Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis

From mediawiki.org
This page is a translated version of the page Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis and the translation is 17% complete.

In an age of massive data breaches, successful phishing campaigns, and more passwords than you can remember, two-factor authentication lets you authenticate yourself to the wiki with a password that you know, and by proving that you have access to a long, random secret that is usually stored on a device you own.

Enabling two-factor authentication

To register for two-factor authentication, go to your Preferences after logging into any CentralAuth wiki, click “Enable two-factor authentication” (or visit Special:OATH directly), and follow the instructions to enable two-factor authentication for your account. You can either scan the QR code or manually enter the shared secret into your second-factor device. You can use FreeOTP (Android/iOS), Google Authenticator (Android/iOS), andOTP (Android), Authenticator (Chrome extension), Authenticator (Firefox extension), Authenticator (Edge extension), or the OATH Toolkit command line utility for Debian, openSUSE and other platforms.

Disable two-factor authentication

If you need to disable two-factor authentication (and are still in possession of your second-factor device), you can visit Special:OATH at any time, enter the current code, and two-factor authentication will be removed from your account.

Scratch codes

FAQ

Will this be mandatory?
Two-factor authentication is required for interface administrators, stewards, and a few similarly privileged roles. It's possible that we will require two-factor authentication for other accounts with access to sensitive information in the future, but we do not have concrete plans to do so at this time.
What do I do if I lose my phone/token/secret?
A user with shell access can remove your account from the two-factor configuration, which will allow you to log in and re-enable two-factor authentication with a new device. The person doing this work will need to verify your identity, preferably by signing your request with a PGP signature that the user can verify, revealing a committed identity, or verifying the request through another non-email source (most users can reset their wiki password via email, so we want to ensure a malicious person with access to your email account cannot get your second authentication factor reset also).
What protocol is used for this two-factor authentication?
We implement the OATH protocol, a specific form of Time-based One-time Password (TOTP).

See also