Skip to Content
Last modified by Agnease on 2026/06/24 16:39
From version 16.1
edited by Agnease
on 2026/06/24 14:52
Change comment: Upload new image "mfa-admin-overview.png", version 1.1
To version 25.4
edited by Agnease
on 2026/06/24 16:14
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -1,6 +1,5 @@
1 1  {{velocity}}
2 2  #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 -#set ($discard = $xwiki.ssx.use('products.WebHome'))
4 4  
5 5  #set ($mainCapabilityItems = [{
6 6   'title': 'Second verification step',
... ... @@ -11,40 +11,40 @@
11 11   'icon': 'mobile',
12 12   'content': 'Let users verify access with time-based TOTP codes generated by authenticator applications.'
13 13  },{
14 - 'title': 'Email verification codes',
15 - 'icon': 'envelope-o',
16 - 'content': 'Send one-time verification codes by email when this method is enabled or combined with app codes.'
13 + 'title': 'Recovery and trusted devices',
14 + 'icon': 'shield',
15 + 'content': 'Provide backup access with recovery codes and reduce repeated prompts on trusted browsers.'
17 17  }])
18 18  
19 19  #set ($adminExperienceItems = [{
20 - 'title': 'MFA policy',
19 + 'title': 'Rollout policy',
21 21   'icon': 'cog',
22 - 'content': 'Make MFA optional or required for all users from the XWiki Administration section.'
21 + 'content': 'Make additional verification optional at first or required for all users from the XWiki Administration section.'
23 23  },{
24 - 'title': 'Recovery and trusted devices',
25 - 'icon': 'shield',
26 - 'content': 'Configure recovery-code count and trusted-device duration according to the organization security policy.'
23 + 'title': 'Configuration options',
24 + 'icon': 'sliders',
25 + 'content': 'Set the authenticator issuer name, recovery-code count and trusted-device duration.'
27 27  },{
28 28   'title': 'Administration overview',
29 29   'icon': 'table',
30 - 'content': 'Review MFA adoption across users with summary indicators and a filterable Live Data table.'
29 + 'content': 'Review adoption with summary indicators and a filterable Live Data table.'
31 31  }])
32 32  
33 33  #set ($userExperienceItems = [{
34 34   'title': 'Self-service setup',
35 35   'icon': 'qrcode',
36 - 'content': 'Users configure MFA from their profile by scanning a QR code or entering the setup key manually.'
35 + 'content': 'Users configure the second verification step from their profile by scanning a QR code or entering the setup key manually.'
37 37  },{
38 - 'title': 'Familiar login flow',
37 + 'title': 'Login verification',
39 39   'icon': 'sign-in',
40 - 'content': 'After the normal login, users enter the configured verification code before accessing XWiki.'
39 + 'content': 'After the normal login, users enter the verification code generated by their authenticator app.'
41 41  },{
42 - 'title': 'Profile management',
43 - 'icon': 'user',
44 - 'content': 'Users can review MFA status, manage recovery codes and remove trusted devices from their profile.'
41 + 'title': 'Trusted browser option',
42 + 'icon': 'desktop',
43 + 'content': 'Users can trust the current browser for the configured duration after successful verification.'
45 45  }])
46 46  
47 -#set ($recoveryItems = [{
46 +#set ($selfServiceItems = [{
48 48   'title': 'Recovery codes',
49 49   'icon': 'life-ring',
50 50   'content': 'Recovery codes provide backup access when a user loses access to the authenticator application.'
... ... @@ -51,11 +51,25 @@
51 51  },{
52 52   'title': 'Trusted devices',
53 53   'icon': 'desktop',
54 - 'content': 'Trusted browsers or devices can skip repeated MFA prompts for a configured period.'
53 + 'content': 'Trusted devices can be reviewed and removed from the user profile.'
55 55  },{
56 - 'title': 'Administrator reset',
55 + 'title': 'Profile management',
56 + 'icon': 'user',
57 + 'content': 'Users can review status, generate recovery codes, manage trusted devices and reset their setup.'
58 +}])
59 +
60 +#set ($adminSupportItems = [{
61 + 'title': 'User status',
62 + 'icon': 'user',
63 + 'content': 'Administrators can open a user profile and check the verification status for that account.'
64 +},{
65 + 'title': 'Setup reset',
57 57   'icon': 'refresh',
58 - 'content': 'Administrators can reset a user MFA setup when the user needs to restart the configuration process.'
67 + 'content': 'Administrators can reset the setup when a user needs to restart the configuration process.'
68 +},{
69 + 'title': 'Controlled recovery',
70 + 'icon': 'unlock-alt',
71 + 'content': 'Resetting the setup removes the authenticator configuration, recovery codes and trusted devices for that user.'
59 59  }])
60 60  
61 61  #set ($rolloutItems = [{
... ... @@ -62,17 +62,17 @@
62 62   'title': 'Start with a pilot group',
63 63   'content': 'Test the extension with administrators or a small user group before enabling it widely.'
64 64  },{
65 - 'title': 'Define the MFA policy',
66 - 'content': 'Decide whether MFA should be optional, required for administrators, or required for all users.'
78 + 'title': 'Define the rollout policy',
79 + 'content': 'Decide whether additional verification should be optional at first or required for all users.'
67 67  },{
68 68   'title': 'Configure recovery options',
69 - 'content': 'Choose whether recovery codes and trusted devices should be enabled.'
82 + 'content': 'Choose the number of recovery codes and whether trusted devices should be allowed.'
70 70  },{
71 71   'title': 'Inform users',
72 - 'content': 'Explain how users configure MFA, save recovery codes and manage trusted devices.'
85 + 'content': 'Explain how users configure the authenticator app, save recovery codes and manage trusted devices.'
73 73  },{
74 74   'title': 'Monitor adoption',
75 - 'content': 'Use the administration overview to identify users who still need to configure MFA.'
88 + 'content': 'Use the administration overview to identify users who still need to configure protection.'
76 76  }])
77 77  
78 78  {{html clean="false"}}
... ... @@ -81,14 +81,14 @@
81 81   <div class="container hero-inner">
82 82   <div class="hero-kicker">
83 83   <i class="fa fa-lock" aria-hidden="true"></i>
84 - XWiki 2FA and MFA
97 + XWiki 2FA with MFA rollout support
85 85   </div>
86 86  
87 87   <h1 id="product-title">XWiki Two-Factor Authentication</h1>
88 88  
89 89   <p class="lead">
90 - Protect XWiki logins with a second verification step using authenticator app codes,
91 - email verification codes, or both.
103 + Protect XWiki logins with authenticator app verification, recovery codes,
104 + trusted devices and administration controls for a safer rollout.
92 92   </p>
93 93  
94 94   <div class="hero-actions">
... ... @@ -105,15 +105,15 @@
105 105   <h2 id="overview-title">Two-factor authentication built into XWiki</h2>
106 106  
107 107   <p>
108 - XWiki Two-Factor Authentication adds MFA/2FA support to the standard XWiki login flow.
109 - Users continue to sign in with their normal username and password, then confirm access with
110 - an additional verification method.
121 + XWiki Two-Factor Authentication adds an additional verification step to the standard
122 + XWiki login flow. Users continue to sign in with their normal username and password,
123 + then confirm access with a time-based code from an authenticator application.
111 111   </p>
112 112  
113 113   <p>
114 - The extension supports authenticator app codes, email-delivered verification codes, or a combined
115 - setup where both methods are required. It improves account protection without replacing the familiar
116 - XWiki authentication experience.
127 + The application has evolved beyond a simple login-code screen. It supports global
128 + enforcement, recovery codes, trusted devices, user self-service, administrator
129 + reset actions and an overview for monitoring adoption.
117 117   </p>
118 118   </article>
119 119  
... ... @@ -122,11 +122,11 @@
122 122   <ul>
123 123   <li>Works with the standard XWiki login flow</li>
124 124   <li>Supports TOTP authenticator applications</li>
125 - <li>Supports email-delivered one-time codes</li>
126 - <li>Can require app and email verification together</li>
127 - <li>Includes recovery codes for backup access</li>
138 + <li>Can require additional verification for all users</li>
139 + <li>Includes one-time recovery codes</li>
128 128   <li>Can remember trusted browsers or devices</li>
129 - <li>Includes administration and user controls</li>
141 + <li>Includes user self-service controls</li>
142 + <li>Includes an administration overview</li>
130 130   </ul>
131 131   </aside>
132 132   </div>
... ... @@ -138,7 +138,8 @@
138 138   <h2 id="capabilities-title">Main capabilities</h2>
139 139  
140 140   <p class="section-intro">
141 - A focused set of MFA/2FA features for stronger XWiki account protection without changing the standard login experience.
154 + A focused set of authentication protection features for stronger XWiki account security
155 + without replacing the familiar login experience.
142 142   </p>
143 143  
144 144   <div class="product-feature-grid">
... ... @@ -165,13 +165,14 @@
165 165   <h2 id="security-title">Useful for XWiki security and access protection</h2>
166 166  
167 167   <p>
168 - Many organizations need multi-factor authentication for internal tools, knowledge bases,
169 - intranets, documentation platforms and systems containing operational or sensitive information.
182 + Many organizations use XWiki to store internal documentation, procedures, operational
183 + knowledge and business-critical information. Adding an additional authentication factor helps
184 + reduce the risk of account compromise when a password is exposed or reused.
170 170   </p>
171 171  
172 172   <p>
173 - For XWiki, adding two-factor authentication directly to the standard login flow helps protect
174 - administrator accounts, remote users, private knowledge bases and customer or partner portals.
188 + The extension is especially useful for protecting administrator accounts, remote users,
189 + private knowledge bases and customer or partner portals.
175 175   </p>
176 176   </article>
177 177  
... ... @@ -183,7 +183,7 @@
183 183   <li>Private documentation platforms</li>
184 184   <li>Remote user access protection</li>
185 185   <li>Customer or partner portals</li>
186 - <li>Security review and NIS 2 readiness initiatives</li>
201 + <li>Security review, MFA rollout and compliance readiness</li>
187 187   </ul>
188 188   </aside>
189 189   </div>
... ... @@ -192,10 +192,11 @@
192 192  
193 193  <section aria-labelledby="admin-experience-title">
194 194   <div class="container">
195 - <h2 id="admin-experience-title">Administrator experience</h2>
210 + <h2 id="admin-experience-title">Administrator configuration and monitoring</h2>
196 196  
197 197   <p class="section-intro">
198 - Administrators can configure the MFA policy, monitor adoption and reset user MFA setups when needed.
213 + Administrators can configure the policy, define recovery options and monitor adoption
214 + from the XWiki Administration section.
199 199   </p>
200 200  
201 201   <div class="product-feature-grid">
... ... @@ -218,12 +218,13 @@
218 218  {{gallery}}
219 219  [[image:mfa-admin-configuration.png]]
220 220  [[image:mfa-admin-overview.png]]
237 +[[image:mfa-admin-full.png]]
221 221  {{/gallery}}
222 222  
223 223  {{html clean="false"}}
224 224  
225 225   <p class="product-gallery-caption">
226 - Administration screens for configuring MFA and reviewing MFA adoption across users.
243 + Administration screens for configuring the policy and reviewing adoption across users.
227 227   </p>
228 228   </div>
229 229  </section>
... ... @@ -230,10 +230,11 @@
230 230  
231 231  <section class="product-section-muted" aria-labelledby="user-experience-title">
232 232   <div class="container">
233 - <h2 id="user-experience-title">User experience</h2>
250 + <h2 id="user-experience-title">User setup and login verification</h2>
234 234  
235 235   <p class="section-intro">
236 - Users can configure MFA from their profile and complete the second verification step during login.
253 + Users can configure the authenticator app from their profile or during the enforced setup flow,
254 + then verify future logins with a generated code.
237 237   </p>
238 238  
239 239   <div class="product-feature-grid">
... ... @@ -262,14 +262,14 @@
262 262  {{html clean="false"}}
263 263  
264 264   <p class="product-gallery-caption">
265 - User setup and login verification screens.
283 + User setup, enforced configuration and login verification screens.
266 266   </p>
267 267   </div>
268 268  </section>
269 269  
270 -<section aria-labelledby="recovery-title">
288 +<section aria-labelledby="self-service-title">
271 271   <div class="container">
272 - <h2 id="recovery-title">Recovery codes and trusted devices</h2>
290 + <h2 id="self-service-title">Recovery codes and trusted devices</h2>
273 273  
274 274   <p class="section-intro">
275 275   Recovery codes and trusted devices help balance stronger access protection with a smoother user experience.
... ... @@ -276,7 +276,7 @@
276 276   </p>
277 277  
278 278   <div class="product-feature-grid">
279 - #foreach ($entry in $recoveryItems)
297 + #foreach ($entry in $selfServiceItems)
280 280   <article class="product-feature">
281 281   <div class="card-heading">
282 282   <div class="feature-icon">
... ... @@ -293,9 +293,47 @@
293 293  {{/html}}
294 294  
295 295  {{gallery}}
296 -[[image:mfa-recovery-codes.png]]
297 -[[image:mfa-trusted-devices.png]]
298 298  [[image:mfa-user-profile-overview.png]]
315 +[[image:mfa-recovery-codes-not-generated.png]]
316 +[[image:mfa-recovery-codes-generated.png]]
317 +[[image:mfa-trusted-devices.png]]
318 +[[image:mfa-user-profile-full.png]]
319 +{{/gallery}}
320 +
321 +{{html clean="false"}}
322 +
323 + <p class="product-gallery-caption">
324 + User profile screens for recovery codes, trusted devices and self-service management.
325 + </p>
326 + </div>
327 +</section>
328 +
329 +<section class="product-section-muted" aria-labelledby="admin-support-title">
330 + <div class="container">
331 + <h2 id="admin-support-title">Administrator support and user recovery</h2>
332 +
333 + <p class="section-intro">
334 + Administrators can help users recover from lost devices or restart setup when needed.
335 + </p>
336 +
337 + <div class="product-feature-grid">
338 + #foreach ($entry in $adminSupportItems)
339 + <article class="product-feature">
340 + <div class="card-heading">
341 + <div class="feature-icon">
342 + <i class="fa fa-$entry.icon" aria-hidden="true"></i>
343 + </div>
344 + <h3>$entry.title</h3>
345 + </div>
346 +
347 + <p>$entry.content</p>
348 + </article>
349 + #end
350 + </div>
351 +
352 +{{/html}}
353 +
354 +{{gallery}}
299 299  [[image:mfa-admin-user-management.png]]
300 300  {{/gallery}}
301 301  
... ... @@ -302,11 +302,81 @@
302 302  {{html clean="false"}}
303 303  
304 304   <p class="product-gallery-caption">
305 - Recovery codes, trusted devices and user profile management.
361 + Administrator view for checking and resetting a user setup.
306 306   </p>
307 307   </div>
308 308  </section>
309 309  
366 +<section aria-labelledby="faq-title">
367 + <div class="container">
368 + <h2 id="faq-title">Frequently asked questions</h2>
369 +
370 + <p class="section-intro">
371 + Common questions about how the extension works, how users configure it and how administrators can manage rollout and recovery.
372 + </p>
373 +
374 + <div class="resource-content">
375 + <details class="resource-faq-item">
376 + <summary>Does this extension replace the standard XWiki login?</summary>
377 + <p>
378 + No. Users still sign in with their normal XWiki username and password. The extension adds
379 + an additional verification step after the standard login check.
380 + </p>
381 + </details>
382 +
383 + <details class="resource-faq-item">
384 + <summary>Which verification method is used?</summary>
385 + <p>
386 + Users verify access with time-based codes generated by an authenticator application.
387 + The setup page provides a QR code and a manual setup key.
388 + </p>
389 + </details>
390 +
391 + <details class="resource-faq-item">
392 + <summary>Can the second verification step be required for all users?</summary>
393 + <p>
394 + Yes. Administrators can make the verification step optional or required for all users
395 + from the XWiki Administration section.
396 + </p>
397 + </details>
398 +
399 + <details class="resource-faq-item">
400 + <summary>What happens if a user loses access to the authenticator app?</summary>
401 + <p>
402 + Recovery codes can provide backup access when enabled. Administrators can also reset
403 + the user setup so the configuration process can be restarted.
404 + </p>
405 + </details>
406 +
407 + <details class="resource-faq-item">
408 + <summary>Can trusted browsers or devices be disabled?</summary>
409 + <p>
410 + Yes. Administrators can configure how long trusted devices remain valid. Setting the
411 + trusted-device duration to 0 disables this option.
412 + </p>
413 + </details>
414 +
415 + <details class="resource-faq-item">
416 + <summary>Is this only a basic 2FA login-code screen?</summary>
417 + <p>
418 + No. The main login mechanism is two-factor authentication, but the application also includes
419 + features needed for a safer organization-wide rollout: enforcement policy, recovery codes,
420 + trusted devices, user self-service, administrator monitoring and administrator reset actions.
421 + </p>
422 + </details>
423 +
424 + <details class="resource-faq-item">
425 + <summary>Is this enough for compliance on its own?</summary>
426 + <p>
427 + No. This extension provides an important access-protection control, but it should be part
428 + of a broader security and compliance approach that includes permissions, upgrades,
429 + infrastructure, monitoring and operational procedures.
430 + </p>
431 + </details>
432 + </div>
433 + </div>
434 +</section>
435 +
310 310  <section class="product-section-muted" aria-labelledby="rollout-title">
311 311   <div class="container">
312 312   <div class="product-layout">
... ... @@ -314,8 +314,9 @@
314 314   <h2 id="rollout-title">Rollout recommendations</h2>
315 315  
316 316   <p>
317 - For a smooth rollout, start with a small administrator or pilot group before requiring MFA for everyone.
318 - This helps validate the configuration, prepare user communication and reduce support issues.
443 + For a smooth rollout, start with a small administrator or pilot group before requiring
444 + the additional verification step for everyone. This helps validate the configuration,
445 + prepare user communication and reduce support issues.
319 319   </p>
320 320  
321 321   <ol class="process-list">
... ... @@ -339,7 +339,7 @@
339 339   <li>XWiki version</li>
340 340   <li>Single wiki or wiki farm with subwikis</li>
341 341   <li>Current authentication setup</li>
342 - <li>Optional or globally required MFA policy</li>
469 + <li>Optional or required rollout policy</li>
343 343   <li>Trusted-device policy</li>
344 344   <li>Recovery-code policy</li>
345 345   <li>Rollout communication needs</li>
... ... @@ -355,7 +355,7 @@
355 355   <h2 id="cta-title">Interested in using this extension?</h2>
356 356  
357 357   <p>
358 - Send a short message with your XWiki version, current authentication setup and MFA rollout goal.
485 + Send a short message with your XWiki version, current authentication setup and rollout goal.
359 359   </p>
360 360  
361 361   <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Contact Agnease</a>
mfa-admin-full.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +184.3 KB
Content
mfa-admin-user-management.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +26.9 KB
Content
mfa-recovery-codes-generated.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +38.5 KB
Content
mfa-recovery-codes-not-generated.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +27.0 KB
Content
mfa-trusted-devices.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +59.1 KB
Content
mfa-user-profile-full.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +197.5 KB
Content