Changes for page XWiki Two-Factor Authentication

Last modified by Agnease on 2026/06/24 16:39

Manage
- Copy
Actions
- Export
- Print Preview
Viewers
- Source
- Siblings
- Content
- Comments
- Attachments (13)
- History
- Information
- Likes

From 22.2 to 22.1 From 29.1 to 28.1

From version 28.1

edited by Agnease
on 2026/06/24 16:39

Change comment: Deleted image "1-linkedin-2fa-authenticator.png"

To version 22.2

edited by Agnease
on 2026/06/24 14:58

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)
Attachments (1 modified, 0 added, 0 removed)
- mfa-admin-user-management.png

Details

Page properties

Content

@@ -1,5 +1,6 @@
  {{velocity}}
  #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
++#set ($discard = $xwiki.ssx.use('products.WebHome'))
  #set ($mainCapabilityItems = [{
    'title': 'Second verification step',
@@ -10,40 +10,40 @@
    'icon': 'mobile',
    'content': 'Let users verify access with time-based TOTP codes generated by authenticator applications.'
  },{
--  'title': 'Recovery and trusted devices',
--  'icon': 'shield',
--  'content': 'Provide backup access with recovery codes and reduce repeated prompts on trusted browsers.'
++  'title': 'Email verification codes',
++  'icon': 'envelope-o',
++  'content': 'Send one-time verification codes by email when this method is enabled or combined with app codes.'
  }])
  #set ($adminExperienceItems = [{
--  'title': 'Rollout policy',
++  'title': 'MFA policy',
    'icon': 'cog',
--  'content': 'Make additional verification optional at first or required for all users from the XWiki Administration section.'
++  'content': 'Make MFA optional or required for all users from the XWiki Administration section.'
  },{
--  'title': 'Configuration options',
--  'icon': 'sliders',
--  'content': 'Set the authenticator issuer name, recovery-code count and trusted-device duration.'
++  'title': 'Recovery and trusted devices',
++  'icon': 'shield',
++  'content': 'Configure recovery-code count and trusted-device duration according to the organization security policy.'
  },{
    'title': 'Administration overview',
    'icon': 'table',
--  'content': 'Review adoption with summary indicators and a filterable Live Data table.'
++  'content': 'Review MFA adoption across users with summary indicators and a filterable Live Data table.'
  }])
  #set ($userExperienceItems = [{
    'title': 'Self-service setup',
    'icon': 'qrcode',
--  'content': 'Users configure the second verification step from their profile by scanning a QR code or entering the setup key manually.'
++  'content': 'Users configure MFA from their profile by scanning a QR code or entering the setup key manually.'
  },{
--  'title': 'Login verification',
++  'title': 'Familiar login flow',
    'icon': 'sign-in',
--  'content': 'After the normal login, users enter the verification code generated by their authenticator app.'
++  'content': 'After the normal login, users enter the configured verification code before accessing XWiki.'
  },{
--  'title': 'Trusted browser option',
--  'icon': 'desktop',
--  'content': 'Users can trust the current browser for the configured duration after successful verification.'
++  'title': 'Profile management',
++  'icon': 'user',
++  'content': 'Users can review MFA status, manage recovery codes and remove trusted devices from their profile.'
  }])
--#set ($selfServiceItems = [{
++#set ($recoveryItems = [{
    'title': 'Recovery codes',
    'icon': 'life-ring',
    'content': 'Recovery codes provide backup access when a user loses access to the authenticator application.'
@@ -50,25 +50,11 @@
  },{
    'title': 'Trusted devices',
    'icon': 'desktop',
--  'content': 'Trusted devices can be reviewed and removed from the user profile.'
++  'content': 'Trusted browsers or devices can skip repeated MFA prompts for a configured period.'
  },{
--  'title': 'Profile management',
--  'icon': 'user',
--  'content': 'Users can review status, generate recovery codes, manage trusted devices and reset their setup.'
--}])
--
--#set ($adminSupportItems = [{
--  'title': 'User status',
--  'icon': 'user',
--  'content': 'Administrators can open a user profile and check the verification status for that account.'
--},{
--  'title': 'Setup reset',
++  'title': 'Administrator reset',
    'icon': 'refresh',
--  'content': 'Administrators can reset the setup when a user needs to restart the configuration process.'
--},{
--  'title': 'Controlled recovery',
--  'icon': 'unlock-alt',
--  'content': 'Resetting the setup removes the authenticator configuration, recovery codes and trusted devices for that user.'
++  'content': 'Administrators can reset a user MFA setup when the user needs to restart the configuration process.'
  }])
  #set ($rolloutItems = [{
@@ -75,17 +75,17 @@
    'title': 'Start with a pilot group',
    'content': 'Test the extension with administrators or a small user group before enabling it widely.'
  },{
--  'title': 'Define the rollout policy',
--  'content': 'Decide whether additional verification should be optional at first or required for all users.'
++  'title': 'Define the MFA policy',
++  'content': 'Decide whether MFA should be optional, required for administrators, or required for all users.'
  },{
    'title': 'Configure recovery options',
--  'content': 'Choose the number of recovery codes and whether trusted devices should be allowed.'
++  'content': 'Choose whether recovery codes and trusted devices should be enabled.'
  },{
    'title': 'Inform users',
--  'content': 'Explain how users configure the authenticator app, save recovery codes and manage trusted devices.'
++  'content': 'Explain how users configure MFA, save recovery codes and manage trusted devices.'
  },{
    'title': 'Monitor adoption',
--  'content': 'Use the administration overview to identify users who still need to configure protection.'
++  'content': 'Use the administration overview to identify users who still need to configure MFA.'
  }])
  {{html clean="false"}}
@@ -94,14 +94,14 @@
    <div class="container hero-inner">
      <div class="hero-kicker">
        <i class="fa fa-lock" aria-hidden="true"></i>
--      XWiki 2FA with MFA rollout support
++      XWiki 2FA and MFA
      </div>
      <h1 id="product-title">XWiki Two-Factor Authentication</h1>
      <p class="lead">
--      Protect XWiki logins with authenticator app verification, recovery codes,
--      trusted devices and administration controls for a safer rollout.
++      Protect XWiki logins with a second verification step using authenticator app codes,
++      email verification codes, or both.
      </p>
      <div class="hero-actions">
@@ -118,15 +118,15 @@
          <h2 id="overview-title">Two-factor authentication built into XWiki</h2>
          <p>
--          XWiki Two-Factor Authentication adds an additional verification step to the standard
--          XWiki login flow. Users continue to sign in with their normal username and password,
--          then confirm access with a time-based code from an authenticator application.
++          XWiki Two-Factor Authentication adds MFA/2FA support to the standard XWiki login flow.
++          Users continue to sign in with their normal username and password, then confirm access with
++          an additional verification method.
          </p>
          <p>
--          The application has evolved beyond a simple login-code screen. It supports global
--          enforcement, recovery codes, trusted devices, user self-service, administrator
--          reset actions and an overview for monitoring adoption.
++          The extension supports authenticator app codes, email-delivered verification codes, or a combined
++          setup where both methods are required. It improves account protection without replacing the familiar
++          XWiki authentication experience.
          </p>
        </article>
@@ -135,11 +135,11 @@
          <ul>
            <li>Works with the standard XWiki login flow</li>
            <li>Supports TOTP authenticator applications</li>
--          <li>Can require additional verification for all users</li>
--          <li>Includes one-time recovery codes</li>
++          <li>Supports email-delivered one-time codes</li>
++          <li>Can require app and email verification together</li>
++          <li>Includes recovery codes for backup access</li>
            <li>Can remember trusted browsers or devices</li>
--          <li>Includes user self-service controls</li>
--          <li>Includes an administration overview</li>
++          <li>Includes administration and user controls</li>
          </ul>
        </aside>
      </div>
@@ -151,8 +151,7 @@
      <h2 id="capabilities-title">Main capabilities</h2>
      <p class="section-intro">
--      A focused set of authentication protection features for stronger XWiki account security
--      without replacing the familiar login experience.
++      A focused set of MFA/2FA features for stronger XWiki account protection without changing the standard login experience.
      </p>
      <div class="product-feature-grid">
@@ -179,14 +179,13 @@
          <h2 id="security-title">Useful for XWiki security and access protection</h2>
          <p>
--          Many organizations use XWiki to store internal documentation, procedures, operational
--          knowledge and business-critical information. Adding an additional authentication factor helps
--          reduce the risk of account compromise when a password is exposed or reused.
++          Many organizations need multi-factor authentication for internal tools, knowledge bases,
++          intranets, documentation platforms and systems containing operational or sensitive information.
          </p>
          <p>
--          The extension is especially useful for protecting administrator accounts, remote users,
--          private knowledge bases and customer or partner portals.
++          For XWiki, adding two-factor authentication directly to the standard login flow helps protect
++          administrator accounts, remote users, private knowledge bases and customer or partner portals.
          </p>
        </article>
@@ -198,7 +198,7 @@
            <li>Private documentation platforms</li>
            <li>Remote user access protection</li>
            <li>Customer or partner portals</li>
--          <li>Security review, MFA rollout and compliance readiness</li>
++          <li>Security review and NIS 2 readiness initiatives</li>
          </ul>
        </aside>
      </div>
@@ -207,11 +207,10 @@
  <section aria-labelledby="admin-experience-title">
    <div class="container">
--    <h2 id="admin-experience-title">Administrator configuration and monitoring</h2>
++    <h2 id="admin-experience-title">Administrator experience</h2>
      <p class="section-intro">
--      Administrators can configure the policy, define recovery options and monitor adoption
--      from the XWiki Administration section.
++      Administrators can configure the MFA policy, monitor adoption and reset user MFA setups when needed.
      </p>
      <div class="product-feature-grid">
@@ -240,7 +240,7 @@
  {{html clean="false"}}
      <p class="product-gallery-caption">
--      Administration screens for configuring the policy and reviewing adoption across users.
++      Administration screens for configuring MFA and reviewing MFA adoption across users.
      </p>
    </div>
  </section>
@@ -247,11 +247,10 @@
  <section class="product-section-muted" aria-labelledby="user-experience-title">
    <div class="container">
--    <h2 id="user-experience-title">User setup and login verification</h2>
++    <h2 id="user-experience-title">User experience</h2>
      <p class="section-intro">
--      Users can configure the authenticator app from their profile or during the enforced setup flow,
--      then verify future logins with a generated code.
++      Users can configure MFA from their profile and complete the second verification step during login.
      </p>
      <div class="product-feature-grid">
@@ -280,14 +280,14 @@
  {{html clean="false"}}
      <p class="product-gallery-caption">
--      User setup, enforced configuration and login verification screens.
++      User setup and login verification screens.
      </p>
    </div>
  </section>
--<section aria-labelledby="self-service-title">
++<section aria-labelledby="recovery-title">
    <div class="container">
--    <h2 id="self-service-title">Recovery codes and trusted devices</h2>
++    <h2 id="recovery-title">Recovery codes and trusted devices</h2>
      <p class="section-intro">
        Recovery codes and trusted devices help balance stronger access protection with a smoother user experience.
@@ -294,7 +294,7 @@
      </p>
      <div class="product-feature-grid">
--      #foreach ($entry in $selfServiceItems)
++      #foreach ($entry in $recoveryItems)
          <article class="product-feature">
            <div class="card-heading">
              <div class="feature-icon">
@@ -311,10 +311,10 @@
  {{/html}}
  {{gallery}}
--[[image:mfa-user-profile-overview.png]]
  [[image:mfa-recovery-codes-not-generated.png]]
  [[image:mfa-recovery-codes-generated.png]]
  [[image:mfa-trusted-devices.png]]
++[[image:mfa-admin-user-management.png]]
  [[image:mfa-user-profile-full.png]]
  {{/gallery}}
@@ -321,118 +321,11 @@
  {{html clean="false"}}
      <p class="product-gallery-caption">
--      User profile screens for recovery codes, trusted devices and self-service management.
++      Recovery codes, trusted devices and user profile management.
      </p>
    </div>
  </section>
--<section class="product-section-muted" aria-labelledby="admin-support-title">
--  <div class="container">
--    <h2 id="admin-support-title">Administrator support and user recovery</h2>
--
--    <p class="section-intro">
--      Administrators can help users recover from lost devices or restart setup when needed.
--    </p>
--
--    <div class="product-feature-grid">
--      #foreach ($entry in $adminSupportItems)
--        <article class="product-feature">
--          <div class="card-heading">
--            <div class="feature-icon">
--              <i class="fa fa-$entry.icon" aria-hidden="true"></i>
--            </div>
--            <h3>$entry.title</h3>
--          </div>
--
--          <p>$entry.content</p>
--        </article>
--      #end
--    </div>
--
--{{/html}}
--
--{{gallery}}
--[[image:mfa-admin-user-management.png]]
--{{/gallery}}
--
--{{html clean="false"}}
--
--    <p class="product-gallery-caption">
--      Administrator view for checking and resetting a user setup.
--    </p>
--  </div>
--</section>
--
--<section aria-labelledby="faq-title">
--  <div class="container">
--    <h2 id="faq-title">Frequently asked questions</h2>
--
--    <p class="section-intro">
--      Common questions about how the extension works, how users configure it and how administrators can manage rollout and recovery.
--    </p>
--
--    <div class="resource-content">
--      <details class="resource-faq-item">
--        <summary>Does this extension replace the standard XWiki login?</summary>
--        <p>
--          No. Users still sign in with their normal XWiki username and password. The extension adds
--          an additional verification step after the standard login check.
--        </p>
--      </details>
--
--      <details class="resource-faq-item">
--        <summary>Which verification method is used?</summary>
--        <p>
--          Users verify access with time-based codes generated by an authenticator application.
--          The setup page provides a QR code and a manual setup key.
--        </p>
--      </details>
--
--      <details class="resource-faq-item">
--        <summary>Can the second verification step be required for all users?</summary>
--        <p>
--          Yes. Administrators can make the verification step optional or required for all users
--          from the XWiki Administration section.
--        </p>
--      </details>
--
--      <details class="resource-faq-item">
--        <summary>What happens if a user loses access to the authenticator app?</summary>
--        <p>
--          Recovery codes can provide backup access when enabled. Administrators can also reset
--          the user setup so the configuration process can be restarted.
--        </p>
--      </details>
--
--      <details class="resource-faq-item">
--        <summary>Can trusted browsers or devices be disabled?</summary>
--        <p>
--          Yes. Administrators can configure how long trusted devices remain valid. Setting the
--          trusted-device duration to 0 disables this option.
--        </p>
--      </details>
--
--      <details class="resource-faq-item">
--        <summary>Is this only a basic 2FA login-code screen?</summary>
--        <p>
--          No. The main login mechanism is two-factor authentication, but the application also includes
--          features needed for a safer organization-wide rollout: enforcement policy, recovery codes,
--          trusted devices, user self-service, administrator monitoring and administrator reset actions.
--        </p>
--      </details>
--
--      <details class="resource-faq-item">
--        <summary>Is this enough for compliance on its own?</summary>
--        <p>
--          No. This extension provides an important access-protection control, but it should be part
--          of a broader security and compliance approach that includes permissions, upgrades,
--          infrastructure, monitoring and operational procedures.
--        </p>
--      </details>
--    </div>
--  </div>
--</section>
--
  <section class="product-section-muted" aria-labelledby="rollout-title">
    <div class="container">
      <div class="product-layout">
@@ -440,9 +440,8 @@
          <h2 id="rollout-title">Rollout recommendations</h2>
          <p>
--          For a smooth rollout, start with a small administrator or pilot group before requiring
--          the additional verification step for everyone. This helps validate the configuration,
--          prepare user communication and reduce support issues.
++          For a smooth rollout, start with a small administrator or pilot group before requiring MFA for everyone.
++          This helps validate the configuration, prepare user communication and reduce support issues.
          </p>
          <ol class="process-list">
@@ -466,7 +466,7 @@
            <li>XWiki version</li>
            <li>Single wiki or wiki farm with subwikis</li>
            <li>Current authentication setup</li>
--          <li>Optional or required rollout policy</li>
++          <li>Optional or globally required MFA policy</li>
            <li>Trusted-device policy</li>
            <li>Recovery-code policy</li>
            <li>Rollout communication needs</li>
@@ -482,7 +482,7 @@
        <h2 id="cta-title">Interested in using this extension?</h2>
        <p>
--        Send a short message with your XWiki version, current authentication setup and rollout goal.
++        Send a short message with your XWiki version, current authentication setup and MFA rollout goal.
        </p>
        <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Contact Agnease</a>

mfa-admin-user-management.png

Size

@@ -1,1 +1,1 @@
--90.8 KB
++26.9 KB

Content