- The following contains content adapted from the Wikimedia documentation.
Nookipedia's implementation of two-factor authentication (2FA) is a way to strengthen the security of your account. If you enable two-factor authentication, you will be asked for a one-time six-digit authentication code every time in addition to your password. This code is provided by an app on your smartphone or other authentication device. In order to log in, you must know your password and have your authentication device available to generate the code.
Two factor authentication is currently available to all user accounts, and is required for users with bureaucrat permissions. You can set up two factor authentication by visiting Special:OATHManage. The following instructions provide more details regarding the process.
Enabling two-factor authentication
- You must have or install a Time-based One-time Password Algorithm (TOTP) client. For most users, this will be a phone or tablet application. If you have never used a TOTP client before, Google Authenticator is frequently considered to be the easiest to set up. Commonly recommended apps include:
- You must then go to Special:OATHManage to enable 2FA for your account.
- You will be presented with a QR code which will need to be scanned by your chosen TOTP client.
- You will also be shown a list of scratch codes, which must be saved somewhere secure and private.
- These codes are the only way to regain access to your account should you lose access to your TOTP device.
- Your scratch codes will only be shown to you one time, and Nookipedia does not have a way to regenerate them for you at a later time.
- Provide your username and password, and submit as before.
- Enter in a one-time six digit authentication code as provided by the TOTP client. Note: This code changes about every thirty seconds, so you will need to enter it quickly.
Keep me logged in
If you choose this option when logging in, you normally will not need to enter an authentication code when using the same browser. Actions such as logging out or clearing the browser cache will require a code on your next login.
Some security-sensitive actions, such as changing your email address or password may require you to re-authenticate with a code even if you chose the keep-me-logged-in option.
Two-factor authentication is not required when interacting with the MediaWiki API using bot passwords.
Disabling two-factor authentication
- Go to Special:OATHManage and click the 'Disable' button next to 'TOTP'.
- On the disable two-factor authentication page, use your authentication device to generate a code to complete the process.
When enrolling in two-factor authentication, you will be provided with a list of ten one-time scratch codes. Please print those codes and store them in a safe place, as you may need to use them in case you lose access to your 2FA device. It is important to note that each of these codes is single use; it may only ever be used once and then expires. After using one, you can scratch it through with a pen or otherwise mark that the code has been used. To generate a new set of codes, you will need to disable and re-enable two-factor authentication.
Disabling two-factor authentication without an authentication device
This may require two scratch codes: one to log in, and another to disable. Should you ever need to use any of your scratch codes, it is advisable to disable and re-enable to generate a fresh set of codes as soon as possible.
Recovering from a lost or broken authentication device
If you have an existing 2FA device which has simply stopped generating the correct codes, check that its clock is reasonably accurate. Time-based OTP has been known to fail with 2 minutes difference.
You will need access to the scratch codes that you were provided when enrolling in order to un-enroll from two-factor authentication. It will require you to use either one or two scratch codes to accomplish this:
- You need to be logged in. If you are not already logged in, this will require use of an extra scratch code. (2 total)
- Visit Special:OATHManage and use a different scratch code to disable two-factor authentication.
If you don't have enough scratch codes to accomplish this, you may contact Nookipedia Support at firstname.lastname@example.org to request removal of 2FA from your account (please send the email using your registered email address of your wiki account). Please note, 2FA removal by staff is not always granted.