User blog:DToast/Coming Soon: Two-Factor Authentication for Fandom Accounts

Here at Fandom, account security is a continued priority for us. Websites on the internet have many different tools and methods to protect your account. Fandom adopts these methods whenever we can, including by keeping the platform up to date - like through next year’s MediaWiki upgrade, which we announced in a staff blog yesterday.

Earlier this year we refactored our Authentication system to use the most modern security features. Some measures we’ve already implemented are state-of-the-art hashing, new cryptography, fewer points of insecurity to the login flow, updated login options, and more.

This previous groundwork is allowing us to work on an important and long-requested update that we wanted to let you know about ahead of releasing it toward the end of this year: providing two-factor authentication (2FA) for user accounts. 2FA was specifically requested by users in the previous blog and a handful of community meetings. 2FA is a simple way for all of us to keep our accounts secure so we encourage everyone to protect yourself with two-factor authentication!

Technical Background
2FA is better than single factor-authentication because it immediately neutralizes the risks associated with compromised passwords. If a password is hacked, guessed, or even phished, that's no longer enough to give an intruder access: without approval at the second factor, a password alone is useless.

So how does that work? If you decide to enable 2FA for your account - which is completely optional, though recommended - 2FA uses an app on your phone to generate a One Time Passcode (OTP) which you will be prompted to enter every time you log in. This code changes every 30 seconds and is different for each account. The result: if someone gets your password, they still can’t log in without also having your phone, which contains the OTP.

There are numerous free authentication apps on both iOS and Android app stores. A few of the most popular are Authy, Google Authenticator, and LastPass Authenticator. Any can be used and Fandom doesn’t endorse a specific app to use. Each authenticator app will have the ability to scan our provided QR code using your authenticator app or entering our authenticator app secret. Set up only takes a few minutes and your account will immediately be more secure.

While a connected account (signing in with Facebook, Google, Twitch, or Apple) does provide a layer of security by using those individual passwords. 2FA provides an additional layer of security in case the connected account is compromised by a malicious actor.

How You Will Be Able To Add 2FA To Your Account

 * 2FA hasn’t been released on Fandom just yet, but once it is then you’ll be able to follow these steps to enable it:
 * Download an authenticator app
 * Launch the app
 * Visit the Fandom 2FA screen and scan the provided QR code or enter the authentication key
 * Enter and submit your code for verification
 * You’re set up! The next time you sign in you’ll be prompted to enter your code which you can retrieve by launching the authenticator app.

How to use backup codes
After you finish setting up 2FA you may want to get a list of backup codes which should be stored in a safe accessible place and are for use in case you’re away from your phone. To do this go back to the Fandom 2FA screen, select ‘generate new backup recovery codes’, save them somewhere, and ‘confirm generated codes’. Now you’re able to log in using backup recovery codes if necessary.

Close
We’re currently aiming to release the option for 2FA later this year, and we’ll follow up later on with a specific date once we’re confident we know what day we’ll release it. But this is a big and what we suspect will be a much awaited change for our more security-conscious users. After all, 2FA is an important part of account security and easy to set up. We hope by delivering on this much-requested user feature shows our continued commitment to providing our users the safest and most secure account experience possible.

Here at Fandom we have an entire engineering team focusing on security and authentication. Our systems will only get better and better. We continue to look for more options to increase your account security and expand your account access methods. Be on the lookout for more information and dates about the upcoming 2FA release. In the meantime, we’re happy to answer any questions in the comments!

es:Usuario Blog:SacredOwl/Próximamente: Autenticación de dos factores para las cuentas de Fandom pl:Blog użytkownika:Rail/Już wkrótce: Uwierzytelnianie dwuskładnikowe na Fandomie uk:Блог користувача:DDPAT Knife Series/Незабаром: двофакторна автентифікація для облікових записів Фандому