Changes for page XWiki Two-Factor Authentication

Last modified by Agnease on 2026/06/24 16:39

Manage
- Copy
Actions
- Export
- Print Preview
Viewers
- Source
- Siblings
- Content
- Comments
- Attachments (13)
- History
- Information
- Likes

From 21.1 to 22.1 From 22.6 to 23.1

From version 22.1

edited by Agnease
on 2026/06/24 14:58

Change comment: Upload new image "mfa-recovery-codes-generated.png", version 1.1

To version 22.6

edited by Agnease
on 2026/06/24 15:24

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

@@ -2,60 +2,105 @@
  #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
  #set ($discard = $xwiki.ssx.use('products.WebHome'))
--#set ($mainCapabilityItems = [{
--  'title': 'Second verification step',
--  'icon': 'key',
--  'content': 'Add an additional verification screen after the normal XWiki username and password login.'
++#set ($businessValueItems = [{
++  'title': 'Reduce account compromise risk',
++  'icon': 'shield',
++  'content': 'Add a second verification step after password login to better protect private XWiki content and administrator accounts.'
  },{
--  'title': 'Authenticator app codes',
--  'icon': 'mobile',
--  'content': 'Let users verify access with time-based TOTP codes generated by authenticator applications.'
++  'title': 'Keep the standard XWiki experience',
++  'icon': 'sign-in',
++  'content': 'Extend the familiar XWiki login flow instead of replacing it with a completely different authentication experience.'
  },{
--  'title': 'Email verification codes',
--  'icon': 'envelope-o',
--  'content': 'Send one-time verification codes by email when this method is enabled or combined with app codes.'
++  'title': 'Support a controlled rollout',
++  'icon': 'tasks',
++  'content': 'Start with optional MFA, then require MFA for all users when the organization is ready.'
  }])
--#set ($adminExperienceItems = [{
--  'title': 'MFA policy',
++#set ($adminControlItems = [{
++  'title': 'Global MFA policy',
    'icon': 'cog',
--  'content': 'Make MFA optional or required for all users from the XWiki Administration section.'
++  'content': 'Administrators can decide whether MFA is optional or required for all users.'
  },{
--  'title': 'Recovery and trusted devices',
--  'icon': 'shield',
--  'content': 'Configure recovery-code count and trusted-device duration according to the organization security policy.'
++  'title': 'Recovery policy',
++  'icon': 'life-ring',
++  'content': 'Configure how many one-time recovery codes are generated for each user, or disable recovery codes if needed.'
  },{
--  'title': 'Administration overview',
++  'title': 'Trusted-device policy',
++  'icon': 'desktop',
++  'content': 'Configure how long a trusted browser remains valid, or disable trusted devices for stricter environments.'
++}])
++
++#set ($adminVisibilityItems = [{
++  'title': 'MFA adoption overview',
++  'icon': 'bar-chart',
++  'content': 'Review how many users are scanned, how many have MFA configured, and how many still need attention.'
++},{
++  'title': 'Filterable user table',
    'icon': 'table',
--  'content': 'Review MFA adoption across users with summary indicators and a filterable Live Data table.'
++  'content': 'Use the Live Data table to review configured users, recovery-code status and trusted-device usage.'
++},{
++  'title': 'Operational monitoring',
++  'icon': 'search',
++  'content': 'Identify accounts with missing recovery codes or trusted devices from the administration area.'
  }])
--#set ($userExperienceItems = [{
++#set ($userAdoptionItems = [{
    'title': 'Self-service setup',
    'icon': 'qrcode',
--  'content': 'Users configure MFA from their profile by scanning a QR code or entering the setup key manually.'
++  'content': 'Users can configure MFA by scanning a QR code with their authenticator application.'
  },{
--  'title': 'Familiar login flow',
--  'icon': 'sign-in',
--  'content': 'After the normal login, users enter the configured verification code before accessing XWiki.'
++  'title': 'Manual setup details',
++  'icon': 'keyboard-o',
++  'content': 'Users can also enter the account name and secret key manually if they cannot scan the QR code.'
  },{
--  'title': 'Profile management',
--  'icon': 'user',
--  'content': 'Users can review MFA status, manage recovery codes and remove trusted devices from their profile.'
++  'title': 'Enforced setup flow',
++  'icon': 'lock',
++  'content': 'When MFA is required, users are guided to complete setup before continuing.'
  }])
--#set ($recoveryItems = [{
--  'title': 'Recovery codes',
++#set ($loginProtectionItems = [{
++  'title': 'Second login step',
++  'icon': 'key',
++  'content': 'After the normal username and password login, users enter the verification code from their authenticator app.'
++},{
++  'title': 'Backup login option',
++  'icon': 'unlock-alt',
++  'content': 'If recovery codes are enabled, users can use a recovery code when they lose access to the authenticator app.'
++},{
++  'title': 'Trusted browser option',
++  'icon': 'desktop',
++  'content': 'Users can trust the current browser for the configured duration after successful verification.'
++}])
++
++#set ($continuityItems = [{
++  'title': 'One-time recovery codes',
    'icon': 'life-ring',
--  'content': 'Recovery codes provide backup access when a user loses access to the authenticator application.'
++  'content': 'Recovery codes help users regain access if they lose their authenticator device.'
  },{
--  'title': 'Trusted devices',
++  'icon': 'life-ring',
++  'content': 'Recovery codes help users regain access if they lose their authenticator device.'
++},{
++  'title': 'Codes shown once',
++  'icon': 'eye-slash',
++  'content': 'Recovery codes are displayed only once and each code can be used a single time.'
++},{
++  'title': 'Trusted-device management',
    'icon': 'desktop',
--  'content': 'Trusted browsers or devices can skip repeated MFA prompts for a configured period.'
++  'content': 'Users can review trusted devices, identify the current browser and remove devices they no longer use.'
++}])
++
++#set ($adminSupportItems = [{
++  'title': 'User MFA status',
++  'icon': 'user',
++  'content': 'Administrators can open a user profile and check whether MFA is configured for that account.'
  },{
--  'title': 'Administrator reset',
++  'title': 'Helpdesk recovery',
    'icon': 'refresh',
--  'content': 'Administrators can reset a user MFA setup when the user needs to restart the configuration process.'
++  'content': 'Administrators can reset MFA when a user loses access to the authenticator app or needs to restart setup.'
++},{
++  'title': 'Clean reset',
++  'icon': 'trash',
++  'content': 'Resetting MFA removes the authenticator setup, recovery codes and trusted devices for that user.'
  }])
  #set ($rolloutItems = [{
@@ -63,12 +63,12 @@
    'content': 'Test the extension with administrators or a small user group before enabling it widely.'
  },{
    'title': 'Define the MFA policy',
--  'content': 'Decide whether MFA should be optional, required for administrators, or required for all users.'
++  'content': 'Decide whether MFA should be optional at first or required for all users.'
  },{
    'title': 'Configure recovery options',
--  'content': 'Choose whether recovery codes and trusted devices should be enabled.'
++  'content': 'Choose the number of recovery codes and whether trusted devices should be allowed.'
  },{
--  'title': 'Inform users',
++  'title': 'Prepare user communication',
    'content': 'Explain how users configure MFA, save recovery codes and manage trusted devices.'
  },{
    'title': 'Monitor adoption',
@@ -87,8 +87,8 @@
      <h1 id="product-title">XWiki Two-Factor Authentication</h1>
      <p class="lead">
--      Protect XWiki logins with a second verification step using authenticator app codes,
--      email verification codes, or both.
++      Protect XWiki logins with authenticator app verification, recovery codes, trusted devices
++      and administrator visibility.
      </p>
      <div class="hero-actions">
@@ -102,18 +102,18 @@
    <div class="container">
      <div class="product-layout">
        <article class="product-summary-card">
--        <h2 id="overview-title">Two-factor authentication built into XWiki</h2>
++        <h2 id="overview-title">MFA protection built for XWiki</h2>
          <p>
--          XWiki Two-Factor Authentication adds MFA/2FA support to the standard XWiki login flow.
--          Users continue to sign in with their normal username and password, then confirm access with
--          an additional verification method.
++          XWiki Two-Factor Authentication adds a second verification step to the standard XWiki login flow.
++          Users continue to sign in with their normal username and password, then confirm access with a
++          time-based code generated by an authenticator application.
          </p>
          <p>
--          The extension supports authenticator app codes, email-delivered verification codes, or a combined
--          setup where both methods are required. It improves account protection without replacing the familiar
--          XWiki authentication experience.
++          The extension is designed for organizations that use XWiki to manage internal documentation,
++          procedures, knowledge bases, customer portals or other private collaboration spaces where
++          stronger account protection is needed.
          </p>
        </article>
@@ -121,12 +121,12 @@
          <h3 id="quick-facts-title">Quick facts</h3>
          <ul>
            <li>Works with the standard XWiki login flow</li>
--          <li>Supports TOTP authenticator applications</li>
--          <li>Supports email-delivered one-time codes</li>
--          <li>Can require app and email verification together</li>
--          <li>Includes recovery codes for backup access</li>
--          <li>Can remember trusted browsers or devices</li>
--          <li>Includes administration and user controls</li>
++          <li>Uses TOTP authenticator applications</li>
++          <li>Can require MFA for all users</li>
++          <li>Includes one-time recovery codes</li>
++          <li>Supports trusted browsers or devices</li>
++          <li>Includes user self-service controls</li>
++          <li>Includes administration monitoring</li>
          </ul>
        </aside>
      </div>
@@ -133,16 +133,16 @@
    </div>
  </section>
--<section aria-labelledby="capabilities-title">
++<section class="product-section-muted" aria-labelledby="business-value-title">
    <div class="container">
--    <h2 id="capabilities-title">Main capabilities</h2>
++    <h2 id="business-value-title">Business value</h2>
      <p class="section-intro">
--      A focused set of MFA/2FA features for stronger XWiki account protection without changing the standard login experience.
++      The extension helps organizations strengthen XWiki access protection without making login and account recovery unnecessarily complex.
      </p>
      <div class="product-feature-grid">
--      #foreach ($entry in $mainCapabilityItems)
++      #foreach ($entry in $businessValueItems)
          <article class="product-feature">
            <div class="card-heading">
              <div class="feature-icon">
@@ -158,48 +158,53 @@
    </div>
  </section>
--<section class="product-section-muted" aria-labelledby="security-title">
++<section aria-labelledby="admin-control-title">
    <div class="container">
--    <div class="product-layout">
--      <article class="product-summary-card">
--        <h2 id="security-title">Useful for XWiki security and access protection</h2>
++    <h2 id="admin-control-title">Administrator control</h2>
--        <p>
--          Many organizations need multi-factor authentication for internal tools, knowledge bases,
--          intranets, documentation platforms and systems containing operational or sensitive information.
--        </p>
++    <p class="section-intro">
++      Administrators configure the MFA policy directly from the XWiki Administration section, without editing configuration files for day-to-day policy changes.
++    </p>
--        <p>
--          For XWiki, adding two-factor authentication directly to the standard login flow helps protect
--          administrator accounts, remote users, private knowledge bases and customer or partner portals.
--        </p>
--      </article>
++    <div class="product-feature-grid">
++      #foreach ($entry in $adminControlItems)
++        <article class="product-feature">
++          <div class="card-heading">
++            <div class="feature-icon">
++              <i class="fa fa-$entry.icon" aria-hidden="true"></i>
++            </div>
++            <h3>$entry.title</h3>
++          </div>
--      <aside class="product-info-card" aria-labelledby="use-cases-title">
--        <h3 id="use-cases-title">Typical use cases</h3>
--        <ul>
--          <li>Administrator account protection</li>
--          <li>Internal knowledge base security</li>
--          <li>Private documentation platforms</li>
--          <li>Remote user access protection</li>
--          <li>Customer or partner portals</li>
--          <li>Security review and NIS 2 readiness initiatives</li>
--        </ul>
--      </aside>
++          <p>$entry.content</p>
++        </article>
++      #end
      </div>
++
++{{/html}}
++
++{{gallery}}
++[[image:mfa-admin-configuration.png]]
++{{/gallery}}
++
++{{html clean="false"}}
++
++    <p class="product-gallery-caption">
++      Administration configuration for requiring MFA, setting the authenticator issuer name, recovery-code count and trusted-device duration.
++    </p>
    </div>
  </section>
--<section aria-labelledby="admin-experience-title">
++<section class="product-section-muted" aria-labelledby="admin-visibility-title">
    <div class="container">
--    <h2 id="admin-experience-title">Administrator experience</h2>
++    <h2 id="admin-visibility-title">Administration overview and monitoring</h2>
      <p class="section-intro">
--      Administrators can configure the MFA policy, monitor adoption and reset user MFA setups when needed.
++      The administration overview helps teams understand MFA adoption and identify users who still need to complete setup or maintain recovery options.
      </p>
      <div class="product-feature-grid">
--      #foreach ($entry in $adminExperienceItems)
++      #foreach ($entry in $adminVisibilityItems)
          <article class="product-feature">
            <div class="card-heading">
              <div class="feature-icon">
@@ -216,7 +216,6 @@
  {{/html}}
  {{gallery}}
--[[image:mfa-admin-configuration.png]]
  [[image:mfa-admin-overview.png]]
  [[image:mfa-admin-full.png]]
  {{/gallery}}
@@ -224,21 +224,21 @@
  {{html clean="false"}}
      <p class="product-gallery-caption">
--      Administration screens for configuring MFA and reviewing MFA adoption across users.
++      MFA adoption indicators and a filterable user overview for administrators.
      </p>
    </div>
  </section>
--<section class="product-section-muted" aria-labelledby="user-experience-title">
++<section aria-labelledby="user-adoption-title">
    <div class="container">
--    <h2 id="user-experience-title">User experience</h2>
++    <h2 id="user-adoption-title">User setup and adoption</h2>
      <p class="section-intro">
--      Users can configure MFA from their profile and complete the second verification step during login.
++      Users can configure MFA themselves by scanning a QR code or entering the setup information manually in their authenticator application.
      </p>
      <div class="product-feature-grid">
--      #foreach ($entry in $userExperienceItems)
++      #foreach ($entry in $userAdoptionItems)
          <article class="product-feature">
            <div class="card-heading">
              <div class="feature-icon">
@@ -257,6 +257,42 @@
  {{gallery}}
  [[image:mfa-user-setup-qr.png]]
  [[image:mfa-login-verification-setup.png]]
++{{/gallery}}
++
++{{html clean="false"}}
++
++    <p class="product-gallery-caption">
++      Profile-based setup and enforced setup during login when MFA is required.
++    </p>
++  </div>
++</section>
++
++<section class="product-section-muted" aria-labelledby="login-protection-title">
++  <div class="container">
++    <h2 id="login-protection-title">Login protection</h2>
++
++    <p class="section-intro">
++      After MFA is configured, XWiki asks for a verification code after the normal username and password step.
++    </p>
++
++    <div class="product-feature-grid">
++      #foreach ($entry in $loginProtectionItems)
++        <article class="product-feature">
++          <div class="card-heading">
++            <div class="feature-icon">
++              <i class="fa fa-$entry.icon" aria-hidden="true"></i>
++            </div>
++            <h3>$entry.title</h3>
++          </div>
++
++          <p>$entry.content</p>
++        </article>
++      #end
++    </div>
++
++{{/html}}
++
++{{gallery}}
  [[image:mfa-login-verification-code.png]]
  {{/gallery}}
@@ -263,21 +263,21 @@
  {{html clean="false"}}
      <p class="product-gallery-caption">
--      User setup and login verification screens.
++      Verification screen displayed after the standard XWiki username and password login.
      </p>
    </div>
  </section>
--<section aria-labelledby="recovery-title">
++<section aria-labelledby="continuity-title">
    <div class="container">
--    <h2 id="recovery-title">Recovery codes and trusted devices</h2>
++    <h2 id="continuity-title">Recovery codes and trusted devices</h2>
      <p class="section-intro">
--      Recovery codes and trusted devices help balance stronger access protection with a smoother user experience.
++      Recovery codes and trusted devices help balance stronger access protection with practical day-to-day usability.
      </p>
      <div class="product-feature-grid">
--      #foreach ($entry in $recoveryItems)
++      #foreach ($entry in $continuityItems)
          <article class="product-feature">
            <div class="card-heading">
              <div class="feature-icon">
@@ -294,9 +294,47 @@
  {{/html}}
  {{gallery}}
--[[image:mfa-recovery-codes.png]]
++[[image:mfa-recovery-codes-not-generated.png]]
++[[image:mfa-recovery-codes-generated.png]]
  [[image:mfa-trusted-devices.png]]
  [[image:mfa-user-profile-overview.png]]
++[[image:mfa-user-profile-full.png]]
++{{/gallery}}
++
++{{html clean="false"}}
++
++    <p class="product-gallery-caption">
++      User profile screens for recovery-code generation, trusted-device review and MFA self-service management.
++    </p>
++  </div>
++</section>
++
++<section class="product-section-muted" aria-labelledby="admin-support-title">
++  <div class="container">
++    <h2 id="admin-support-title">Administrator support and user recovery</h2>
++
++    <p class="section-intro">
++      Administrators can help users recover from lost devices or restart MFA setup when needed.
++    </p>
++
++    <div class="product-feature-grid">
++      #foreach ($entry in $adminSupportItems)
++        <article class="product-feature">
++          <div class="card-heading">
++            <div class="feature-icon">
++              <i class="fa fa-$entry.icon" aria-hidden="true"></i>
++            </div>
++            <h3>$entry.title</h3>
++          </div>
++
++          <p>$entry.content</p>
++        </article>
++      #end
++    </div>
++
++{{/html}}
++
++{{gallery}}
  [[image:mfa-admin-user-management.png]]
  {{/gallery}}
@@ -303,12 +303,12 @@
  {{html clean="false"}}
      <p class="product-gallery-caption">
--      Recovery codes, trusted devices and user profile management.
++      Administrator view for checking and resetting a user MFA setup.
      </p>
    </div>
  </section>
--<section class="product-section-muted" aria-labelledby="rollout-title">
++<section aria-labelledby="rollout-title">
    <div class="container">
      <div class="product-layout">
        <article class="product-summary-card">