Configure 2FA For MediaWiki

From BeeWiki
Revision as of 20:19, 5 December 2024 by Dennis (talk | contribs) (Enable 2FA)

How to use OATHAuth in MediaWiki

Configure OATHAuth

The version of MediaWiki I'm using has OATHAuth preinstalled. To configure your MediaWiki instance to allow users to enable two-factor authentication, simply add

wfLoadExtension( 'OATHAuth' );

to the end of the LocalSettings.php file located in the root of the MediaWiki directory. Then restart your HTTP server. In my case I simply run

sudo systemctl restart httpd

Install oathtool

There are a number of OATH clients on the market, but I decided to just install the oathtool command line tool on my Fedora-based laptop, by running

sudo dnf install oathtool.x86_64

Apple has the same functionality built into the Passwords app, but as I only log in from my Fedora-based laptop, it's easier to run a command and copy the output to my clipboard. You do you.

I'm using the Vector 2020 skin, so if your screen looks different, you're likely using a different skin.

Enable 2FA

I created an account called Test2fa to illustrate how to enable Two-Factor Authentication. After you log in with username & password, open your Preferences dialog.

open your Preferences dialog

In the User Profile tab of the Preferences dialog, hit the Manage button in the Two-Factor Authentication section.

Hit the Manage button

Next, enable the Time-based One Time Password by hitting the Enable button.

Hit Enable button

It makes you log in again because reasons.

Identify & authenticate yourself

You will be presented with a page of information. This information will never change. The secret key will be used by oathtool to generate the 6-digit TOTP. Save it all, including the recovery codes, in case you screw things up.

This is just a temporary account I've since deleted. Keep all your information secret.

Save all this shiz

Open a terminal window, and run oathtool as follows.

oathtool --base32 --totp "LEQ3 7TOA CM6G 27PZ"

This will generate the six-digit code that you will use during your new login process.

Run oathtool command line tool
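
The Python sketch below is an added example, not part of the original page and not oathtool's own code. It computes the same RFC 6238 value as oathtool --base32 --totp, but reads the secret key from an owner-only file rather than the command line, where it would end up in shell history and the process list. The function names and the ~/.wiki-totp path are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import stat
import struct
import sys
import time


def normalize_secret(secret):
    """Decode a base32 secret as the wiki displays it (grouped, unpadded)."""
    compact = "".join(secret.split()).upper()
    compact += "=" * (-len(compact) % 8)  # b32decode requires padding
    return base64.b32decode(compact)


def load_secret(path):
    """Read the secret from a file, refusing group/other-accessible files."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; run chmod 600 on it")
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps, 6 digits (oathtool's defaults)."""
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(normalize_secret(secret), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Hypothetical default path; the file holds only the base32 secret key.
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.wiki-totp")
    print(totp(load_secret(path)))
```

The code changes every 30 seconds and depends on the laptop's clock, so a clock that has drifted far from the server's will produce codes the wiki rejects.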