Wiki source code of XWiki Two-Factor Authentication

Version 23.8 by Agnease on 2026/06/24 15:55

Manage
- Copy
Actions
- Export
- Print Preview
Viewers
- Source
- Siblings
- Content
- Comments
- Attachments (12)
- History
- Information
- Likes

version	line-number	content
1.18	1	{{velocity}}
	2	#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
	3	#set ($discard = $xwiki.ssx.use('products.WebHome'))
10.1	4
23.1	5	#set ($mainCapabilityItems = [{
	6	'title': 'Second verification step',
	7	'icon': 'key',
	8	'content': 'Add an additional verification screen after the normal XWiki username and password login.'
10.1	9	},{
23.1	10	'title': 'Authenticator app codes',
	11	'icon': 'mobile',
	12	'content': 'Let users verify access with time-based TOTP codes generated by authenticator applications.'
10.1	13	},{
23.1	14	'title': 'Recovery and trusted devices',
	15	'icon': 'shield',
	16	'content': 'Provide backup access with recovery codes and reduce repeated prompts on trusted browsers.'
10.1	17	}])
	18
23.1	19	#set ($adminExperienceItems = [{
	20	'title': 'MFA policy',
22.5	21	'icon': 'cog',
23.1	22	'content': 'Make MFA optional or required for all users from the XWiki Administration section.'
10.1	23	},{
23.1	24	'title': 'Configuration options',
	25	'icon': 'sliders',
	26	'content': 'Set the authenticator issuer name, recovery-code count and trusted-device duration.'
10.1	27	},{
23.1	28	'title': 'Administration overview',
22.5	29	'icon': 'table',
23.1	30	'content': 'Review MFA adoption with summary indicators and a filterable Live Data table.'
10.1	31	}])
	32
23.1	33	#set ($userExperienceItems = [{
22.5	34	'title': 'Self-service setup',
	35	'icon': 'qrcode',
23.1	36	'content': 'Users configure MFA from their profile by scanning a QR code or entering the setup key manually.'
10.1	37	},{
23.1	38	'title': 'Login verification',
	39	'icon': 'sign-in',
	40	'content': 'After the normal login, users enter the code generated by their authenticator app.'
10.1	41	},{
22.5	42	'title': 'Trusted browser option',
	43	'icon': 'desktop',
	44	'content': 'Users can trust the current browser for the configured duration after successful verification.'
10.1	45	}])
	46
23.1	47	#set ($selfServiceItems = [{
	48	'title': 'Recovery codes',
22.5	49	'icon': 'life-ring',
23.1	50	'content': 'Recovery codes provide backup access when a user loses access to the authenticator application.'
10.1	51	},{
23.1	52	'title': 'Trusted devices',
	53	'icon': 'desktop',
	54	'content': 'Trusted devices can be reviewed and removed from the user profile.'
22.6	55	},{
23.1	56	'title': 'Profile management',
	57	'icon': 'user',
	58	'content': 'Users can review MFA status, generate recovery codes, manage trusted devices and reset MFA.'
10.1	59	}])
	60
22.3	61	#set ($adminSupportItems = [{
22.5	62	'title': 'User MFA status',
	63	'icon': 'user',
23.1	64	'content': 'Administrators can open a user profile and check the MFA status for that account.'
22.3	65	},{
23.1	66	'title': 'MFA reset',
22.5	67	'icon': 'refresh',
23.1	68	'content': 'Administrators can reset MFA when a user needs to restart the configuration process.'
22.3	69	},{
23.1	70	'title': 'Controlled recovery',
	71	'icon': 'unlock-alt',
22.5	72	'content': 'Resetting MFA removes the authenticator setup, recovery codes and trusted devices for that user.'
22.3	73	}])
	74
10.1	75	#set ($rolloutItems = [{
22.5	76	'title': 'Start with a pilot group',
	77	'content': 'Test the extension with administrators or a small user group before enabling it widely.'
10.1	78	},{
22.5	79	'title': 'Define the MFA policy',
	80	'content': 'Decide whether MFA should be optional at first or required for all users.'
10.1	81	},{
22.5	82	'title': 'Configure recovery options',
	83	'content': 'Choose the number of recovery codes and whether trusted devices should be allowed.'
10.1	84	},{
23.1	85	'title': 'Inform users',
22.5	86	'content': 'Explain how users configure MFA, save recovery codes and manage trusted devices.'
10.1	87	},{
22.5	88	'title': 'Monitor adoption',
	89	'content': 'Use the administration overview to identify users who still need to configure MFA.'
10.1	90	}])
	91
1.18	92	{{html clean="false"}}
1.2	93
10.1	94	<section class="hero hero-centered" aria-labelledby="product-title">
1.18	95	<div class="container hero-inner">
	96	<div class="hero-kicker">
1.2	97	<i class="fa fa-lock" aria-hidden="true"></i>
1.18	98	XWiki 2FA and MFA
1.2	99	</div>
	100
23.6	101	<h1 id="product-title">XWiki Two-Factor Authentication (2FA/MFA)</h1>
1.2	102
22.5	103	<p class="lead">
23.1	104	Protect XWiki logins with a second verification step using authenticator app codes,
	105	recovery codes and trusted devices.
22.5	106	</p>
1.2	107
22.5	108	<div class="hero-actions">
	109	<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Ask about this extension</a>
	110	<a class="btn btn-secondary" href="$xwiki.getURL('products.WebHome')">View all products</a>
	111	</div>
1.18	112	</div>
	113	</section>
	114
	115	<section aria-labelledby="overview-title">
	116	<div class="container">
	117	<div class="product-layout">
	118	<article class="product-summary-card">
23.1	119	<h2 id="overview-title">Two-factor authentication built into XWiki</h2>
1.18	120
22.5	121	<p>
23.1	122	XWiki Two-Factor Authentication adds MFA support to the standard XWiki login flow.
	123	Users continue to sign in with their normal username and password, then confirm access
	124	with a time-based verification code from an authenticator application.
22.5	125	</p>
1.18	126
22.5	127	<p>
23.1	128	The extension is designed for organizations that want stronger access protection for
	129	internal knowledge bases, intranets, documentation platforms, customer portals and other
	130	XWiki-based applications.
22.5	131	</p>
	132	</article>
1.18	133
22.5	134	<aside class="product-info-card" aria-labelledby="quick-facts-title">
	135	<h3 id="quick-facts-title">Quick facts</h3>
	136	<ul>
	137	<li>Works with the standard XWiki login flow</li>
23.1	138	<li>Supports TOTP authenticator applications</li>
22.5	139	<li>Can require MFA for all users</li>
	140	<li>Includes one-time recovery codes</li>
23.1	141	<li>Can remember trusted browsers or devices</li>
22.5	142	<li>Includes user self-service controls</li>
23.1	143	<li>Includes an administration overview</li>
22.5	144	</ul>
	145	</aside>
	146	</div>
1.18	147	</div>
	148	</section>
	149
23.1	150	<section aria-labelledby="capabilities-title">
1.18	151	<div class="container">
23.1	152	<h2 id="capabilities-title">Main capabilities</h2>
1.18	153
22.5	154	<p class="section-intro">
23.1	155	A focused set of MFA features for stronger XWiki account protection without replacing the familiar login experience.
22.5	156	</p>
1.18	157
22.5	158	<div class="product-feature-grid">
23.1	159	#foreach ($entry in $mainCapabilityItems)
22.5	160	<article class="product-feature">
	161	<div class="card-heading">
	162	<div class="feature-icon">
	163	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	164	</div>
	165	<h3>$entry.title</h3>
	166	</div>
6.7	167
22.5	168	<p>$entry.content</p>
	169	</article>
	170	#end
	171	</div>
10.1	172	</div>
	173	</section>
	174
23.1	175	<section class="product-section-muted" aria-labelledby="security-title">
10.1	176	<div class="container">
23.1	177	<div class="product-layout">
	178	<article class="product-summary-card">
	179	<h2 id="security-title">Useful for XWiki security and access protection</h2>
10.1	180
23.1	181	<p>
	182	Many organizations use XWiki to store internal documentation, procedures, operational
	183	knowledge and business-critical information. Adding a second authentication factor helps
	184	reduce the risk of account compromise when a password is exposed or reused.
	185	</p>
1.18	186
23.1	187	<p>
	188	The extension is especially useful for protecting administrator accounts, remote users,
	189	private knowledge bases and customer or partner portals.
	190	</p>
	191	</article>
8.1	192
23.1	193	<aside class="product-info-card" aria-labelledby="use-cases-title">
	194	<h3 id="use-cases-title">Typical use cases</h3>
	195	<ul>
	196	<li>Administrator account protection</li>
	197	<li>Internal knowledge base security</li>
	198	<li>Private documentation platforms</li>
	199	<li>Remote user access protection</li>
	200	<li>Customer or partner portals</li>
23.4	201	<li>Security review, MFA rollout and compliance readiness</li>
23.1	202	</ul>
	203	</aside>
22.5	204	</div>
10.1	205	</div>
	206	</section>
	207
23.1	208	<section aria-labelledby="admin-experience-title">
10.1	209	<div class="container">
23.1	210	<h2 id="admin-experience-title">Administrator configuration and monitoring</h2>
10.1	211
22.5	212	<p class="section-intro">
23.1	213	Administrators can configure the MFA policy, define recovery options and monitor adoption from the XWiki Administration section.
22.5	214	</p>
10.1	215
22.5	216	<div class="product-feature-grid">
23.1	217	#foreach ($entry in $adminExperienceItems)
22.5	218	<article class="product-feature">
	219	<div class="card-heading">
	220	<div class="feature-icon">
	221	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	222	</div>
	223	<h3>$entry.title</h3>
	224	</div>
1.18	225
22.5	226	<p>$entry.content</p>
	227	</article>
	228	#end
	229	</div>
10.1	230
	231	{{/html}}
	232
	233	{{gallery}}
23.1	234	[[image:mfa-admin-configuration.png]]
10.1	235	[[image:mfa-admin-overview.png]]
17.2	236	[[image:mfa-admin-full.png]]
10.1	237	{{/gallery}}
	238
	239	{{html clean="false"}}
	240
22.5	241	<p class="product-gallery-caption">
23.1	242	Administration screens for configuring MFA and reviewing MFA adoption across users.
22.5	243	</p>
7.2	244	</div>
	245	</section>
	246
23.1	247	<section class="product-section-muted" aria-labelledby="user-experience-title">
6.11	248	<div class="container">
23.1	249	<h2 id="user-experience-title">User setup and login verification</h2>
10.1	250
22.5	251	<p class="section-intro">
23.1	252	Users can configure MFA from their profile or during the enforced setup flow, then verify future logins with their authenticator app.
22.5	253	</p>
10.1	254
22.5	255	<div class="product-feature-grid">
23.1	256	#foreach ($entry in $userExperienceItems)
22.5	257	<article class="product-feature">
	258	<div class="card-heading">
	259	<div class="feature-icon">
	260	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	261	</div>
	262	<h3>$entry.title</h3>
	263	</div>
10.1	264
22.5	265	<p>$entry.content</p>
	266	</article>
	267	#end
	268	</div>
10.1	269
	270	{{/html}}
	271
	272	{{gallery}}
	273	[[image:mfa-user-setup-qr.png]]
15.2	274	[[image:mfa-login-verification-setup.png]]
	275	[[image:mfa-login-verification-code.png]]
10.1	276	{{/gallery}}
	277
	278	{{html clean="false"}}
	279
22.5	280	<p class="product-gallery-caption">
23.1	281	User setup, enforced MFA configuration and login verification screens.
22.5	282	</p>
10.1	283	</div>
	284	</section>
	285
23.1	286	<section aria-labelledby="self-service-title">
10.1	287	<div class="container">
23.1	288	<h2 id="self-service-title">Recovery codes and trusted devices</h2>
10.1	289
22.5	290	<p class="section-intro">
23.1	291	Recovery codes and trusted devices help balance stronger access protection with a smoother user experience.
22.5	292	</p>
10.1	293
22.5	294	<div class="product-feature-grid">
23.1	295	#foreach ($entry in $selfServiceItems)
22.5	296	<article class="product-feature">
	297	<div class="card-heading">
	298	<div class="feature-icon">
	299	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	300	</div>
	301	<h3>$entry.title</h3>
	302	</div>
10.1	303
22.5	304	<p>$entry.content</p>
	305	</article>
	306	#end
	307	</div>
10.1	308
	309	{{/html}}
	310
	311	{{gallery}}
23.1	312	[[image:mfa-user-profile-overview.png]]
22.2	313	[[image:mfa-recovery-codes-not-generated.png]]
	314	[[image:mfa-recovery-codes-generated.png]]
10.1	315	[[image:mfa-trusted-devices.png]]
22.2	316	[[image:mfa-user-profile-full.png]]
10.1	317	{{/gallery}}
	318
	319	{{html clean="false"}}
	320
22.5	321	<p class="product-gallery-caption">
23.1	322	User profile screens for recovery codes, trusted devices and MFA self-service management.
22.5	323	</p>
10.1	324	</div>
	325	</section>
	326
22.3	327	<section class="product-section-muted" aria-labelledby="admin-support-title">
10.1	328	<div class="container">
22.3	329	<h2 id="admin-support-title">Administrator support and user recovery</h2>
	330
22.5	331	<p class="section-intro">
	332	Administrators can help users recover from lost devices or restart MFA setup when needed.
	333	</p>
22.3	334
22.5	335	<div class="product-feature-grid">
	336	#foreach ($entry in $adminSupportItems)
	337	<article class="product-feature">
	338	<div class="card-heading">
	339	<div class="feature-icon">
	340	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	341	</div>
	342	<h3>$entry.title</h3>
	343	</div>
22.3	344
22.5	345	<p>$entry.content</p>
	346	</article>
	347	#end
	348	</div>
22.3	349
	350	{{/html}}
	351
	352	{{gallery}}
	353	[[image:mfa-admin-user-management.png]]
	354	{{/gallery}}
	355
	356	{{html clean="false"}}
	357
22.5	358	<p class="product-gallery-caption">
	359	Administrator view for checking and resetting a user MFA setup.
	360	</p>
22.3	361	</div>
	362	</section>
	363
	364	<section aria-labelledby="rollout-title">
	365	<div class="container">
8.1	366	<div class="product-layout">
	367	<article class="product-summary-card">
10.1	368	<h2 id="rollout-title">Rollout recommendations</h2>
6.11	369
22.5	370	<p>
	371	For a smooth rollout, start with a small administrator or pilot group before requiring MFA for everyone.
	372	This helps validate the configuration, prepare user communication and reduce support issues.
	373	</p>
6.11	374
22.5	375	<ol class="process-list">
	376	#foreach ($entry in $rolloutItems)
	377	<li>
	378	<strong>$entry.title</strong>
	379	$entry.content
	380	</li>
	381	#end
	382	</ol>
	383	</article>
6.11	384
22.5	385	<aside class="product-info-card" aria-labelledby="planning-title">
	386	<h3 id="planning-title">Useful information before installation</h3>
10.1	387
22.5	388	<p class="product-card-note">
	389	These details help evaluate compatibility, rollout scope and configuration options.
	390	</p>
8.1	391
22.5	392	<ul>
	393	<li>XWiki version</li>
	394	<li>Single wiki or wiki farm with subwikis</li>
	395	<li>Current authentication setup</li>
	396	<li>Optional or globally required MFA policy</li>
	397	<li>Trusted-device policy</li>
	398	<li>Recovery-code policy</li>
	399	<li>Rollout communication needs</li>
	400	</ul>
	401	</aside>
	402	</div>
7.2	403	</div>
	404	</section>
	405
1.18	406	<section class="cta-section" aria-labelledby="cta-title">
	407	<div class="container">
	408	<div class="cta-panel">
	409	<h2 id="cta-title">Interested in using this extension?</h2>
10.1	410
22.5	411	<p>
	412	Send a short message with your XWiki version, current authentication setup and MFA rollout goal.
	413	</p>
10.1	414
22.5	415	<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Contact Agnease</a>
	416	</div>
1.18	417	</div>
	418	</section>
	419
	420	{{/html}}
	421	{{/velocity}}