Skip to Content
Last modified by Agnease on 2026/06/24 16:39
From version 20.1
edited by Agnease
on 2026/06/24 14:58
Change comment: Upload new image "mfa-user-profile-full.png", version 1.1
To version 26.1
edited by Agnease
on 2026/06/24 16:17
Change comment: Upload new image "mfa-admin-user-management.png", version 1.2

Summary

Details

Page properties
Content
... ... @@ -1,6 +1,5 @@
1 1  {{velocity}}
2 2  #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 -#set ($discard = $xwiki.ssx.use('products.WebHome'))
4 4  
5 5  #set ($mainCapabilityItems = [{
6 6   'title': 'Second verification step',
... ... @@ -11,40 +11,40 @@
11 11   'icon': 'mobile',
12 12   'content': 'Let users verify access with time-based TOTP codes generated by authenticator applications.'
13 13  },{
14 - 'title': 'Email verification codes',
15 - 'icon': 'envelope-o',
16 - 'content': 'Send one-time verification codes by email when this method is enabled or combined with app codes.'
13 + 'title': 'Recovery and trusted devices',
14 + 'icon': 'shield',
15 + 'content': 'Provide backup access with recovery codes and reduce repeated prompts on trusted browsers.'
17 17  }])
18 18  
19 19  #set ($adminExperienceItems = [{
20 - 'title': 'MFA policy',
19 + 'title': 'Rollout policy',
21 21   'icon': 'cog',
22 - 'content': 'Make MFA optional or required for all users from the XWiki Administration section.'
21 + 'content': 'Make additional verification optional at first or required for all users from the XWiki Administration section.'
23 23  },{
24 - 'title': 'Recovery and trusted devices',
25 - 'icon': 'shield',
26 - 'content': 'Configure recovery-code count and trusted-device duration according to the organization security policy.'
23 + 'title': 'Configuration options',
24 + 'icon': 'sliders',
25 + 'content': 'Set the authenticator issuer name, recovery-code count and trusted-device duration.'
27 27  },{
28 28   'title': 'Administration overview',
29 29   'icon': 'table',
30 - 'content': 'Review MFA adoption across users with summary indicators and a filterable Live Data table.'
29 + 'content': 'Review adoption with summary indicators and a filterable Live Data table.'
31 31  }])
32 32  
33 33  #set ($userExperienceItems = [{
34 34   'title': 'Self-service setup',
35 35   'icon': 'qrcode',
36 - 'content': 'Users configure MFA from their profile by scanning a QR code or entering the setup key manually.'
35 + 'content': 'Users configure the second verification step from their profile by scanning a QR code or entering the setup key manually.'
37 37  },{
38 - 'title': 'Familiar login flow',
37 + 'title': 'Login verification',
39 39   'icon': 'sign-in',
40 - 'content': 'After the normal login, users enter the configured verification code before accessing XWiki.'
39 + 'content': 'After the normal login, users enter the verification code generated by their authenticator app.'
41 41  },{
42 - 'title': 'Profile management',
43 - 'icon': 'user',
44 - 'content': 'Users can review MFA status, manage recovery codes and remove trusted devices from their profile.'
41 + 'title': 'Trusted browser option',
42 + 'icon': 'desktop',
43 + 'content': 'Users can trust the current browser for the configured duration after successful verification.'
45 45  }])
46 46  
47 -#set ($recoveryItems = [{
46 +#set ($selfServiceItems = [{
48 48   'title': 'Recovery codes',
49 49   'icon': 'life-ring',
50 50   'content': 'Recovery codes provide backup access when a user loses access to the authenticator application.'
... ... @@ -51,11 +51,25 @@
51 51  },{
52 52   'title': 'Trusted devices',
53 53   'icon': 'desktop',
54 - 'content': 'Trusted browsers or devices can skip repeated MFA prompts for a configured period.'
53 + 'content': 'Trusted devices can be reviewed and removed from the user profile.'
55 55  },{
56 - 'title': 'Administrator reset',
55 + 'title': 'Profile management',
56 + 'icon': 'user',
57 + 'content': 'Users can review status, generate recovery codes, manage trusted devices and reset their setup.'
58 +}])
59 +
60 +#set ($adminSupportItems = [{
61 + 'title': 'User status',
62 + 'icon': 'user',
63 + 'content': 'Administrators can open a user profile and check the verification status for that account.'
64 +},{
65 + 'title': 'Setup reset',
57 57   'icon': 'refresh',
58 - 'content': 'Administrators can reset a user MFA setup when the user needs to restart the configuration process.'
67 + 'content': 'Administrators can reset the setup when a user needs to restart the configuration process.'
68 +},{
69 + 'title': 'Controlled recovery',
70 + 'icon': 'unlock-alt',
71 + 'content': 'Resetting the setup removes the authenticator configuration, recovery codes and trusted devices for that user.'
59 59  }])
60 60  
61 61  #set ($rolloutItems = [{
... ... @@ -62,17 +62,17 @@
62 62   'title': 'Start with a pilot group',
63 63   'content': 'Test the extension with administrators or a small user group before enabling it widely.'
64 64  },{
65 - 'title': 'Define the MFA policy',
66 - 'content': 'Decide whether MFA should be optional, required for administrators, or required for all users.'
78 + 'title': 'Define the rollout policy',
79 + 'content': 'Decide whether additional verification should be optional at first or required for all users.'
67 67  },{
68 68   'title': 'Configure recovery options',
69 - 'content': 'Choose whether recovery codes and trusted devices should be enabled.'
82 + 'content': 'Choose the number of recovery codes and whether trusted devices should be allowed.'
70 70  },{
71 71   'title': 'Inform users',
72 - 'content': 'Explain how users configure MFA, save recovery codes and manage trusted devices.'
85 + 'content': 'Explain how users configure the authenticator app, save recovery codes and manage trusted devices.'
73 73  },{
74 74   'title': 'Monitor adoption',
75 - 'content': 'Use the administration overview to identify users who still need to configure MFA.'
88 + 'content': 'Use the administration overview to identify users who still need to configure protection.'
76 76  }])
77 77  
78 78  {{html clean="false"}}
... ... @@ -81,14 +81,14 @@
81 81   <div class="container hero-inner">
82 82   <div class="hero-kicker">
83 83   <i class="fa fa-lock" aria-hidden="true"></i>
84 - XWiki 2FA and MFA
97 + XWiki 2FA with MFA rollout support
85 85   </div>
86 86  
87 87   <h1 id="product-title">XWiki Two-Factor Authentication</h1>
88 88  
89 89   <p class="lead">
90 - Protect XWiki logins with a second verification step using authenticator app codes,
91 - email verification codes, or both.
103 + Protect XWiki logins with authenticator app verification, recovery codes,
104 + trusted devices and administration controls for a safer rollout.
92 92   </p>
93 93  
94 94   <div class="hero-actions">
... ... @@ -105,15 +105,15 @@
105 105   <h2 id="overview-title">Two-factor authentication built into XWiki</h2>
106 106  
107 107   <p>
108 - XWiki Two-Factor Authentication adds MFA/2FA support to the standard XWiki login flow.
109 - Users continue to sign in with their normal username and password, then confirm access with
110 - an additional verification method.
121 + XWiki Two-Factor Authentication adds an additional verification step to the standard
122 + XWiki login flow. Users continue to sign in with their normal username and password,
123 + then confirm access with a time-based code from an authenticator application.
111 111   </p>
112 112  
113 113   <p>
114 - The extension supports authenticator app codes, email-delivered verification codes, or a combined
115 - setup where both methods are required. It improves account protection without replacing the familiar
116 - XWiki authentication experience.
127 + The application has evolved beyond a simple login-code screen. It supports global
128 + enforcement, recovery codes, trusted devices, user self-service, administrator
129 + reset actions and an overview for monitoring adoption.
117 117   </p>
118 118   </article>
119 119  
... ... @@ -122,11 +122,11 @@
122 122   <ul>
123 123   <li>Works with the standard XWiki login flow</li>
124 124   <li>Supports TOTP authenticator applications</li>
125 - <li>Supports email-delivered one-time codes</li>
126 - <li>Can require app and email verification together</li>
127 - <li>Includes recovery codes for backup access</li>
138 + <li>Can require additional verification for all users</li>
139 + <li>Includes one-time recovery codes</li>
128 128   <li>Can remember trusted browsers or devices</li>
129 - <li>Includes administration and user controls</li>
141 + <li>Includes user self-service controls</li>
142 + <li>Includes an administration overview</li>
130 130   </ul>
131 131   </aside>
132 132   </div>
... ... @@ -138,7 +138,8 @@
138 138   <h2 id="capabilities-title">Main capabilities</h2>
139 139  
140 140   <p class="section-intro">
141 - A focused set of MFA/2FA features for stronger XWiki account protection without changing the standard login experience.
154 + A focused set of authentication protection features for stronger XWiki account security
155 + without replacing the familiar login experience.
142 142   </p>
143 143  
144 144   <div class="product-feature-grid">
... ... @@ -165,13 +165,14 @@
165 165   <h2 id="security-title">Useful for XWiki security and access protection</h2>
166 166  
167 167   <p>
168 - Many organizations need multi-factor authentication for internal tools, knowledge bases,
169 - intranets, documentation platforms and systems containing operational or sensitive information.
182 + Many organizations use XWiki to store internal documentation, procedures, operational
183 + knowledge and business-critical information. Adding an additional authentication factor helps
184 + reduce the risk of account compromise when a password is exposed or reused.
170 170   </p>
171 171  
172 172   <p>
173 - For XWiki, adding two-factor authentication directly to the standard login flow helps protect
174 - administrator accounts, remote users, private knowledge bases and customer or partner portals.
188 + The extension is especially useful for protecting administrator accounts, remote users,
189 + private knowledge bases and customer or partner portals.
175 175   </p>
176 176   </article>
177 177  
... ... @@ -183,7 +183,7 @@
183 183   <li>Private documentation platforms</li>
184 184   <li>Remote user access protection</li>
185 185   <li>Customer or partner portals</li>
186 - <li>Security review and NIS 2 readiness initiatives</li>
201 + <li>Security review, MFA rollout and compliance readiness</li>
187 187   </ul>
188 188   </aside>
189 189   </div>
... ... @@ -192,10 +192,11 @@
192 192  
193 193  <section aria-labelledby="admin-experience-title">
194 194   <div class="container">
195 - <h2 id="admin-experience-title">Administrator experience</h2>
210 + <h2 id="admin-experience-title">Administrator configuration and monitoring</h2>
196 196  
197 197   <p class="section-intro">
198 - Administrators can configure the MFA policy, monitor adoption and reset user MFA setups when needed.
213 + Administrators can configure the policy, define recovery options and monitor adoption
214 + from the XWiki Administration section.
199 199   </p>
200 200  
201 201   <div class="product-feature-grid">
... ... @@ -224,7 +224,7 @@
224 224  {{html clean="false"}}
225 225  
226 226   <p class="product-gallery-caption">
227 - Administration screens for configuring MFA and reviewing MFA adoption across users.
243 + Administration screens for configuring the policy and reviewing adoption across users.
228 228   </p>
229 229   </div>
230 230  </section>
... ... @@ -231,10 +231,11 @@
231 231  
232 232  <section class="product-section-muted" aria-labelledby="user-experience-title">
233 233   <div class="container">
234 - <h2 id="user-experience-title">User experience</h2>
250 + <h2 id="user-experience-title">User setup and login verification</h2>
235 235  
236 236   <p class="section-intro">
237 - Users can configure MFA from their profile and complete the second verification step during login.
253 + Users can configure the authenticator app from their profile or during the enforced setup flow,
254 + then verify future logins with a generated code.
238 238   </p>
239 239  
240 240   <div class="product-feature-grid">
... ... @@ -263,14 +263,14 @@
263 263  {{html clean="false"}}
264 264  
265 265   <p class="product-gallery-caption">
266 - User setup and login verification screens.
283 + User setup, enforced configuration and login verification screens.
267 267   </p>
268 268   </div>
269 269  </section>
270 270  
271 -<section aria-labelledby="recovery-title">
288 +<section aria-labelledby="self-service-title">
272 272   <div class="container">
273 - <h2 id="recovery-title">Recovery codes and trusted devices</h2>
290 + <h2 id="self-service-title">Recovery codes and trusted devices</h2>
274 274  
275 275   <p class="section-intro">
276 276   Recovery codes and trusted devices help balance stronger access protection with a smoother user experience.
... ... @@ -277,7 +277,7 @@
277 277   </p>
278 278  
279 279   <div class="product-feature-grid">
280 - #foreach ($entry in $recoveryItems)
297 + #foreach ($entry in $selfServiceItems)
281 281   <article class="product-feature">
282 282   <div class="card-heading">
283 283   <div class="feature-icon">
... ... @@ -294,9 +294,47 @@
294 294  {{/html}}
295 295  
296 296  {{gallery}}
297 -[[image:mfa-recovery-codes.png]]
298 -[[image:mfa-trusted-devices.png]]
299 299  [[image:mfa-user-profile-overview.png]]
315 +[[image:mfa-recovery-codes-not-generated.png]]
316 +[[image:mfa-recovery-codes-generated.png]]
317 +[[image:mfa-trusted-devices.png]]
318 +[[image:mfa-user-profile-full.png]]
319 +{{/gallery}}
320 +
321 +{{html clean="false"}}
322 +
323 + <p class="product-gallery-caption">
324 + User profile screens for recovery codes, trusted devices and self-service management.
325 + </p>
326 + </div>
327 +</section>
328 +
329 +<section class="product-section-muted" aria-labelledby="admin-support-title">
330 + <div class="container">
331 + <h2 id="admin-support-title">Administrator support and user recovery</h2>
332 +
333 + <p class="section-intro">
334 + Administrators can help users recover from lost devices or restart setup when needed.
335 + </p>
336 +
337 + <div class="product-feature-grid">
338 + #foreach ($entry in $adminSupportItems)
339 + <article class="product-feature">
340 + <div class="card-heading">
341 + <div class="feature-icon">
342 + <i class="fa fa-$entry.icon" aria-hidden="true"></i>
343 + </div>
344 + <h3>$entry.title</h3>
345 + </div>
346 +
347 + <p>$entry.content</p>
348 + </article>
349 + #end
350 + </div>
351 +
352 +{{/html}}
353 +
354 +{{gallery}}
300 300  [[image:mfa-admin-user-management.png]]
301 301  {{/gallery}}
302 302  
... ... @@ -303,11 +303,81 @@
303 303  {{html clean="false"}}
304 304  
305 305   <p class="product-gallery-caption">
306 - Recovery codes, trusted devices and user profile management.
361 + Administrator view for checking and resetting a user setup.
307 307   </p>
308 308   </div>
309 309  </section>
310 310  
366 +<section aria-labelledby="faq-title">
367 + <div class="container">
368 + <h2 id="faq-title">Frequently asked questions</h2>
369 +
370 + <p class="section-intro">
371 + Common questions about how the extension works, how users configure it and how administrators can manage rollout and recovery.
372 + </p>
373 +
374 + <div class="resource-content">
375 + <details class="resource-faq-item">
376 + <summary>Does this extension replace the standard XWiki login?</summary>
377 + <p>
378 + No. Users still sign in with their normal XWiki username and password. The extension adds
379 + an additional verification step after the standard login check.
380 + </p>
381 + </details>
382 +
383 + <details class="resource-faq-item">
384 + <summary>Which verification method is used?</summary>
385 + <p>
386 + Users verify access with time-based codes generated by an authenticator application.
387 + The setup page provides a QR code and a manual setup key.
388 + </p>
389 + </details>
390 +
391 + <details class="resource-faq-item">
392 + <summary>Can the second verification step be required for all users?</summary>
393 + <p>
394 + Yes. Administrators can make the verification step optional or required for all users
395 + from the XWiki Administration section.
396 + </p>
397 + </details>
398 +
399 + <details class="resource-faq-item">
400 + <summary>What happens if a user loses access to the authenticator app?</summary>
401 + <p>
402 + Recovery codes can provide backup access when enabled. Administrators can also reset
403 + the user setup so the configuration process can be restarted.
404 + </p>
405 + </details>
406 +
407 + <details class="resource-faq-item">
408 + <summary>Can trusted browsers or devices be disabled?</summary>
409 + <p>
410 + Yes. Administrators can configure how long trusted devices remain valid. Setting the
411 + trusted-device duration to 0 disables this option.
412 + </p>
413 + </details>
414 +
415 + <details class="resource-faq-item">
416 + <summary>Is this only a basic 2FA login-code screen?</summary>
417 + <p>
418 + No. The main login mechanism is two-factor authentication, but the application also includes
419 + features needed for a safer organization-wide rollout: enforcement policy, recovery codes,
420 + trusted devices, user self-service, administrator monitoring and administrator reset actions.
421 + </p>
422 + </details>
423 +
424 + <details class="resource-faq-item">
425 + <summary>Is this enough for compliance on its own?</summary>
426 + <p>
427 + No. This extension provides an important access-protection control, but it should be part
428 + of a broader security and compliance approach that includes permissions, upgrades,
429 + infrastructure, monitoring and operational procedures.
430 + </p>
431 + </details>
432 + </div>
433 + </div>
434 +</section>
435 +
311 311  <section class="product-section-muted" aria-labelledby="rollout-title">
312 312   <div class="container">
313 313   <div class="product-layout">
... ... @@ -315,8 +315,9 @@
315 315   <h2 id="rollout-title">Rollout recommendations</h2>
316 316  
317 317   <p>
318 - For a smooth rollout, start with a small administrator or pilot group before requiring MFA for everyone.
319 - This helps validate the configuration, prepare user communication and reduce support issues.
443 + For a smooth rollout, start with a small administrator or pilot group before requiring
444 + the additional verification step for everyone. This helps validate the configuration,
445 + prepare user communication and reduce support issues.
320 320   </p>
321 321  
322 322   <ol class="process-list">
... ... @@ -340,7 +340,7 @@
340 340   <li>XWiki version</li>
341 341   <li>Single wiki or wiki farm with subwikis</li>
342 342   <li>Current authentication setup</li>
343 - <li>Optional or globally required MFA policy</li>
469 + <li>Optional or required rollout policy</li>
344 344   <li>Trusted-device policy</li>
345 345   <li>Recovery-code policy</li>
346 346   <li>Rollout communication needs</li>
... ... @@ -356,7 +356,7 @@
356 356   <h2 id="cta-title">Interested in using this extension?</h2>
357 357  
358 358   <p>
359 - Send a short message with your XWiki version, current authentication setup and MFA rollout goal.
485 + Send a short message with your XWiki version, current authentication setup and rollout goal.
360 360   </p>
361 361  
362 362   <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Contact Agnease</a>
mfa-admin-user-management.png
Size
... ... @@ -1,1 +1,1 @@
1 -26.9 KB
1 +90.8 KB
Content
mfa-recovery-codes-generated.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +38.5 KB
Content
mfa-trusted-devices.png
Author
... ... @@ -1,0 +1,1 @@
1 +XWiki.Admin
Size
... ... @@ -1,0 +1,1 @@
1 +59.1 KB
Content