Wiki source code of XWiki Two-Factor Authentication

Version 22.6 by Agnease on 2026/06/24 15:24

Manage
- Copy
Actions
- Export
- Print Preview
Viewers
- Source
- Siblings
- Content
- Comments
- Attachments (12)
- History
- Information
- Likes

version	line-number	content
1.18	1	{{velocity}}
	2	#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
	3	#set ($discard = $xwiki.ssx.use('products.WebHome'))
10.1	4
22.6	5	#set ($businessValueItems = [{
	6	'title': 'Reduce account compromise risk',
	7	'icon': 'shield',
	8	'content': 'Add a second verification step after password login to better protect private XWiki content and administrator accounts.'
10.1	9	},{
22.6	10	'title': 'Keep the standard XWiki experience',
	11	'icon': 'sign-in',
	12	'content': 'Extend the familiar XWiki login flow instead of replacing it with a completely different authentication experience.'
10.1	13	},{
22.6	14	'title': 'Support a controlled rollout',
	15	'icon': 'tasks',
	16	'content': 'Start with optional MFA, then require MFA for all users when the organization is ready.'
10.1	17	}])
	18
22.6	19	#set ($adminControlItems = [{
	20	'title': 'Global MFA policy',
22.5	21	'icon': 'cog',
22.6	22	'content': 'Administrators can decide whether MFA is optional or required for all users.'
10.1	23	},{
22.6	24	'title': 'Recovery policy',
	25	'icon': 'life-ring',
	26	'content': 'Configure how many one-time recovery codes are generated for each user, or disable recovery codes if needed.'
10.1	27	},{
22.6	28	'title': 'Trusted-device policy',
	29	'icon': 'desktop',
	30	'content': 'Configure how long a trusted browser remains valid, or disable trusted devices for stricter environments.'
	31	}])
	32
	33	#set ($adminVisibilityItems = [{
	34	'title': 'MFA adoption overview',
	35	'icon': 'bar-chart',
	36	'content': 'Review how many users are scanned, how many have MFA configured, and how many still need attention.'
	37	},{
	38	'title': 'Filterable user table',
22.5	39	'icon': 'table',
22.6	40	'content': 'Use the Live Data table to review configured users, recovery-code status and trusted-device usage.'
	41	},{
	42	'title': 'Operational monitoring',
	43	'icon': 'search',
	44	'content': 'Identify accounts with missing recovery codes or trusted devices from the administration area.'
10.1	45	}])
	46
22.6	47	#set ($userAdoptionItems = [{
22.5	48	'title': 'Self-service setup',
	49	'icon': 'qrcode',
22.6	50	'content': 'Users can configure MFA by scanning a QR code with their authenticator application.'
10.1	51	},{
22.6	52	'title': 'Manual setup details',
	53	'icon': 'keyboard-o',
	54	'content': 'Users can also enter the account name and secret key manually if they cannot scan the QR code.'
10.1	55	},{
22.6	56	'title': 'Enforced setup flow',
	57	'icon': 'lock',
	58	'content': 'When MFA is required, users are guided to complete setup before continuing.'
	59	}])
	60
	61	#set ($loginProtectionItems = [{
	62	'title': 'Second login step',
	63	'icon': 'key',
	64	'content': 'After the normal username and password login, users enter the verification code from their authenticator app.'
	65	},{
	66	'title': 'Backup login option',
	67	'icon': 'unlock-alt',
	68	'content': 'If recovery codes are enabled, users can use a recovery code when they lose access to the authenticator app.'
	69	},{
22.5	70	'title': 'Trusted browser option',
	71	'icon': 'desktop',
	72	'content': 'Users can trust the current browser for the configured duration after successful verification.'
10.1	73	}])
	74
22.6	75	#set ($continuityItems = [{
	76	'title': 'One-time recovery codes',
22.5	77	'icon': 'life-ring',
22.6	78	'content': 'Recovery codes help users regain access if they lose their authenticator device.'
10.1	79	},{
22.6	80	'icon': 'life-ring',
	81	'content': 'Recovery codes help users regain access if they lose their authenticator device.'
	82	},{
	83	'title': 'Codes shown once',
	84	'icon': 'eye-slash',
	85	'content': 'Recovery codes are displayed only once and each code can be used a single time.'
	86	},{
	87	'title': 'Trusted-device management',
22.5	88	'icon': 'desktop',
22.6	89	'content': 'Users can review trusted devices, identify the current browser and remove devices they no longer use.'
10.1	90	}])
	91
22.3	92	#set ($adminSupportItems = [{
22.5	93	'title': 'User MFA status',
	94	'icon': 'user',
22.6	95	'content': 'Administrators can open a user profile and check whether MFA is configured for that account.'
22.3	96	},{
22.6	97	'title': 'Helpdesk recovery',
22.5	98	'icon': 'refresh',
22.6	99	'content': 'Administrators can reset MFA when a user loses access to the authenticator app or needs to restart setup.'
22.3	100	},{
22.6	101	'title': 'Clean reset',
	102	'icon': 'trash',
22.5	103	'content': 'Resetting MFA removes the authenticator setup, recovery codes and trusted devices for that user.'
22.3	104	}])
	105
10.1	106	#set ($rolloutItems = [{
22.5	107	'title': 'Start with a pilot group',
	108	'content': 'Test the extension with administrators or a small user group before enabling it widely.'
10.1	109	},{
22.5	110	'title': 'Define the MFA policy',
	111	'content': 'Decide whether MFA should be optional at first or required for all users.'
10.1	112	},{
22.5	113	'title': 'Configure recovery options',
	114	'content': 'Choose the number of recovery codes and whether trusted devices should be allowed.'
10.1	115	},{
22.6	116	'title': 'Prepare user communication',
22.5	117	'content': 'Explain how users configure MFA, save recovery codes and manage trusted devices.'
10.1	118	},{
22.5	119	'title': 'Monitor adoption',
	120	'content': 'Use the administration overview to identify users who still need to configure MFA.'
10.1	121	}])
	122
1.18	123	{{html clean="false"}}
1.2	124
10.1	125	<section class="hero hero-centered" aria-labelledby="product-title">
1.18	126	<div class="container hero-inner">
	127	<div class="hero-kicker">
1.2	128	<i class="fa fa-lock" aria-hidden="true"></i>
1.18	129	XWiki 2FA and MFA
1.2	130	</div>
	131
22.5	132	<h1 id="product-title">XWiki Two-Factor Authentication</h1>
1.2	133
22.5	134	<p class="lead">
22.6	135	Protect XWiki logins with authenticator app verification, recovery codes, trusted devices
	136	and administrator visibility.
22.5	137	</p>
1.2	138
22.5	139	<div class="hero-actions">
	140	<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Ask about this extension</a>
	141	<a class="btn btn-secondary" href="$xwiki.getURL('products.WebHome')">View all products</a>
	142	</div>
1.18	143	</div>
	144	</section>
	145
	146	<section aria-labelledby="overview-title">
	147	<div class="container">
	148	<div class="product-layout">
	149	<article class="product-summary-card">
22.6	150	<h2 id="overview-title">MFA protection built for XWiki</h2>
1.18	151
22.5	152	<p>
22.6	153	XWiki Two-Factor Authentication adds a second verification step to the standard XWiki login flow.
	154	Users continue to sign in with their normal username and password, then confirm access with a
	155	time-based code generated by an authenticator application.
22.5	156	</p>
1.18	157
22.5	158	<p>
22.6	159	The extension is designed for organizations that use XWiki to manage internal documentation,
	160	procedures, knowledge bases, customer portals or other private collaboration spaces where
	161	stronger account protection is needed.
22.5	162	</p>
	163	</article>
1.18	164
22.5	165	<aside class="product-info-card" aria-labelledby="quick-facts-title">
	166	<h3 id="quick-facts-title">Quick facts</h3>
	167	<ul>
	168	<li>Works with the standard XWiki login flow</li>
22.6	169	<li>Uses TOTP authenticator applications</li>
22.5	170	<li>Can require MFA for all users</li>
	171	<li>Includes one-time recovery codes</li>
22.6	172	<li>Supports trusted browsers or devices</li>
22.5	173	<li>Includes user self-service controls</li>
22.6	174	<li>Includes administration monitoring</li>
22.5	175	</ul>
	176	</aside>
	177	</div>
1.18	178	</div>
	179	</section>
	180
22.6	181	<section class="product-section-muted" aria-labelledby="business-value-title">
1.18	182	<div class="container">
22.6	183	<h2 id="business-value-title">Business value</h2>
1.18	184
22.5	185	<p class="section-intro">
22.6	186	The extension helps organizations strengthen XWiki access protection without making login and account recovery unnecessarily complex.
22.5	187	</p>
1.18	188
22.5	189	<div class="product-feature-grid">
22.6	190	#foreach ($entry in $businessValueItems)
22.5	191	<article class="product-feature">
	192	<div class="card-heading">
	193	<div class="feature-icon">
	194	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	195	</div>
	196	<h3>$entry.title</h3>
	197	</div>
6.7	198
22.5	199	<p>$entry.content</p>
	200	</article>
	201	#end
	202	</div>
10.1	203	</div>
	204	</section>
	205
22.6	206	<section aria-labelledby="admin-control-title">
10.1	207	<div class="container">
22.6	208	<h2 id="admin-control-title">Administrator control</h2>
10.1	209
22.6	210	<p class="section-intro">
	211	Administrators configure the MFA policy directly from the XWiki Administration section, without editing configuration files for day-to-day policy changes.
	212	</p>
1.18	213
22.6	214	<div class="product-feature-grid">
	215	#foreach ($entry in $adminControlItems)
	216	<article class="product-feature">
	217	<div class="card-heading">
	218	<div class="feature-icon">
	219	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	220	</div>
	221	<h3>$entry.title</h3>
	222	</div>
8.1	223
22.6	224	<p>$entry.content</p>
	225	</article>
	226	#end
22.5	227	</div>
22.6	228
	229	{{/html}}
	230
	231	{{gallery}}
	232	[[image:mfa-admin-configuration.png]]
	233	{{/gallery}}
	234
	235	{{html clean="false"}}
	236
	237	<p class="product-gallery-caption">
	238	Administration configuration for requiring MFA, setting the authenticator issuer name, recovery-code count and trusted-device duration.
	239	</p>
10.1	240	</div>
	241	</section>
	242
22.6	243	<section class="product-section-muted" aria-labelledby="admin-visibility-title">
10.1	244	<div class="container">
22.6	245	<h2 id="admin-visibility-title">Administration overview and monitoring</h2>
10.1	246
22.5	247	<p class="section-intro">
22.6	248	The administration overview helps teams understand MFA adoption and identify users who still need to complete setup or maintain recovery options.
22.5	249	</p>
10.1	250
22.5	251	<div class="product-feature-grid">
22.6	252	#foreach ($entry in $adminVisibilityItems)
22.5	253	<article class="product-feature">
	254	<div class="card-heading">
	255	<div class="feature-icon">
	256	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	257	</div>
	258	<h3>$entry.title</h3>
	259	</div>
1.18	260
22.5	261	<p>$entry.content</p>
	262	</article>
	263	#end
	264	</div>
10.1	265
	266	{{/html}}
	267
	268	{{gallery}}
	269	[[image:mfa-admin-overview.png]]
17.2	270	[[image:mfa-admin-full.png]]
10.1	271	{{/gallery}}
	272
	273	{{html clean="false"}}
	274
22.5	275	<p class="product-gallery-caption">
22.6	276	MFA adoption indicators and a filterable user overview for administrators.
22.5	277	</p>
7.2	278	</div>
	279	</section>
	280
22.6	281	<section aria-labelledby="user-adoption-title">
6.11	282	<div class="container">
22.6	283	<h2 id="user-adoption-title">User setup and adoption</h2>
10.1	284
22.5	285	<p class="section-intro">
22.6	286	Users can configure MFA themselves by scanning a QR code or entering the setup information manually in their authenticator application.
22.5	287	</p>
10.1	288
22.5	289	<div class="product-feature-grid">
22.6	290	#foreach ($entry in $userAdoptionItems)
22.5	291	<article class="product-feature">
	292	<div class="card-heading">
	293	<div class="feature-icon">
	294	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	295	</div>
	296	<h3>$entry.title</h3>
	297	</div>
10.1	298
22.5	299	<p>$entry.content</p>
	300	</article>
	301	#end
	302	</div>
10.1	303
	304	{{/html}}
	305
	306	{{gallery}}
	307	[[image:mfa-user-setup-qr.png]]
15.2	308	[[image:mfa-login-verification-setup.png]]
22.6	309	{{/gallery}}
	310
	311	{{html clean="false"}}
	312
	313	<p class="product-gallery-caption">
	314	Profile-based setup and enforced setup during login when MFA is required.
	315	</p>
	316	</div>
	317	</section>
	318
	319	<section class="product-section-muted" aria-labelledby="login-protection-title">
	320	<div class="container">
	321	<h2 id="login-protection-title">Login protection</h2>
	322
	323	<p class="section-intro">
	324	After MFA is configured, XWiki asks for a verification code after the normal username and password step.
	325	</p>
	326
	327	<div class="product-feature-grid">
	328	#foreach ($entry in $loginProtectionItems)
	329	<article class="product-feature">
	330	<div class="card-heading">
	331	<div class="feature-icon">
	332	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	333	</div>
	334	<h3>$entry.title</h3>
	335	</div>
	336
	337	<p>$entry.content</p>
	338	</article>
	339	#end
	340	</div>
	341
	342	{{/html}}
	343
	344	{{gallery}}
15.2	345	[[image:mfa-login-verification-code.png]]
10.1	346	{{/gallery}}
	347
	348	{{html clean="false"}}
	349
22.5	350	<p class="product-gallery-caption">
22.6	351	Verification screen displayed after the standard XWiki username and password login.
22.5	352	</p>
10.1	353	</div>
	354	</section>
	355
22.6	356	<section aria-labelledby="continuity-title">
10.1	357	<div class="container">
22.6	358	<h2 id="continuity-title">Recovery codes and trusted devices</h2>
10.1	359
22.5	360	<p class="section-intro">
22.6	361	Recovery codes and trusted devices help balance stronger access protection with practical day-to-day usability.
22.5	362	</p>
10.1	363
22.5	364	<div class="product-feature-grid">
22.6	365	#foreach ($entry in $continuityItems)
22.5	366	<article class="product-feature">
	367	<div class="card-heading">
	368	<div class="feature-icon">
	369	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	370	</div>
	371	<h3>$entry.title</h3>
	372	</div>
10.1	373
22.5	374	<p>$entry.content</p>
	375	</article>
	376	#end
	377	</div>
10.1	378
	379	{{/html}}
	380
	381	{{gallery}}
22.2	382	[[image:mfa-recovery-codes-not-generated.png]]
	383	[[image:mfa-recovery-codes-generated.png]]
10.1	384	[[image:mfa-trusted-devices.png]]
22.6	385	[[image:mfa-user-profile-overview.png]]
22.2	386	[[image:mfa-user-profile-full.png]]
10.1	387	{{/gallery}}
	388
	389	{{html clean="false"}}
	390
22.5	391	<p class="product-gallery-caption">
22.6	392	User profile screens for recovery-code generation, trusted-device review and MFA self-service management.
22.5	393	</p>
10.1	394	</div>
	395	</section>
	396
22.3	397	<section class="product-section-muted" aria-labelledby="admin-support-title">
10.1	398	<div class="container">
22.3	399	<h2 id="admin-support-title">Administrator support and user recovery</h2>
	400
22.5	401	<p class="section-intro">
	402	Administrators can help users recover from lost devices or restart MFA setup when needed.
	403	</p>
22.3	404
22.5	405	<div class="product-feature-grid">
	406	#foreach ($entry in $adminSupportItems)
	407	<article class="product-feature">
	408	<div class="card-heading">
	409	<div class="feature-icon">
	410	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	411	</div>
	412	<h3>$entry.title</h3>
	413	</div>
22.3	414
22.5	415	<p>$entry.content</p>
	416	</article>
	417	#end
	418	</div>
22.3	419
	420	{{/html}}
	421
	422	{{gallery}}
	423	[[image:mfa-admin-user-management.png]]
	424	{{/gallery}}
	425
	426	{{html clean="false"}}
	427
22.5	428	<p class="product-gallery-caption">
	429	Administrator view for checking and resetting a user MFA setup.
	430	</p>
22.3	431	</div>
	432	</section>
	433
	434	<section aria-labelledby="rollout-title">
	435	<div class="container">
8.1	436	<div class="product-layout">
	437	<article class="product-summary-card">
10.1	438	<h2 id="rollout-title">Rollout recommendations</h2>
6.11	439
22.5	440	<p>
	441	For a smooth rollout, start with a small administrator or pilot group before requiring MFA for everyone.
	442	This helps validate the configuration, prepare user communication and reduce support issues.
	443	</p>
6.11	444
22.5	445	<ol class="process-list">
	446	#foreach ($entry in $rolloutItems)
	447	<li>
	448	<strong>$entry.title</strong>
	449	$entry.content
	450	</li>
	451	#end
	452	</ol>
	453	</article>
6.11	454
22.5	455	<aside class="product-info-card" aria-labelledby="planning-title">
	456	<h3 id="planning-title">Useful information before installation</h3>
10.1	457
22.5	458	<p class="product-card-note">
	459	These details help evaluate compatibility, rollout scope and configuration options.
	460	</p>
8.1	461
22.5	462	<ul>
	463	<li>XWiki version</li>
	464	<li>Single wiki or wiki farm with subwikis</li>
	465	<li>Current authentication setup</li>
	466	<li>Optional or globally required MFA policy</li>
	467	<li>Trusted-device policy</li>
	468	<li>Recovery-code policy</li>
	469	<li>Rollout communication needs</li>
	470	</ul>
	471	</aside>
	472	</div>
7.2	473	</div>
	474	</section>
	475
1.18	476	<section class="cta-section" aria-labelledby="cta-title">
	477	<div class="container">
	478	<div class="cta-panel">
	479	<h2 id="cta-title">Interested in using this extension?</h2>
10.1	480
22.5	481	<p>
	482	Send a short message with your XWiki version, current authentication setup and MFA rollout goal.
	483	</p>
10.1	484
22.5	485	<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Contact Agnease</a>
	486	</div>
1.18	487	</div>
	488	</section>
	489
	490	{{/html}}
	491	{{/velocity}}