
Wikivoyage:Two-factor authentication


What is conveyed here is merely an informative guide on 2FA in the context of the English Wikivoyage and is not a policy or guideline.

Two-factor authentication (2FA) is a security method that requires users to verify their identity through two distinct steps before accessing their Wikimedia account. Without it, breaking into your account is often trivial should your password be compromised, and possible anyway by trying many passwords.

In theory, 2FA combines your password with something you physically have (such as your mobile phone or a passkey). While there are ways to get around that for most schemes, an attack that just tries a list of passwords won't succeed. The drawback is that you will need the selected device for logging in, and if it is lost or broken, there will be some hassle.

As a backup, to regain access to your account, you will get a list of codes to write down and keep safe. As a last resort, you may also email [email protected] with your registered email. You can use multiple authentication apps or passkeys as your second factor (though you'll rarely need more than one, other than as a backup). Many of the apps allow you to export your setup, so that you can keep a backup and import it on a replacement device.

While some sites that use 2FA allow using it through text messages to your phone, this is insecure, as phone numbers can be temporarily rerouted by advanced attackers. It is not an option on the WMF projects.

This page does not cover the process of implementing 2FA – see the relevant pages on Meta-Wiki or the English Wikipedia for how to implement 2FA. Rather, it aims to cover what it is and more enwikivoyage-specific nuances of 2FA that neither the Meta-Wiki nor the English Wikipedia pages cover. See also w:Multi-factor authentication#Security weaknesses for some caveats.

Before December 2025, most users did not have the means to enable 2FA and use of the feature was limited to only those with advanced permissions and template editors. This is no longer the case, and all users can now enable 2FA via Special:Preferences (see relevant initiative on mediawiki.org for more information).

Although it is encouraged to enable 2FA to maximise account security for advanced rights holders, it is not required for most permissions, including sysop and bureaucrat. The only local groups that require it are interface administrators and checkusers, who are mandated to enable 2FA as per WMF policy. Additionally, from June 2026, bureaucrats will also need to enable 2FA.

There are global groups and permissions (such as global sysop and steward) that also mandate 2FA. From mid-2026, users in these groups without 2FA will be automatically removed from these groups. Bureaucrats, who previously would have needed to manually verify, no longer need to do this; the system will simply prevent the addition of such usergroups to a user with no 2FA enabled.

Before enabling 2FA, make sure that you understand what you need to log in, and that you are sure that you can recover if you, e.g., lose the device coupled with the authentication.
