security Key. The Wikipedia mobile apps don't support security keys, so you should add at least one authenticator app if you plan to log in through one of the Wikipedia mobile apps.
Passkeys
Passkeys are a simpler and faster way to log in: they don't require a second authentication device, like a security key or an app on your phone. Instead, passkeys are stored on your device or in your password manager, and they enable you to complete verification using your fingerprint, face scan, or a PIN code.
Before you can add a passkey, you must first set up one of the other 2FA methods.
Enable two-factor authentication
To enable 2FA for your account, you must be able to log in with your password, and have a second authentication method available to set up.
To enable 2FA for your account:
Go to Special:AccountSecurity. You can also access the same page from a link in your preferences.
Select the option to add an authenticator app or security key, then follow the steps to set it up.
Download and save or print your recovery codes.
(Optional) After you enable 2FA with an authenticator app or a security key, you can then add a passkey.
WARNING: When you enable 2FA, you receive a list of recovery codes. Print or download those codes and store them in a safe place. If you lose your device, or have a problem with your authenticator app, you need these codes to regain access to your account.
Register multiple authenticator apps or security keys for your account by repeating the steps above.
Log in with two-factor authentication
First, log in with your username and password. Your second step depends on the authentication methods you registered:
If you're using an authenticator app: Enter the verification code provided by the app. Note: This code changes about every thirty seconds. If your codes don't work, see Troubleshooting.
If you're using a security key: Follow the prompts from your web browser. If you registered both a security key and an authenticator app, the system asks for the security key first, but you can choose to enter a verification code instead. Note that the Wikipedia mobile apps don't support security keys; you must have a registered authenticator app to log in with 2FA through one of the Wikipedia mobile apps.
If you're using a passkey: Follow the prompts on your device to complete verification using your fingerprint, face scan, or PIN code.
Disable two-factor authentication
Go to Special:AccountSecurity.
Select an authentication method and click the button to remove it.
To fully disable 2FA, repeat the removal process for all your authentication methods.
If you fully disable 2FA, your recovery codes are automatically deleted.
To disable 2FA if you lost your device and the wiki automatically logged you out: see Troubleshooting.
If you can't disable 2FA because you lost access to your authentication device and recovery codes, you can attempt to recover access by asking WMF's support desk to remove 2FA from your account.
Manage your recovery codes
When you enroll in 2FA, you receive a list of ten recovery codes.
Print or download those codes and store them in a safe place.
If you lose access to your authenticator apps or security keys, you will need these codes to regain access to your account.
Each recovery code is single use: after you use it once, it is no longer valid. If you use a code, go to Special:AccountSecurity and generate a new set of codes, so you don't run out.
Related login options
Passkeys and passwordless login
Users who have added a passkey can now log in without entering their username or password (passwordless login). Clicking in the username field will display their passkey as an option to log in with.
To add a passkey:
Follow the instructions on this page to enable 2FA with a security key or an authenticator app.
After you enable 2FA, visit Special:AccountSecurity and click the button to add a passkey. If the button is inactive, see Troubleshooting.
The next time you log in, your device will show the passkey as an autofill option in the username field. Clicking this option will log you in immediately, without entering your username and password. Alternatively, you can enter your username and password as usual, and your device will prompt you to use your passkey for 2FA.
Login verification by email
If you don't enable 2FA, some of your login attempts may require email verification. This type of verification requires you to enter a code sent to the email address associated with your wiki account. You can't opt out of this security feature, which protects user accounts from unauthorized access. However, if you enable 2FA, you won't be asked for email verification since 2FA is a stronger level of protection.
Access for tools and bots
Enabling 2FA for your user account may impact your ability to log in to bot accounts or tools. Use OAuth or bot passwords to restrict API sessions to specific actions, while still using 2FA to protect access to your main user account.
For example, tools like AutoWikiBrowser (AWB) don't support 2FA, but can use bot passwords.
Troubleshooting
Verification code doesn't work
If you have an existing 2FA device which has stopped generating correct codes, check that its clock is accurate. Time-based one-time password (TOTP) on Wikimedia wikis may fail due to a time difference of just 2 minutes.
Lost access to device or authenticator app
If you still have access to any device or authentication method you registered for 2FA, use that to log in.
If you no longer have access to any of your authentication methods, use one of your recovery codes: on the two-factor login page, instead of entering a code from your authentication device, click the button to use recovery codes. Enter one of the codes you downloaded when you enabled 2FA.
The Wikipedia mobile apps don't have a separate interface to enter recovery codes. Instead, input a recovery code the same way you would a verification code from your authenticator app.
After you successfully log in, register a new 2FA method before you disable the ones associated with your lost device.
Lost or unavailable recovery codes
If you don't have recovery codes and are unable to complete two-step authentication, you can attempt to recover access by asking the Wikimedia Foundation (WMF) support desk to remove 2FA from your account.
You should only make this request as a last resort; WMF doesn't guarantee account recovery in this situation.
To file a support request:
Send an email to ca@wikimedia.org to request removal of 2FA from your account. Send the email using the email address associated with your wiki account.
If you have access to Phabricator, you can also file a ticket there to help WMF staff confirm your identity.
If your request is approved and 2FA is removed from your account: log in using only your password, and set up two-factor authentication again.
If you can't log in to your Developer account, see the documentation on wikitech for instructions on how to request 2FA removal.
Switch to a new device
If you got a new phone or want to use a different device for 2FA, add your new device before you remove your old one:
Log in using your old device for 2FA. If you lost your old device, use a recovery code to complete verification.
Use your new device to enable one or more authentication methods.
Remove the authentication methods associated with your old device.
Cannot add a passkey because button is inactive
To use passkeys, you must first enable 2FA with a security key or an authenticator app. If you have already enabled 2FA, and the button to "Add a passkey" on Special:AccountSecurity is gray or inactive, you may be using an incompatible browser or operating system. To use passkeys, you must use one of the following options:
Use an operating system with a built-in password manager, like Windows (Windows Hello) or macOS (iCloud Keychain).
Use a password manager in your browser, like Google Password Manager in Chrome.
Install a third-party password manager that can handle passkeys (like 1Password, Bitwarden, or LastPass).
If you don't have any of those options installed, or if you use an old version of your browser or operating system, you cannot use passkeys, and the button will be grayed out for you.
This is most commonly an issue for users of Firefox on Linux. Neither Firefox nor Linux has a built-in password manager, so the only way users of Firefox on Linux can use passkeys is by installing a third-party password manager, like 1Password, Bitwarden, or LastPass.
Enable 2FA on desktop and laptop computers
If you don't have a separate device to use for 2FA, you can use apps like WinAuth, Authenticator, and KeeWeb to handle 2FA tokens on many computers. This is the recommended way to enable 2FA if you don't have a smartphone or tablet computer.
If you currently use a password manager, check whether it supports 2FA. (Your password manager may also refer to 2FA as "OTP" or "TOTP".) Using your current password manager for 2FA is easier than setting up a new 2FA app.
Note: If you normally edit with your desktop computer, using a desktop 2FA app is slightly less secure than using a mobile 2FA app, as someone with access to both your computer and your password would still be able to log in to your account.
See also
Known bugs and requested improvements for Wikimedia's 2FA implementation
OATHAuth: the MediaWiki extension used for 2FA functionality
Wikimedia account security and 2FA enforcement details