As of December 2025, 2FA is available to all registered users on Wikimedia projects. See the help page.

Compared to other internet platforms, an exceptionally high number of Wikimedia users are able to take security- or privacy-sensitive actions. While these are generally trusted and competent members of the community, anyone can be phished or have their passwords stolen. If an account with such rights is taken over, it could be misused to hurt other users.

This is why the Wikimedia Foundation is shifting to a more secure system by requiring two-factor authentication (2FA) to log into accounts with sensitive permissions.

We have built a range of new features to make this easier: most importantly, users can now set up as many two-factor methods as they want, including passkeys. Once a user registers a passkey, they can then log in without using a password at all. For some users, passkeys will make logging in a quicker experience than it was for them before enabling two-factor authentication!

When determining which user groups to include, the Wikimedia Foundation Product Safety and Integrity team considered any group that had the ability to:

  • View private or confidential information (e.g., IP addresses, oversighted content)
  • Edit JS/CSS for other users (or for everyone)
  • Escalate permissions / promote users (add people to groups, including themselves)
  • Act in a capacity that implies an official role (groups whose membership carries such a role)

Users who hold sensitive permissions but don't have 2FA enabled will be contacted directly before the enforcement date with instructions on how to enable 2FA. They should visit the special page and configure an authenticator app or a security key. After that, we encourage them to also add a passkey, which greatly simplifies login and reauthentication (see the guide).

Enforcement begins with a 2-week-long grace period. During this time, it is impossible to grant sensitive permissions to users who do not have 2FA enabled. In addition, the software does not allow users with sensitive permissions to disable 2FA. If a user wishes to temporarily disable 2FA during this time, they need to request removal of the sensitive permissions first, or self-remove, if they are able. They should coordinate with Stewards on the process of disabling and enabling 2FA again.

After this period, users who don't have 2FA enabled will automatically have their sensitive permissions removed. These users may re-apply for permissions through ordinary community processes.
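The three enforcement rules above (no granting of a sensitive group to an account without 2FA, no disabling 2FA while a sensitive group is held, and automatic removal of sensitive groups once the two-week grace period ends) can be written down as a small policy model. The following is an added illustration, not MediaWiki or Wikimedia Foundation code; the group names in SENSITIVE_GROUPS are a constructed sample taken from roles mentioned on this page, not the Foundation's actual list.

```python
"""Toy model of the 2FA enforcement rules described above (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample; the real set of sensitive groups is decided by the Foundation.
SENSITIVE_GROUPS = frozenset({"checkuser", "oversight", "interface-admin", "steward"})
GRACE_PERIOD = timedelta(weeks=2)


class PolicyViolation(Exception):
    """Raised when an action is blocked by the 2FA enforcement rules."""


@dataclass
class Account:
    name: str
    groups: set
    has_2fa: bool = False

    def sensitive_groups(self) -> set:
        """Sensitive groups this account currently holds."""
        return self.groups & SENSITIVE_GROUPS


def grant_group(target: Account, group: str) -> None:
    """Rule 1: a sensitive group cannot be granted to an account without 2FA."""
    if group in SENSITIVE_GROUPS and not target.has_2fa:
        raise PolicyViolation(f"{target.name} must enable 2FA before receiving {group}")
    target.groups.add(group)


def remove_group(target: Account, group: str) -> None:
    """Removal is always allowed (by a steward, or self-removal where the user can)."""
    target.groups.discard(group)


def disable_2fa(account: Account) -> None:
    """Rule 2: 2FA cannot be disabled while any sensitive group is held."""
    held = account.sensitive_groups()
    if held:
        raise PolicyViolation(
            f"{account.name} must give up {sorted(held)} before disabling 2FA")
    account.has_2fa = False


def enforce_after_grace(accounts, enforcement_start: date, today: date) -> dict:
    """Rule 3: after the grace period, strip sensitive groups from accounts without 2FA.

    Returns {account name: set of groups removed}; empty while the grace period runs.
    """
    if today < enforcement_start + GRACE_PERIOD:
        return {}
    removed = {}
    for acct in accounts:
        if acct.has_2fa:
            continue
        lost = acct.sensitive_groups()
        if lost:
            acct.groups -= lost
            removed[acct.name] = lost
    return removed


def is_blocked(action, *args) -> bool:
    """Helper: True if the action is refused by the policy, False if it succeeds."""
    try:
        action(*args)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    alice = Account("alice", {"sysop"}, has_2fa=True)
    bob = Account("bob", {"sysop", "checkuser"}, has_2fa=False)
    grant_group(alice, "checkuser")                     # allowed: alice has 2FA
    print("grant to bob blocked:", is_blocked(grant_group, bob, "oversight"))
    print("alice disable blocked:", is_blocked(disable_2fa, alice))
    start = date(2026, 3, 1)
    print("day 9:", enforce_after_grace([bob], start, start + timedelta(days=9)))
    print("day 14:", enforce_after_grace([bob], start, start + timedelta(days=14)))
```

The order of operations a user would follow to temporarily turn 2FA off is visible in the model: remove_group first, then disable_2fa succeeds; calling disable_2fa while the group is still held is refused.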

In April 2025, the Wikimedia Foundation, in collaboration with community functionaries, investigated a bulk compromise of ~36,000 user accounts. A critical part of responding appropriately to any security incident is to make systemic improvements that reduce the likelihood and impact of that kind of incident in the future.

One of the steps we took as part of that work was to begin technically enforcing mandatory two-factor authentication for wiki interface administrators. We also expanded the technical enforcement of 2FA to oversighters and checkusers, given the privileged access they have to non-public information about editors.

In March of 2026, the Wikimedia Foundation made two-factor authentication technically mandatory for users for whom it was already required by policy. However, many other sensitive permissions do not yet have this security protection in place. To help keep our projects and users safe, we have decided to expand our technical enforcement of 2FA to all user groups that can take these actions.

This notice is posted to provide some advance warning before the change is made, and as an opportunity to collect comments from community members. We welcome input on how we can best implement 2FA enforcement actions like this, now and in the future, and on which technical improvements to 2FA and related features we should pursue to make this a smoother experience for everyone.

Please post your comments on the talk page, or if you have private feedback you can email security-help(_AT_)wikimedia.org. We're especially interested in:

  • What issues have you had, or seen others have, with two-factor authentication on Wikimedia projects? Please call out any software bugs, safety concerns, lack of documentation, difficulty with device compatibility, or anything else.
  • Are there technical security requirements other than 2FA that we should be considering as potential requirements for maintaining privileged access on the wikis?
  • What other user groups or privileges should we be focused on as we look at strengthening our security policies?
  • What do we most need to be careful about as we go about this work?
  • Any other comments or questions you have.
  1. Technically, there are both global and local steward groups, and the latter are only available to the members of the former. 2FA will be enforced on the local level first. Because of this, there will be no practical consequences of the global enforcement (set to happen later), as all stewards will have 2FA enforced by then.