Version 6.12 by Agnease on 2026/06/23 07:40

1 {{velocity}}
## Pull in the stylesheet extensions (SSX) attached to the two pages below.
## The return value of use() is not needed, hence the throwaway variable.
#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
#set ($discard = $xwiki.ssx.use('products.WebHome'))
4
## Cards for the "Main capabilities" grid. Each map carries a title, a Font Awesome
## icon suffix (rendered as fa-<icon>) and the card body text.
## NOTE(review): the email card does not say how long a mailed code stays valid or
## whether failed attempts are limited. Both are worth stating for evaluators, since an
## emailed code is only as strong as the mailbox that receives it.
#set ($mainCapabilityItems = [
  {
    'title': 'Second verification step',
    'icon': 'key',
    'content': 'Add an additional verification screen after the normal XWiki username and password login.'
  },
  {
    'title': 'Authenticator app codes',
    'icon': 'mobile',
    'content': 'Let users verify access with time-based TOTP codes generated by authenticator applications.'
  },
  {
    'title': 'Email verification codes',
    'icon': 'envelope-o',
    'content': 'Send one-time verification codes by email when this method is enabled or combined with app codes.'
  }
])
18
## Cards for the "Administrator experience" grid (title, icon suffix, body text).
## NOTE(review): the adoption overview shows which accounts have no second factor yet.
## Presumably it is visible to administrators only - confirm and say so on the page.
#set ($adminExperienceItems = [
  {
    'title': 'Simple MFA policy',
    'icon': 'cog',
    'content': 'Administrators can make MFA optional or required for all users from the XWiki Administration section.'
  },
  {
    'title': 'Recovery and trusted devices',
    'icon': 'shield',
    'content': 'Configure recovery-code count and trusted-device duration according to the organization security policy.'
  },
  {
    'title': 'Administration overview',
    'icon': 'table',
    'content': 'Review MFA adoption across users with summary indicators and a filterable Live Data table.'
  }
])
32
## Cards for the "User experience" grid (title, icon suffix, body text).
## NOTE(review): the setup key offered for manual entry is the shared TOTP secret.
## The page does not say whether it can be displayed again after enrolment - confirm.
#set ($userExperienceItems = [
  {
    'title': 'Self-service setup',
    'icon': 'qrcode',
    'content': 'Users configure MFA from their profile by scanning a QR code or entering the setup key manually.'
  },
  {
    'title': 'Familiar login flow',
    'icon': 'sign-in',
    'content': 'After the normal login, users enter the configured verification code before accessing XWiki.'
  },
  {
    'title': 'Profile management',
    'icon': 'user',
    'content': 'Users can review MFA status, manage recovery codes and remove trusted devices from their profile.'
  }
])
46
## Cards for the "Recovery codes and trusted devices" grid (title, icon suffix, body text).
## NOTE(review): all three features are ways around the second factor, so evaluators will
## look for their limits. The page does not state whether recovery codes are single-use,
## whether a trusted device can be revoked centrally, or whether an administrator reset is
## logged - confirm and mention whichever applies.
#set ($recoveryItems = [
  {
    'title': 'Recovery codes',
    'icon': 'life-ring',
    'content': 'Recovery codes provide backup access when a user loses access to the authenticator application.'
  },
  {
    'title': 'Trusted devices',
    'icon': 'desktop',
    'content': 'Trusted browsers or devices can skip repeated MFA prompts for a configured period.'
  },
  {
    'title': 'Administrator reset',
    'icon': 'refresh',
    'content': 'Administrators can reset a user MFA setup when the user needs to restart the configuration process.'
  }
])
60
## Ordered steps for the "Rollout recommendations" list. These entries have no icon.
## NOTE(review): the second step lists "required for administrators" as a policy choice,
## while the administration card and the planning checklist on this page only mention
## optional or required for all users. Confirm which scopes exist and align the wording.
#set ($rolloutItems = [
  {
    'title': 'Start with a pilot group',
    'content': 'Test the extension with administrators or a small user group before enabling it widely.'
  },
  {
    'title': 'Define the MFA policy',
    'content': 'Decide whether MFA should be optional, required for administrators, or required for all users.'
  },
  {
    'title': 'Configure recovery options',
    'content': 'Choose whether recovery codes and trusted devices should be enabled.'
  },
  {
    'title': 'Inform users',
    'content': 'Explain how users configure MFA, save recovery codes and manage trusted devices.'
  },
  {
    'title': 'Monitor adoption',
    'content': 'Use the administration overview to identify users who still need to configure MFA.'
  }
])
77
78 {{html clean="false"}}
79
80 <div class="product-doc-page product-mfa-page">
81
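## Hero banner: product name, one-line pitch and the two primary calls to action.
## The link targets are XML-escaped before they are written into the href attributes,
## because the enclosing html macro is opened with clean="false" and emits this markup as-is.
<section class="hero hero-centered" aria-labelledby="product-title">
  <div class="container hero-inner">
    <div class="hero-kicker">
      <i class="fa fa-lock" aria-hidden="true"></i>
      XWiki 2FA and MFA
    </div>

    <h1 id="product-title">XWiki Two-Factor Authentication</h1>

    <p class="lead">
      Protect XWiki logins with a second verification step using authenticator app codes,
      email verification codes, or both.
    </p>

    <div class="hero-actions">
      <a class="btn btn-primary" href="$escapetool.xml($xwiki.getURL('contact.WebHome'))">Ask about this extension</a>
      <a class="btn btn-secondary" href="$escapetool.xml($xwiki.getURL('products.WebHome'))">View all products</a>
    </div>
  </div>
</section>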
102
## Overview: two-paragraph summary card next to a "Quick facts" side panel. Static markup only.
<section aria-labelledby="overview-title">
  <div class="container">
    <div class="product-layout">

      <article class="product-summary-card">
        <h2 id="overview-title">Two-factor authentication built into XWiki</h2>

        <p>
          XWiki Two-Factor Authentication adds MFA/2FA support to the standard XWiki login flow.
          Users continue to sign in with their normal username and password, then confirm access with
          an additional verification method.
        </p>

        <p>
          The extension supports authenticator app codes, email-delivered verification codes, or a combined
          setup where both methods are required. It is designed to improve account protection without replacing
          the familiar XWiki authentication experience.
        </p>
      </article>

      <aside class="product-info-card" aria-labelledby="quick-facts-title">
        <h3 id="quick-facts-title">Quick facts</h3>
        <ul>
          <li>Works with the standard XWiki login flow</li>
          <li>Supports TOTP authenticator applications</li>
          <li>Supports email-delivered one-time codes</li>
          <li>Can require app and email verification together</li>
          <li>Includes recovery codes for backup access</li>
          <li>Can remember trusted browsers or devices</li>
          <li>Includes administration and user controls</li>
        </ul>
      </aside>

    </div>
  </div>
</section>
137
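## "Main capabilities" grid: one card per entry of the mainCapabilityItems list.
## Title, icon suffix and body are XML-escaped on output. The entries are page-local
## literals today, so the rendered result is unchanged. The escaping keeps the markup
## well-formed if an entry later gains a character such as & or <, or if the list is
## sourced from translations or object properties, because the enclosing html macro is
## opened with clean="false".
<section aria-labelledby="capabilities-title">
  <div class="container">
    <h2 id="capabilities-title">Main capabilities</h2>

    <p class="section-intro">
      A focused set of MFA/2FA features for stronger XWiki account protection without changing the standard login experience.
    </p>

    <div class="product-feature-grid">
      #foreach ($entry in $mainCapabilityItems)
        <article class="product-feature">
          <div class="card-heading">
            <div class="feature-icon">
              <i class="fa fa-${escapetool.xml($entry.icon)}" aria-hidden="true"></i>
            </div>
            <h3>$escapetool.xml($entry.title)</h3>
          </div>

          <p>$escapetool.xml($entry.content)</p>
        </article>
      #end
    </div>
  </div>
</section>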
162
## Positioning section: why MFA matters for XWiki, plus a "Typical use cases" side panel.
## NOTE(review): the last use case mentions NIS 2 readiness. MFA is one control among
## several, so keep the wording from implying that the extension alone delivers readiness.
<section class="product-section-muted" aria-labelledby="security-title">
  <div class="container">
    <div class="product-layout">

      <article class="product-summary-card">
        <h2 id="security-title">Useful for XWiki security and access protection</h2>

        <p>
          Many organizations need multi-factor authentication for internal tools, knowledge bases,
          intranets, documentation platforms and systems containing operational or sensitive information.
        </p>

        <p>
          For XWiki, adding two-factor authentication directly to the standard login flow helps protect
          administrator accounts, remote users, private knowledge bases and customer or partner portals.
        </p>
      </article>

      <aside class="product-info-card" aria-labelledby="use-cases-title">
        <h3 id="use-cases-title">Typical use cases</h3>
        <ul>
          <li>Administrator account protection</li>
          <li>Internal knowledge base security</li>
          <li>Private documentation platforms</li>
          <li>Remote user access protection</li>
          <li>Customer or partner portals</li>
          <li>Security review and NIS 2 readiness initiatives</li>
        </ul>
      </aside>

    </div>
  </div>
</section>
194
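## "Administrator experience" grid: one card per entry of the adminExperienceItems list,
## followed by the caption for the screenshot gallery that comes after this html block.
## Card fields are XML-escaped on output. The rendered result is unchanged for the current
## literals, and the markup stays well-formed if an entry later contains & or <.
<section aria-labelledby="admin-experience-title">
  <div class="container">
    <h2 id="admin-experience-title">Administrator experience</h2>

    <p class="section-intro">
      Administrators can configure the MFA policy, monitor adoption and reset user MFA setups when needed.
    </p>

    <div class="product-feature-grid">
      #foreach ($entry in $adminExperienceItems)
        <article class="product-feature">
          <div class="card-heading">
            <div class="feature-icon">
              <i class="fa fa-${escapetool.xml($entry.icon)}" aria-hidden="true"></i>
            </div>
            <h3>$escapetool.xml($entry.title)</h3>
          </div>

          <p>$escapetool.xml($entry.content)</p>
        </article>
      #end
    </div>

    <p class="product-gallery-caption">
      Administration screens for configuring MFA and reviewing MFA adoption across users.
    </p>
  </div>
</section>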
223
224 {{/html}}
225
## Screenshot gallery for the administrator section.
## NOTE(review): the overview screenshot presumably lists accounts with their MFA status.
## Confirm it was captured on a demo wiki so that no real user names are published.
226 {{gallery}}
227 [[image:mfa-admin-configuration.png]]
228 [[image:mfa-admin-overview.png]]
229 {{/gallery}}
230
231 {{html clean="false"}}
232
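## "User experience" grid: one card per entry of the userExperienceItems list,
## followed by the caption for the screenshot gallery that comes after this html block.
## Card fields are XML-escaped on output. The rendered result is unchanged for the current
## literals, and the markup stays well-formed if an entry later contains & or <.
<section class="product-section-muted" aria-labelledby="user-experience-title">
  <div class="container">
    <h2 id="user-experience-title">User experience</h2>

    <p class="section-intro">
      Users can configure MFA from their profile and complete the second verification step during login.
    </p>

    <div class="product-feature-grid">
      #foreach ($entry in $userExperienceItems)
        <article class="product-feature">
          <div class="card-heading">
            <div class="feature-icon">
              <i class="fa fa-${escapetool.xml($entry.icon)}" aria-hidden="true"></i>
            </div>
            <h3>$escapetool.xml($entry.title)</h3>
          </div>

          <p>$escapetool.xml($entry.content)</p>
        </article>
      #end
    </div>

    <p class="product-gallery-caption">
      User setup and login verification screens.
    </p>
  </div>
</section>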
261
262 {{/html}}
263
## Screenshot gallery for the user setup and login screens.
## NOTE(review): a setup screenshot shows the enrolment QR code and usually the setup key,
## both of which carry the TOTP secret. Confirm the pictured account is a throwaway whose
## MFA setup was reset after the capture.
264 {{gallery}}
265 [[image:mfa-user-setup-qr.png]]
266 [[image:mfa-login-verification.png]]
267 {{/gallery}}
268
269 {{html clean="false"}}
270
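## "Recovery codes and trusted devices" grid: one card per entry of the recoveryItems list,
## followed by the caption for the screenshot gallery that comes after this html block.
## Card fields are XML-escaped on output. The rendered result is unchanged for the current
## literals, and the markup stays well-formed if an entry later contains & or <.
<section aria-labelledby="recovery-title">
  <div class="container">
    <h2 id="recovery-title">Recovery codes and trusted devices</h2>

    <p class="section-intro">
      Recovery codes and trusted devices help balance stronger access protection with a smoother user experience.
    </p>

    <div class="product-feature-grid">
      #foreach ($entry in $recoveryItems)
        <article class="product-feature">
          <div class="card-heading">
            <div class="feature-icon">
              <i class="fa fa-${escapetool.xml($entry.icon)}" aria-hidden="true"></i>
            </div>
            <h3>$escapetool.xml($entry.title)</h3>
          </div>

          <p>$escapetool.xml($entry.content)</p>
        </article>
      #end
    </div>

    <p class="product-gallery-caption">
      Recovery codes, trusted devices and user profile management.
    </p>
  </div>
</section>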
299
300 {{/html}}
301
## Screenshot gallery for recovery codes, trusted devices and profile / user management.
## NOTE(review): confirm the recovery codes visible in the first screenshot were regenerated
## or belong to a deleted demo account. Also confirm the user-management screenshot shows
## no real account names.
302 {{gallery}}
303 [[image:mfa-recovery-codes.png]]
304 [[image:mfa-trusted-devices.png]]
305 [[image:mfa-user-profile-overview.png]]
306 [[image:mfa-admin-user-management.png]]
307 {{/gallery}}
308
309 {{html clean="false"}}
310
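## "Rollout recommendations": intro paragraph, an ordered list built from the rolloutItems
## list, and a static pre-installation checklist in the side panel.
## Step title and text are XML-escaped on output. The rendered result is unchanged for the
## current literals, and the markup stays well-formed if a step later contains & or <.
<section class="product-section-muted" aria-labelledby="rollout-title">
  <div class="container">
    <div class="product-layout">

      <article class="product-summary-card">
        <h2 id="rollout-title">Rollout recommendations</h2>

        <p>
          For a smooth rollout, start with a small administrator or pilot group before requiring MFA for everyone.
          This helps validate the configuration, prepare user communication and reduce support issues.
        </p>

        <ol class="process-list">
          #foreach ($entry in $rolloutItems)
            <li>
              <strong>$escapetool.xml($entry.title)</strong>
              $escapetool.xml($entry.content)
            </li>
          #end
        </ol>
      </article>

      <aside class="product-info-card" aria-labelledby="planning-title">
        <h3 id="planning-title">Useful information before installation</h3>
        <ul>
          <li>XWiki version</li>
          <li>Single wiki or wiki farm with subwikis</li>
          <li>Current authentication setup</li>
          <li>Optional or globally required MFA policy</li>
          <li>Trusted-device policy</li>
          <li>Recovery-code policy</li>
          <li>Rollout communication needs</li>
        </ul>
      </aside>

    </div>
  </div>
</section>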
347
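## Closing call to action with a single link to the contact page.
## The link target is XML-escaped before it is written into the href attribute, because the
## enclosing html macro is opened with clean="false" and emits this markup as-is.
## NOTE(review): the prompt asks visitors to describe their authentication setup. Consider
## adding that passwords, setup keys and recovery codes should not be included in the message.
<section class="cta-section" aria-labelledby="cta-title">
  <div class="container">
    <div class="cta-panel">
      <h2 id="cta-title">Interested in using this extension?</h2>

      <p>
        Send a short message with your XWiki version, authentication setup and whether you need
        authenticator app codes, email verification codes, combined verification, recovery codes
        or trusted-device remembering.
      </p>

      <a class="btn btn-primary" href="$escapetool.xml($xwiki.getURL('contact.WebHome'))">Contact Agnease</a>
    </div>
  </div>
</section>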
363
364 </div>
365
366 {{/html}}
367 {{/velocity}}