2FA, or two-factor authentication is a way of adding additional security on your account. The first "factor" is your usual password that is standard for any account, the second is a code retrieved from an external device such as a smartphone, or a program on your computer. It is conceptually similar to a keycode device you may have to use when logging into internet banking.

The technical name for this is "Time-based One-time Password Algorithm", but as its acronym is the same as a popular music show featuring Jimmy Savile, we won't be using that here.

On the English Wikipedia, the following groups can use 2FA:

• Bureaucrats
• Administrators
• Checkusers
• Oversighters
• Edit Filter Managers

You'll already know if you're in one of these groups, as you'll have asked for access. If you don't recognise any of these terms, you probably can't use 2FA. Note that users with sysop rights on other projects, including test wikis hosted by Wikimedia, can also enable 2FA from those projects.

It is really important for users with advanced rights to keep their account secure. In November 2016, a number of Wikipedia administrators (including the founder, Jimbo Wales) had their accounts compromised, which were then used to vandalise the encyclopedia. As well as causing widespread disruption, the affected administrators' accounts were locked so they couldn't do anything until it was beyond doubt they had regained control.

1. Download a 2FA app onto your smartphone. Some options include:
   • freeOTP by Fedora (iOS, Android) – open source
   • Authy
   • Google Authenticator (iOS, Android)
2. Go to Special:OATH and follow the instructions.
3. The recommended authentication method with Google Authenticator is to scan a QR code. Your browser will display a box with a pattern, which you have to point the camera in your smartphone towards, as if you're taking a picture of it. (Your phone might ask you for permission to use the camera first).

   If you can't do this, Google Authenticator can supply you an account name and alphanumeric key, which gives you the same result.

4. Once you're set up, your phone will give you a verification code. Enter this into the box at the bottom of the OATH page browsed to in step 2).

That's it, you're all set up. Now read "Emergency tokens : IMPORTANT, read this".

When you now login, after entering your password you'll be asked for an authentication token. Open up the app you installed in step 1) and you should see a numeric key. Type the key in, and you should be logged back in. However, because the key is time-based, it may change while you're doing this, in which case you'll have to add the latest key instead.

Please note: Using a windows based client slightly decreases the effectiveness of a two-factor system - if someone has access to your PC and your password, they will still be able to log in

1. Download winauth^[1] (https://winauth.com/download/) onto your Windows PC.

2. Go to Special:OATH and follow the instructions

3. Enter the two-factor account name and key from the OATH screen into the program. It should show you where to put it.

4. Enter a verification code from winauth into the OATH screen to complete the enrollment.

That's it, you're all set up. Now read "Emergency tokens : IMPORTANT, read this".

When you set up 2FA, you'll be given a number of emergency tokens. You can use one of these if you can't use your smartphone (eg: if it gets broken, stolen or sold). You only get shown these tokens when you sign up and never again, so make a copy of them by selecting them from your browser and copy / pasting into Notepad. If you don't keep these tokens and also have a problem using your authentication device, you will be locked out of your account!

These can only be used one time ever each and it may take two of them to turn off 2FA.

• You still need to follow good security practices. Don't use your name, date of birth or anything obvious as a password that can be guessed in a simple dictionary attack, don't write your password down in a place anyone else can see it, and consider whether or not it's a good idea to log into public terminals including schools, libraries and airports.

If using 2FA becomes too onerous or difficult (eg: you aren't always near your phone or keycode application), you can browse to Special:OATH again and you'll be given the option to disable it. You'll need to enter a code, just as you would when logging in, and if this is correct, 2FA will be turned off.

• AWB users will not be able to log in after enabling 2FA - please see this guide for a temporary workaround

• Metawiki help page - this is quite technical.
• Technical village pump
• Emailing info-enwikimedia.org - your ticket will be dealt with by one of the OTRS technical agents
• Joining #wikipedia-en ^connect and/or #wikipedia-tech ^connect
• Contacting editors willing to assist with 2FA