Two-factor authentication (2FA) is a way of adding additional security on your account. The first "factor" is your usual password that is standard for any account. The second "factor" is a code retrieved from an app on a smartphone or computer. 2FA is conceptually similar to a security token device that banks in some countries require for online banking. Other names for 2FA systems include OTP (one-time password) and TOTP (Time-based One-time Password algorithm).

This guide explains how to enable and disable 2FA on Wikipedia for your account.

It is extremely important for administrators and editors with advanced permissions to keep their account secure. In November 2016, a number of Wikipedia administrators (including the co-founder, Jimbo Wales) had their accounts compromised, which were then used to vandalise the encyclopedia. As well as causing widespread disruption, the affected administrators' accounts were locked until it was beyond doubt they had regained control.

Any editor can improve their account security by using 2FA. This practice is recommended for editors with advanced permissions, highly recommended for administrators, and required for interface administrators.

On the English Wikipedia, the following groups automatically have access to 2FA:

• Administrators
• Bureaucrats
• CheckUsers
• Edit filter managers
• Interface administrators
• Oversighters

If you are not in one of these groups, you need to submit a request at m:Steward_requests/Global_permissions#Requests for other global permissions to be granted access to 2FA. Most users need to request access before they can use 2FA.

Users with advanced rights on other projects, including test wikis hosted by Wikimedia, can also enable 2FA from those projects.

If you have a smartphone, a 2FA smartphone app is the most secure way to use 2FA. If you don't have a smartphone, see "Enabling 2FA on desktop computers".

1. Download a 2FA app onto your smartphone. Recommended options include:
   • FreeOTP (Android, iOS): free and open-source
     • Android: Download from Google Play or F-Droid
     • iOS: Download from the App Store
   • AndOTP (Android): free and open-source
     • Android: Download from Google Play or F-Droid
   • Authenticator (iOS): free and open-source
     • iOS: Download from the App Store
   • Google Authenticator (Android, iOS): freeware
     • Android: Download from Google Play
     • iOS: Download from the App Store
2. Go to Special:Two-factor authentication and follow the instructions.
3. The recommended authentication method is to scan a QR code in the app. Your browser will display a box with a pattern, which you have to point the camera in your smartphone towards, as if you're taking a picture of it. (Your phone might ask you for permission to use the camera first.)

   If you can't scan the code, you can enter a secret key from the screen into the app, which gives you the same result.

4. Once you're set up, your phone will give you a verification code. Enter this into the box at the bottom of the Two-factor authentication page browsed to in step 2).
5. That's it, you're all set up. Now, read "Emergency tokens".

You can use apps like WinAuth and KeePassXC to handle 2FA tokens on a desktop computer. This is the recommended way to use 2FA if you don't have a smartphone.

If you normally edit with your desktop computer, using a desktop 2FA app is slightly less secure than using smartphone 2FA app, as someone with access to both your computer and your password would still be able to log in to your account.

WinAuth (Windows)

WinAuth is the recommended app for Windows users.

1. Download WinAuth onto your Windows PC.
2. Go to Special:Two-factor authentication and follow the instructions
3. Enter the two-factor account name and key from the Two-factor authentication screen into the program. It will show you where to put it.
4. Enter a verification code from WinAuth into the Two-factor authentication screen to complete the enrollment.
5. That's it, you're all set up. Now, read "Emergency tokens".

KeeWeb (Windows, macOS, Linux, online)

KeeWeb is a free and open-source password manager that also handles 2FA. The app can be downloaded to your computer or used online without installation. KeeWeb refers to 2FA as one-time passwords (OTP).

1. Download KeeWeb onto your computer, or open KeeWeb's online web app.
2. Go to Special:Two-factor authentication and follow the instructions.
3. In KeeWeb, click "New" (the plus icon).
4. Add a new entry: Click the plus icon ("Add New") at the top. Then, click "Entry".
5. Give the entry a title (e.g. "Wikipedia").
6. In the right-side pane, click "more...". Then, click "One-time passwords" and click "Enter code manually".
7. Enter the key from Wikipedia's Two-factor authentication page into the "otp" field in KeeWeb. Press Enter on your keyboard.
8. Click on "otp" to copy the 6-digit code. Paste the code into Wikipedia's Two-factor authentication page to complete the enrollment.
9. Back up your 2FA settings: Click on the gear icon ("Settings") at the bottom-right of the KeeWeb window. Optionally set a password, and then click "Save to...". Click "File" to save your 2FA settings onto your computer, or choose one of the other options to sync with Dropbox, Google Drive, OneDrive, or WebDAV.
10. That's it, you're all set up. Now, read "Emergency tokens".

When you set up 2FA, you'll be given a number of emergency tokens. You can use one of these if you can't use your smartphone (e.g. if it gets broken, stolen or sold). You only get shown these tokens when you sign up and never again, so make a copy of them by selecting/pasting them from your browser and storing them offline (paper printout or memory stick) in a safe place. If you don't keep these tokens and also have a problem using your authentication device, you will be locked out of your account!

• Each token can only be used one time - ever - and it takes two of them to turn off 2FA (the first to log on without 2FA, and the second to shut off 2FA after logging in).
• Don't store these on your smartphone - if it gets lost you won't be able to use your phone, and you just lost the codes!
• You still need to follow good security practices. Don't use your name, date of birth or anything obvious as a password that can be guessed in a simple dictionary attack, don't write your password down in a place anyone else can see it, and consider whether or not it's a good idea to log into public terminals including schools, libraries and airports.

If you are totally locked out, regaining access to your account will be very difficult and usually involve proving your identity beyond the shadow of a doubt to one of the developers via the Phabricator system who may or may not decide to manually disable 2FA in the database directly. If you cannot satisfy these requirements or the developers deny your request, it is impossible to turn 2FA off and you effectively have to create a new account.

When you now log in, after entering your password you'll be asked for an authentication token.

1. Open your 2FA app and you should see a 6-digit key.
2. Type the key in as is (with no spaces), and you should be logged back in

   Because the key is time-based, it may change while you're doing this, in which case you'll have to add the latest key instead. The application will normally indicate when a key is about to expire (e.g. in Google Authenticator, the key's colour changes from blue to red).

If using 2FA becomes too onerous or difficult (e.g. you aren't always near your phone or 2FA app), you can browse to Special:Two-factor authentication again and you'll be given the option to disable it. You'll need to enter a code, just as you would when logging in, and if this is correct, 2FA will be turned off.

• AutoWikiBrowser and Huggle users need to create a bot password after enabling 2FA. Please see Wikipedia:Using AWB with 2FA and mw:Manual:Huggle/Bot passwords for instructions.
• Clock drift: If your 2FA device's clock becomes too inaccurate (more than 30 seconds off), it will generate the wrong codes and you will not be able to log in. To prevent this, the 2FA device's clock should be kept reasonably accurate. Most smartphones and computers keep the clock in sync when they are connected to the Internet.

• If you find something on this page to be incomplete or unclear, please raise the issue on the talk page and someone will fix it.
• Contact an editor willing to assist with two-factor authentication.
• Email info-enwikimedia.org - your ticket will be dealt with by one of the OTRS technical agents.
• Discuss technical issues at the Technical village pump.
• Join #wikipedia-en ^connect and/or #wikipedia-tech ^connect.
• Metawiki help page - this is quite technical.