Skip to Content
Version 22.6 by Agnease on 2026/06/24 15:24
Show last authors
1 {{velocity}}
2 #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 #set ($discard = $xwiki.ssx.use('products.WebHome'))
4
5 #set ($businessValueItems = [{
6 'title': 'Reduce account compromise risk',
7 'icon': 'shield',
8 'content': 'Add a second verification step after password login to better protect private XWiki content and administrator accounts.'
9 },{
10 'title': 'Keep the standard XWiki experience',
11 'icon': 'sign-in',
12 'content': 'Extend the familiar XWiki login flow instead of replacing it with a completely different authentication experience.'
13 },{
14 'title': 'Support a controlled rollout',
15 'icon': 'tasks',
16 'content': 'Start with optional MFA, then require MFA for all users when the organization is ready.'
17 }])
18
19 #set ($adminControlItems = [{
20 'title': 'Global MFA policy',
21 'icon': 'cog',
22 'content': 'Administrators can decide whether MFA is optional or required for all users.'
23 },{
24 'title': 'Recovery policy',
25 'icon': 'life-ring',
26 'content': 'Configure how many one-time recovery codes are generated for each user, or disable recovery codes if needed.'
27 },{
28 'title': 'Trusted-device policy',
29 'icon': 'desktop',
30 'content': 'Configure how long a trusted browser remains valid, or disable trusted devices for stricter environments.'
31 }])
32
33 #set ($adminVisibilityItems = [{
34 'title': 'MFA adoption overview',
35 'icon': 'bar-chart',
36 'content': 'Review how many users are scanned, how many have MFA configured, and how many still need attention.'
37 },{
38 'title': 'Filterable user table',
39 'icon': 'table',
40 'content': 'Use the Live Data table to review configured users, recovery-code status and trusted-device usage.'
41 },{
42 'title': 'Operational monitoring',
43 'icon': 'search',
44 'content': 'Identify accounts with missing recovery codes or trusted devices from the administration area.'
45 }])
46
47 #set ($userAdoptionItems = [{
48 'title': 'Self-service setup',
49 'icon': 'qrcode',
50 'content': 'Users can configure MFA by scanning a QR code with their authenticator application.'
51 },{
52 'title': 'Manual setup details',
53 'icon': 'keyboard-o',
54 'content': 'Users can also enter the account name and secret key manually if they cannot scan the QR code.'
55 },{
56 'title': 'Enforced setup flow',
57 'icon': 'lock',
58 'content': 'When MFA is required, users are guided to complete setup before continuing.'
59 }])
60
61 #set ($loginProtectionItems = [{
62 'title': 'Second login step',
63 'icon': 'key',
64 'content': 'After the normal username and password login, users enter the verification code from their authenticator app.'
65 },{
66 'title': 'Backup login option',
67 'icon': 'unlock-alt',
68 'content': 'If recovery codes are enabled, users can use a recovery code when they lose access to the authenticator app.'
69 },{
70 'title': 'Trusted browser option',
71 'icon': 'desktop',
72 'content': 'Users can trust the current browser for the configured duration after successful verification.'
73 }])
74
75 #set ($continuityItems = [{
76 'title': 'One-time recovery codes',
77 'icon': 'life-ring',
78 'content': 'Recovery codes help users regain access if they lose their authenticator device.'
79 },{
80 'icon': 'life-ring',
81 'content': 'Recovery codes help users regain access if they lose their authenticator device.'
82 },{
83 'title': 'Codes shown once',
84 'icon': 'eye-slash',
85 'content': 'Recovery codes are displayed only once and each code can be used a single time.'
86 },{
87 'title': 'Trusted-device management',
88 'icon': 'desktop',
89 'content': 'Users can review trusted devices, identify the current browser and remove devices they no longer use.'
90 }])
91
92 #set ($adminSupportItems = [{
93 'title': 'User MFA status',
94 'icon': 'user',
95 'content': 'Administrators can open a user profile and check whether MFA is configured for that account.'
96 },{
97 'title': 'Helpdesk recovery',
98 'icon': 'refresh',
99 'content': 'Administrators can reset MFA when a user loses access to the authenticator app or needs to restart setup.'
100 },{
101 'title': 'Clean reset',
102 'icon': 'trash',
103 'content': 'Resetting MFA removes the authenticator setup, recovery codes and trusted devices for that user.'
104 }])
105
106 #set ($rolloutItems = [{
107 'title': 'Start with a pilot group',
108 'content': 'Test the extension with administrators or a small user group before enabling it widely.'
109 },{
110 'title': 'Define the MFA policy',
111 'content': 'Decide whether MFA should be optional at first or required for all users.'
112 },{
113 'title': 'Configure recovery options',
114 'content': 'Choose the number of recovery codes and whether trusted devices should be allowed.'
115 },{
116 'title': 'Prepare user communication',
117 'content': 'Explain how users configure MFA, save recovery codes and manage trusted devices.'
118 },{
119 'title': 'Monitor adoption',
120 'content': 'Use the administration overview to identify users who still need to configure MFA.'
121 }])
122
123 {{html clean="false"}}
124
125 <section class="hero hero-centered" aria-labelledby="product-title">
126 <div class="container hero-inner">
127 <div class="hero-kicker">
128 <i class="fa fa-lock" aria-hidden="true"></i>
129 XWiki 2FA and MFA
130 </div>
131
132 <h1 id="product-title">XWiki Two-Factor Authentication</h1>
133
134 <p class="lead">
135 Protect XWiki logins with authenticator app verification, recovery codes, trusted devices
136 and administrator visibility.
137 </p>
138
139 <div class="hero-actions">
140 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Ask about this extension</a>
141 <a class="btn btn-secondary" href="$xwiki.getURL('products.WebHome')">View all products</a>
142 </div>
143 </div>
144 </section>
145
146 <section aria-labelledby="overview-title">
147 <div class="container">
148 <div class="product-layout">
149 <article class="product-summary-card">
150 <h2 id="overview-title">MFA protection built for XWiki</h2>
151
152 <p>
153 XWiki Two-Factor Authentication adds a second verification step to the standard XWiki login flow.
154 Users continue to sign in with their normal username and password, then confirm access with a
155 time-based code generated by an authenticator application.
156 </p>
157
158 <p>
159 The extension is designed for organizations that use XWiki to manage internal documentation,
160 procedures, knowledge bases, customer portals or other private collaboration spaces where
161 stronger account protection is needed.
162 </p>
163 </article>
164
165 <aside class="product-info-card" aria-labelledby="quick-facts-title">
166 <h3 id="quick-facts-title">Quick facts</h3>
167 <ul>
168 <li>Works with the standard XWiki login flow</li>
169 <li>Uses TOTP authenticator applications</li>
170 <li>Can require MFA for all users</li>
171 <li>Includes one-time recovery codes</li>
172 <li>Supports trusted browsers or devices</li>
173 <li>Includes user self-service controls</li>
174 <li>Includes administration monitoring</li>
175 </ul>
176 </aside>
177 </div>
178 </div>
179 </section>
180
181 <section class="product-section-muted" aria-labelledby="business-value-title">
182 <div class="container">
183 <h2 id="business-value-title">Business value</h2>
184
185 <p class="section-intro">
186 The extension helps organizations strengthen XWiki access protection without making login and account recovery unnecessarily complex.
187 </p>
188
189 <div class="product-feature-grid">
190 #foreach ($entry in $businessValueItems)
191 <article class="product-feature">
192 <div class="card-heading">
193 <div class="feature-icon">
194 <i class="fa fa-$entry.icon" aria-hidden="true"></i>
195 </div>
196 <h3>$entry.title</h3>
197 </div>
198
199 <p>$entry.content</p>
200 </article>
201 #end
202 </div>
203 </div>
204 </section>
205
206 <section aria-labelledby="admin-control-title">
207 <div class="container">
208 <h2 id="admin-control-title">Administrator control</h2>
209
210 <p class="section-intro">
211 Administrators configure the MFA policy directly from the XWiki Administration section, without editing configuration files for day-to-day policy changes.
212 </p>
213
214 <div class="product-feature-grid">
215 #foreach ($entry in $adminControlItems)
216 <article class="product-feature">
217 <div class="card-heading">
218 <div class="feature-icon">
219 <i class="fa fa-$entry.icon" aria-hidden="true"></i>
220 </div>
221 <h3>$entry.title</h3>
222 </div>
223
224 <p>$entry.content</p>
225 </article>
226 #end
227 </div>
228
229 {{/html}}
230
231 {{gallery}}
232 [[image:mfa-admin-configuration.png]]
233 {{/gallery}}
234
235 {{html clean="false"}}
236
237 <p class="product-gallery-caption">
238 Administration configuration for requiring MFA, setting the authenticator issuer name, recovery-code count and trusted-device duration.
239 </p>
240 </div>
241 </section>
242
243 <section class="product-section-muted" aria-labelledby="admin-visibility-title">
244 <div class="container">
245 <h2 id="admin-visibility-title">Administration overview and monitoring</h2>
246
247 <p class="section-intro">
248 The administration overview helps teams understand MFA adoption and identify users who still need to complete setup or maintain recovery options.
249 </p>
250
251 <div class="product-feature-grid">
252 #foreach ($entry in $adminVisibilityItems)
253 <article class="product-feature">
254 <div class="card-heading">
255 <div class="feature-icon">
256 <i class="fa fa-$entry.icon" aria-hidden="true"></i>
257 </div>
258 <h3>$entry.title</h3>
259 </div>
260
261 <p>$entry.content</p>
262 </article>
263 #end
264 </div>
265
266 {{/html}}
267
268 {{gallery}}
269 [[image:mfa-admin-overview.png]]
270 [[image:mfa-admin-full.png]]
271 {{/gallery}}
272
273 {{html clean="false"}}
274
275 <p class="product-gallery-caption">
276 MFA adoption indicators and a filterable user overview for administrators.
277 </p>
278 </div>
279 </section>
280
281 <section aria-labelledby="user-adoption-title">
282 <div class="container">
283 <h2 id="user-adoption-title">User setup and adoption</h2>
284
285 <p class="section-intro">
286 Users can configure MFA themselves by scanning a QR code or entering the setup information manually in their authenticator application.
287 </p>
288
289 <div class="product-feature-grid">
290 #foreach ($entry in $userAdoptionItems)
291 <article class="product-feature">
292 <div class="card-heading">
293 <div class="feature-icon">
294 <i class="fa fa-$entry.icon" aria-hidden="true"></i>
295 </div>
296 <h3>$entry.title</h3>
297 </div>
298
299 <p>$entry.content</p>
300 </article>
301 #end
302 </div>
303
304 {{/html}}
305
306 {{gallery}}
307 [[image:mfa-user-setup-qr.png]]
308 [[image:mfa-login-verification-setup.png]]
309 {{/gallery}}
310
311 {{html clean="false"}}
312
313 <p class="product-gallery-caption">
314 Profile-based setup and enforced setup during login when MFA is required.
315 </p>
316 </div>
317 </section>
318
319 <section class="product-section-muted" aria-labelledby="login-protection-title">
320 <div class="container">
321 <h2 id="login-protection-title">Login protection</h2>
322
323 <p class="section-intro">
324 After MFA is configured, XWiki asks for a verification code after the normal username and password step.
325 </p>
326
327 <div class="product-feature-grid">
328 #foreach ($entry in $loginProtectionItems)
329 <article class="product-feature">
330 <div class="card-heading">
331 <div class="feature-icon">
332 <i class="fa fa-$entry.icon" aria-hidden="true"></i>
333 </div>
334 <h3>$entry.title</h3>
335 </div>
336
337 <p>$entry.content</p>
338 </article>
339 #end
340 </div>
341
342 {{/html}}
343
344 {{gallery}}
345 [[image:mfa-login-verification-code.png]]
346 {{/gallery}}
347
348 {{html clean="false"}}
349
350 <p class="product-gallery-caption">
351 Verification screen displayed after the standard XWiki username and password login.
352 </p>
353 </div>
354 </section>
355
356 <section aria-labelledby="continuity-title">
357 <div class="container">
358 <h2 id="continuity-title">Recovery codes and trusted devices</h2>
359
360 <p class="section-intro">
361 Recovery codes and trusted devices help balance stronger access protection with practical day-to-day usability.
362 </p>
363
364 <div class="product-feature-grid">
365 #foreach ($entry in $continuityItems)
366 <article class="product-feature">
367 <div class="card-heading">
368 <div class="feature-icon">
369 <i class="fa fa-$entry.icon" aria-hidden="true"></i>
370 </div>
371 <h3>$entry.title</h3>
372 </div>
373
374 <p>$entry.content</p>
375 </article>
376 #end
377 </div>
378
379 {{/html}}
380
381 {{gallery}}
382 [[image:mfa-recovery-codes-not-generated.png]]
383 [[image:mfa-recovery-codes-generated.png]]
384 [[image:mfa-trusted-devices.png]]
385 [[image:mfa-user-profile-overview.png]]
386 [[image:mfa-user-profile-full.png]]
387 {{/gallery}}
388
389 {{html clean="false"}}
390
391 <p class="product-gallery-caption">
392 User profile screens for recovery-code generation, trusted-device review and MFA self-service management.
393 </p>
394 </div>
395 </section>
396
397 <section class="product-section-muted" aria-labelledby="admin-support-title">
398 <div class="container">
399 <h2 id="admin-support-title">Administrator support and user recovery</h2>
400
401 <p class="section-intro">
402 Administrators can help users recover from lost devices or restart MFA setup when needed.
403 </p>
404
405 <div class="product-feature-grid">
406 #foreach ($entry in $adminSupportItems)
407 <article class="product-feature">
408 <div class="card-heading">
409 <div class="feature-icon">
410 <i class="fa fa-$entry.icon" aria-hidden="true"></i>
411 </div>
412 <h3>$entry.title</h3>
413 </div>
414
415 <p>$entry.content</p>
416 </article>
417 #end
418 </div>
419
420 {{/html}}
421
422 {{gallery}}
423 [[image:mfa-admin-user-management.png]]
424 {{/gallery}}
425
426 {{html clean="false"}}
427
428 <p class="product-gallery-caption">
429 Administrator view for checking and resetting a user MFA setup.
430 </p>
431 </div>
432 </section>
433
434 <section aria-labelledby="rollout-title">
435 <div class="container">
436 <div class="product-layout">
437 <article class="product-summary-card">
438 <h2 id="rollout-title">Rollout recommendations</h2>
439
440 <p>
441 For a smooth rollout, start with a small administrator or pilot group before requiring MFA for everyone.
442 This helps validate the configuration, prepare user communication and reduce support issues.
443 </p>
444
445 <ol class="process-list">
446 #foreach ($entry in $rolloutItems)
447 <li>
448 <strong>$entry.title</strong>
449 $entry.content
450 </li>
451 #end
452 </ol>
453 </article>
454
455 <aside class="product-info-card" aria-labelledby="planning-title">
456 <h3 id="planning-title">Useful information before installation</h3>
457
458 <p class="product-card-note">
459 These details help evaluate compatibility, rollout scope and configuration options.
460 </p>
461
462 <ul>
463 <li>XWiki version</li>
464 <li>Single wiki or wiki farm with subwikis</li>
465 <li>Current authentication setup</li>
466 <li>Optional or globally required MFA policy</li>
467 <li>Trusted-device policy</li>
468 <li>Recovery-code policy</li>
469 <li>Rollout communication needs</li>
470 </ul>
471 </aside>
472 </div>
473 </div>
474 </section>
475
476 <section class="cta-section" aria-labelledby="cta-title">
477 <div class="container">
478 <div class="cta-panel">
479 <h2 id="cta-title">Interested in using this extension?</h2>
480
481 <p>
482 Send a short message with your XWiki version, current authentication setup and MFA rollout goal.
483 </p>
484
485 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Contact Agnease</a>
486 </div>
487 </div>
488 </section>
489
490 {{/html}}
491 {{/velocity}}