Version 25.2 by Agnease on 2026/06/24 16:10

{{velocity}}
#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))

#set ($mainCapabilityItems = [{
'title': 'Second verification step',
'icon': 'key',
'content': 'Add an additional verification screen after the normal XWiki username and password login.'
},{
'title': 'Authenticator app codes',
'icon': 'mobile',
'content': 'Let users verify access with time-based TOTP codes generated by authenticator applications.'
},{
'title': 'Recovery and trusted devices',
'icon': 'shield',
'content': 'Provide backup access with recovery codes and reduce repeated prompts on trusted browsers.'
}])

#set ($adminExperienceItems = [{
'title': 'Rollout policy',
'icon': 'cog',
'content': 'Make additional verification optional at first or required for all users from the XWiki Administration section.'
},{
'title': 'Configuration options',
'icon': 'sliders',
'content': 'Set the authenticator issuer name, recovery-code count and trusted-device duration.'
},{
'title': 'Administration overview',
'icon': 'table',
'content': 'Review adoption with summary indicators and a filterable Live Data table.'
}])

#set ($userExperienceItems = [{
'title': 'Self-service setup',
'icon': 'qrcode',
'content': 'Users configure the second verification step from their profile by scanning a QR code or entering the setup key manually.'
},{
'title': 'Login verification',
'icon': 'sign-in',
'content': 'After the normal login, users enter the verification code generated by their authenticator app.'
},{
'title': 'Trusted browser option',
'icon': 'desktop',
'content': 'Users can trust the current browser for the configured duration after successful verification.'
}])

#set ($selfServiceItems = [{
'title': 'Recovery codes',
'icon': 'life-ring',
'content': 'Recovery codes provide backup access when a user loses access to the authenticator application.'
},{
'title': 'Trusted devices',
'icon': 'desktop',
'content': 'Trusted devices can be reviewed and removed from the user profile.'
},{
'title': 'Profile management',
'icon': 'user',
'content': 'Users can review status, generate recovery codes, manage trusted devices and reset their setup.'
}])

#set ($adminSupportItems = [{
'title': 'User status',
'icon': 'user',
'content': 'Administrators can open a user profile and check the verification status for that account.'
},{
'title': 'Setup reset',
'icon': 'refresh',
'content': 'Administrators can reset the setup when a user needs to restart the configuration process.'
},{
'title': 'Controlled recovery',
'icon': 'unlock-alt',
'content': 'Resetting the setup removes the authenticator configuration, recovery codes and trusted devices for that user.'
}])

#set ($rolloutItems = [{
'title': 'Start with a pilot group',
'content': 'Test the extension with administrators or a small user group before enabling it widely.'
},{
'title': 'Define the rollout policy',
'content': 'Decide whether additional verification should be optional at first or required for all users.'
},{
'title': 'Configure recovery options',
'content': 'Choose the number of recovery codes and whether trusted devices should be allowed.'
},{
'title': 'Inform users',
'content': 'Explain how users configure the authenticator app, save recovery codes and manage trusted devices.'
},{
'title': 'Monitor adoption',
'content': 'Use the administration overview to identify users who still need to configure protection.'
}])

{{html clean="false"}}

<section class="hero hero-centered" aria-labelledby="product-title">
<div class="container hero-inner">
<div class="hero-kicker">
<i class="fa fa-lock" aria-hidden="true"></i>
XWiki 2FA with MFA rollout support
</div>

<h1 id="product-title">XWiki Two-Factor Authentication</h1>

<p class="lead">
Protect XWiki logins with authenticator app verification, recovery codes,
trusted devices and administration controls for a safer rollout.
</p>

<div class="hero-actions">
<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Ask about this extension</a>
<a class="btn btn-secondary" href="$xwiki.getURL('products.WebHome')">View all products</a>
</div>
</div>
</section>

<section aria-labelledby="overview-title">
<div class="container">
<div class="product-layout">
<article class="product-summary-card">
<h2 id="overview-title">Two-factor authentication built into XWiki</h2>

<p>
XWiki Two-Factor Authentication adds an additional verification step to the standard
XWiki login flow. Users continue to sign in with their normal username and password,
then confirm access with a time-based code from an authenticator application.
</p>

<p>
The application has evolved beyond a simple login-code screen. It also supports
global enforcement, recovery codes, trusted devices, user self-service management,
administrator reset actions and an administration overview for monitoring adoption.
</p>
</article>

<aside class="product-info-card" aria-labelledby="quick-facts-title">
<h3 id="quick-facts-title">Quick facts</h3>
<ul>
<li>Works with the standard XWiki login flow</li>
<li>Supports TOTP authenticator applications</li>
<li>Can require additional verification for all users</li>
<li>Includes one-time recovery codes</li>
<li>Can remember trusted browsers or devices</li>
<li>Includes user self-service controls</li>
<li>Includes an administration overview</li>
</ul>
</aside>
</div>
</div>
</section>

<section aria-labelledby="capabilities-title">
<div class="container">
<h2 id="capabilities-title">Main capabilities</h2>

<p class="section-intro">
A focused set of authentication protection features for stronger XWiki account security
without replacing the familiar login experience.
</p>

<div class="product-feature-grid">
#foreach ($entry in $mainCapabilityItems)
<article class="product-feature">
<div class="card-heading">
<div class="feature-icon">
<i class="fa fa-$entry.icon" aria-hidden="true"></i>
</div>
<h3>$entry.title</h3>
</div>

<p>$entry.content</p>
</article>
#end
</div>
</div>
</section>

<section class="product-section-muted" aria-labelledby="security-title">
<div class="container">
<div class="product-layout">
<article class="product-summary-card">
<h2 id="security-title">Useful for XWiki security and access protection</h2>

<p>
Many organizations use XWiki to store internal documentation, procedures, operational
knowledge and business-critical information. Adding an additional authentication factor helps
reduce the risk of account compromise when a password is exposed or reused.
</p>

<p>
The extension is especially useful for protecting administrator accounts, remote users,
private knowledge bases and customer or partner portals.
</p>
</article>

<aside class="product-info-card" aria-labelledby="use-cases-title">
<h3 id="use-cases-title">Typical use cases</h3>
<ul>
<li>Administrator account protection</li>
<li>Internal knowledge base security</li>
<li>Private documentation platforms</li>
<li>Remote user access protection</li>
<li>Customer or partner portals</li>
<li>Security review, MFA rollout and compliance readiness</li>
</ul>
</aside>
</div>
</div>
</section>

<section aria-labelledby="admin-experience-title">
<div class="container">
<h2 id="admin-experience-title">Administrator configuration and monitoring</h2>

<p class="section-intro">
Administrators can configure the policy, define recovery options and monitor adoption
from the XWiki Administration section.
</p>

<div class="product-feature-grid">
#foreach ($entry in $adminExperienceItems)
<article class="product-feature">
<div class="card-heading">
<div class="feature-icon">
<i class="fa fa-$entry.icon" aria-hidden="true"></i>
</div>
<h3>$entry.title</h3>
</div>

<p>$entry.content</p>
</article>
#end
</div>

{{/html}}

{{gallery}}
[[image:mfa-admin-configuration.png]]
[[image:mfa-admin-overview.png]]
[[image:mfa-admin-full.png]]
{{/gallery}}

{{html clean="false"}}

<p class="product-gallery-caption">
Administration screens for configuring the policy and reviewing adoption across users.
</p>
</div>
</section>

<section class="product-section-muted" aria-labelledby="user-experience-title">
<div class="container">
<h2 id="user-experience-title">User setup and login verification</h2>

<p class="section-intro">
Users can configure the authenticator app from their profile or during the enforced setup flow,
then verify future logins with a generated code.
</p>

<div class="product-feature-grid">
#foreach ($entry in $userExperienceItems)
<article class="product-feature">
<div class="card-heading">
<div class="feature-icon">
<i class="fa fa-$entry.icon" aria-hidden="true"></i>
</div>
<h3>$entry.title</h3>
</div>

<p>$entry.content</p>
</article>
#end
</div>

{{/html}}

{{gallery}}
[[image:mfa-user-setup-qr.png]]
[[image:mfa-login-verification-setup.png]]
[[image:mfa-login-verification-code.png]]
{{/gallery}}

{{html clean="false"}}

<p class="product-gallery-caption">
User setup, enforced configuration and login verification screens.
</p>
</div>
</section>

<section aria-labelledby="self-service-title">
<div class="container">
<h2 id="self-service-title">Recovery codes and trusted devices</h2>

<p class="section-intro">
Recovery codes and trusted devices help balance stronger access protection with a smoother user experience.
</p>

<div class="product-feature-grid">
#foreach ($entry in $selfServiceItems)
<article class="product-feature">
<div class="card-heading">
<div class="feature-icon">
<i class="fa fa-$entry.icon" aria-hidden="true"></i>
</div>
<h3>$entry.title</h3>
</div>

<p>$entry.content</p>
</article>
#end
</div>

{{/html}}

{{gallery}}
[[image:mfa-user-profile-overview.png]]
[[image:mfa-recovery-codes-not-generated.png]]
[[image:mfa-recovery-codes-generated.png]]
[[image:mfa-trusted-devices.png]]
[[image:mfa-user-profile-full.png]]
{{/gallery}}

{{html clean="false"}}

<p class="product-gallery-caption">
User profile screens for recovery codes, trusted devices and self-service management.
</p>
</div>
</section>

<section class="product-section-muted" aria-labelledby="admin-support-title">
<div class="container">
<h2 id="admin-support-title">Administrator support and user recovery</h2>

<p class="section-intro">
Administrators can help users recover from lost devices or restart setup when needed.
</p>

<div class="product-feature-grid">
#foreach ($entry in $adminSupportItems)
<article class="product-feature">
<div class="card-heading">
<div class="feature-icon">
<i class="fa fa-$entry.icon" aria-hidden="true"></i>
</div>
<h3>$entry.title</h3>
</div>

<p>$entry.content</p>
</article>
#end
</div>

{{/html}}

{{gallery}}
[[image:mfa-admin-user-management.png]]
{{/gallery}}

{{html clean="false"}}

<p class="product-gallery-caption">
Administrator view for checking and resetting a user setup.
</p>
</div>
</section>

<section aria-labelledby="faq-title">
<div class="container">
<h2 id="faq-title">Frequently asked questions</h2>

<p class="section-intro">
Common questions about how the extension works, how users configure it and how administrators can manage rollout and recovery.
</p>

<div class="resource-content">
<details class="resource-faq-item">
<summary>Does this extension replace the standard XWiki login?</summary>
<p>
No. Users still sign in with their normal XWiki username and password. The extension adds
an additional verification step after the standard login check.
</p>
</details>

<details class="resource-faq-item">
<summary>Which verification method is used?</summary>
<p>
Users verify access with time-based codes generated by an authenticator application.
The setup page provides a QR code and a manual setup key.
</p>
</details>

<details class="resource-faq-item">
<summary>Can the second verification step be required for all users?</summary>
<p>
Yes. Administrators can make the verification step optional or required for all users
from the XWiki Administration section.
</p>
</details>

<details class="resource-faq-item">
<summary>What happens if a user loses access to the authenticator app?</summary>
<p>
Recovery codes can provide backup access when enabled. Administrators can also reset
the user setup so the configuration process can be restarted.
</p>
</details>

<details class="resource-faq-item">
<summary>Can trusted browsers or devices be disabled?</summary>
<p>
Yes. Administrators can configure how long trusted devices remain valid. Setting the
trusted-device duration to 0 disables this option.
</p>
</details>

<details class="resource-faq-item">
<summary>Is this only a basic 2FA login-code screen?</summary>
<p>
No. The main login mechanism is two-factor authentication, but the application also includes
features needed for a safer organization-wide rollout: enforcement policy, recovery codes,
trusted devices, user self-service, administrator monitoring and administrator reset actions.
</p>
</details>

<details class="resource-faq-item">
<summary>Is this enough for compliance on its own?</summary>
<p>
No. This extension provides an important access-protection control, but it should be part
of a broader security and compliance approach that includes permissions, upgrades,
infrastructure, monitoring and operational procedures.
</p>
</details>
</div>
</div>
</section>

<section class="product-section-muted" aria-labelledby="rollout-title">
<div class="container">
<div class="product-layout">
<article class="product-summary-card">
<h2 id="rollout-title">Rollout recommendations</h2>

<p>
For a smooth rollout, start with a small administrator or pilot group before requiring
the additional verification step for everyone. This helps validate the configuration,
prepare user communication and reduce support issues.
</p>

<ol class="process-list">
#foreach ($entry in $rolloutItems)
<li>
<strong>$entry.title</strong>
$entry.content
</li>
#end
</ol>
</article>

<aside class="product-info-card" aria-labelledby="planning-title">
<h3 id="planning-title">Useful information before installation</h3>

<p class="product-card-note">
These details help evaluate compatibility, rollout scope and configuration options.
</p>

<ul>
<li>XWiki version</li>
<li>Single wiki or wiki farm with subwikis</li>
<li>Current authentication setup</li>
<li>Optional or required rollout policy</li>
<li>Trusted-device policy</li>
<li>Recovery-code policy</li>
<li>Rollout communication needs</li>
</ul>
</aside>
</div>
</div>
</section>

<section class="cta-section" aria-labelledby="cta-title">
<div class="container">
<div class="cta-panel">
<h2 id="cta-title">Interested in using this extension?</h2>

<p>
Send a short message with your XWiki version, current authentication setup and rollout goal.
</p>

<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Contact Agnease</a>
</div>
</div>
</section>

{{/html}}
{{/velocity}}