راهنما:اعتبارسنجی دومرحلهای
اجرای احراز هویت دو عاملی (2FA) توسط ویکیمدیا راهی برای تقویت امنیت حساب شما است. اگر احراز هویت دو عاملی را فعال کنید، هر بار علاوه بر رمز عبور، از شما یک کد احراز هویت شش رقمی یک بارمصرف درخواست میشود. این کد توسط یک برنامه در تلفن هوشمند یا دستگاه احراز هویت دیگر شما ارائه میشود. برای ورود به سیستم، باید رمز عبور خود را بدانید و دستگاه احراز هویت خود را برای تولید کد در دسترس داشته باشید.
حسابهای کاربری تحت تاثیر
احراز هویت دو عاملی در ویکیمدیا در حال حاضر آزمایشی و اختیاری است (به استثنای برخی موارد). ثبت نام به دسترسی به (oathauth-enable)
نیاز دارد، که در حال حاضر در حال آزمایش با مدیران (و کاربران با مجوزهای مدیر مانند ویرایشگران رابط کاربری)، دیوانسالاران، بازرسان کاربر، پنهانگران، ویکیبدان، مدیران پالایه ویرایش و گروه سراسری آزمایشکنندگان احراز هویت دو عاملی است.
گروههای کاربری که استفاده از احراز هویت دوعاملی برای آنها اجباری است
فعالسازی اعتبارسنجی دومرحلهای
- دسترسی فعال $oathauth داشته باشید (به طور پیش فرض، برای مدیران، دیوانسالاران، پنهانگران، بازرسان کاربر و سایر گروه های کاربری با دسترسیهای خاص فعال است).
- Have or install a Time-based One-time Password Algorithm (TOTP) client. For most users, this will be a phone or tablet application. Commonly recommended apps include:
- Open-source: Aegis (Android), FreeOTP (Android, iOS), andOTP (Android), Authenticator (iOS), Authenticator.cc (Chrome, Firefox & Edge), Passman (NextCloud), KeePassXC (Linux, macOS, Windows)
- Closed-source: Authy (Android, iOS), Google Authenticator (Android iOS)
- General comparison of many common OTP applications which could be used as TOTP client for 2FA (English Wikipedia)
- You can also use a desktop client such as the OATH Toolkit (Linux, macOS via Homebrew), or WinAuth (Windows). Keep in mind that if you log in from the computer used to generate TOTP codes, this approach does not protect your account if an attacker gains access to your computer.
- Password managers such as 1Password, Bitwarden, and KeePass also tend to support/have plugins to support TOTP. This bears the same limitations as the above, but may be worth looking into if you already use one for other things.
- Go to Special:OATH on the project you hold one of the above rights on (this link is also available from your preferences). (For most users, this will not be here on the meta-wiki.)
- Special:OATH presents you with a QR code containing the Two-factor account name and Two-factor secret key. This is needed to pair your client with the server.
- Scan the QR code with, or enter the two-factor account name and key into, your TOTP client.
- Enter the authentication code from your TOTP client into the OATH screen to complete the enrollment.
WARNING: You will also be presented with a series of 10 one-time recovery codes. You should print and safely store a copy of this page. If you lose or have a problem with your TOTP client, you will be locked out of your account unless you have access to these codes. |
ورود
- Provide your username and password, and submit as before.
- Enter in a one-time six digit authentication code as provided by the TOTP client. Note: This code changes about every thirty seconds. If your code keeps getting rejected, check that the time on your device where your auth app is installed is correct.
من را واردشده نگهدار.
If you choose this option when logging in, you normally will not need to enter an authentication code when using the same browser. Actions such as logging out or clearing browser cookies will require a code on your next login.
Some security sensitive actions, such as changing your email address or password, may require you to re-authenticate with a code even if you chose the keep-me-logged-in option.
دسترسی وبسرویس
Two-factor authentication is not utilized when using OAuth or bot passwords to log in via the API.
You may use OAuth or bot passwords to restrict API sessions to specific actions, while still using two-factor authentication to protect your full access. Please note, OAuth and bot passwords can not be used to log on interactively to the website, only to the API.
For example, tools like AutoWikiBrowser (AWB) do not yet support two-factor authentication, but can use bot passwords. You may find further information on how to configure this.
غیرفعالسازی اعتبارسنجی دومرحلهای
If you already have 2FA enabled, removing the permission that allows you to enroll in 2FA WILL NOT disable 2FA. You need to follow the process below to disable it. |
- Go to Special:OATH or preferences. If you are no longer in groups that are permitted to enroll, you can still disable via Special:OATH.
- On the disable two-factor authentication page, use your authentication device to generate a code to complete the process.
کدهای موقت
When enrolling in two-factor authentication, you will be provided with a list of ten one-time recovery codes. Please print those codes and store them in a safe place, as you may need to use them in case you lose access to your 2FA device. It is important to note that each of these codes is single use; it may only ever be used once and then expires. After using one, you can scratch it through with a pen or otherwise mark that the code has been used. To generate a new set of codes, you will need to disable and re-enable two-factor authentication.
غیرفعالسازی اعتبارسنجی دومرحلهای بدون وسیله اعتبارسنج
This may require two recovery codes: one to log in, and another to disable. Should you ever need to use any of your recovery codes, it is advisable to disable and re-enable to generate a fresh set of codes as soon as possible.
بازیابی از دستگاه اعتبارسنج گمشده یا خرابشده
If you have an existing 2FA device which has simply stopped generating the correct codes, check that its clock is reasonably accurate. Time-based OTP on our wikis has been known to fail with 2 minutes difference.
You will need access to the recovery codes that you were provided when enrolling in order to un-enroll from two-factor authentication. It will require you to use up to two recovery codes to accomplish this:
- You need to be logged in. If you are not already logged in, this will require use of a recovery code.
- Visit Special:OATH and use a different recovery code to disable two-factor authentication.
If you don't have enough recovery codes, you may contact Trust and Safety at ca wikimedia.org to request removal of 2FA from your account (please send an email using your registered email address of your wiki account). You should also create a task on Phabricator if you still have access to it. Please note, 2FA removal by staff is not always granted.
See wikitech:Password and 2FA reset#For users for instructions on requesting 2FA removal for your Developer account.
Web Authentication Method
Please note, most of the directions on this page are specific to the TOTP method. The WebAuthn method is more experimental and currently has no recovery options (cf. related developer task).
WebAuthn has a known issue that you must make future logons on the same project that you initiate it from (tracking task).
جستارهای وابسته
- The concept of multi-factor authentication in the English Wikipedia and a Wikidata item about it
- Known bugs and requested improvements of Wikimedia's two-factor authentication are collaborated on and tracked in Phabricator
- OATHAuth is the MediaWiki extension used for this functionality
- Wikimedia Security Team/Two-factor Authentication for CentralAuth wikis
- Help:Two-factor authentication in the MediaWiki.org