A secure login is fundamental for web applications. Especially for administrators with additional rights, it must be ensured that no one else gains unauthorized access to a wiki, particularly when the wiki is reachable over the public web. Two-factor authentication (2FA) has become established as an additional method alongside the normal login, and many hosters now offer it for their applications. For MediaWiki this feature has been updated. – Dejan Savuljesku and Richard Heigl
What is two-factor authentication?
The German Wikipedia describes briefly and concisely what is meant by two-factor authentication:
“Two-Factor Authentication (2FA) refers to the proof of identity of a user by means of the combination of two different and, in particular, independent components (factors). Typical examples are bank card plus PIN at ATMs, fingerprint plus access code in buildings, or passphrase and TAN in online banking. Two-factor authentication is a special case of multi-factor authentication.”
Two-Factor Authentication for MediaWiki
How does this work in MediaWiki?
TOTP (time-based one-time password)
If you want to provide two-factor authentication for your MediaWiki, you need the OATHAuth extension. This extension implements TOTP (time-based one-time password) authentication. It adds an additional step to the login procedure, which requires the user, in addition to entering the password, to enter a token generated by a TOTP-capable provider device. Such a device may be a standalone physical token generator or, for example, an application on a smartphone. The token is generated according to the Time-based One-time Password Algorithm (OATH-TOTP) as specified in RFC 6238.
Once the extension has been installed and configured on the server side, the service can be used.
The easiest way for users to set up TOTP authentication is to download an app for their smartphone or a desktop client that will provide the tokens. Wikipedia maintains a list of clients and apps that can be used for this.
Once a user decides to enable TOTP authentication, they need to register it with their token provider by entering the secret that will be used for future token generation. Devices equipped with a camera can scan the QR code provided to speed up and simplify the registration process.
Once the wiki is registered with the token provider, the user enters the token generated by that provider when logging in, in order to complete the login process.
WebAuthn (Web Authentication)
WebAuthn is a modern web protocol for two-factor authentication. It can be used with MediaWiki through the WebAuthn extension. This extension builds on top of the OATHAuth extension, so that extension is required as well.
WebAuthn allows registering a number of modern hardware identity providers as the second factor of the authentication process. Some of the devices that can be used are the biometric devices commonly found on modern smartphones (fingerprint reader, face recognition, ...), as well as Bluetooth or NFC devices. Users can also use standalone devices designed specifically for this purpose, which are usually USB keys, commonly labeled as FIDO2 keys.
In order to use WebAuthn-capable devices, users must first register the hardware device they want to use. Users can register multiple authentication devices with their account and use any of them to confirm the login.
WebAuthn functionality is realised in the browser, so its availability depends on the browser the user is using. Older browsers do not support this functionality and cannot be used to complete a login with WebAuthn.