Skip to Content
Version 8.1 by Agnease on 2026/06/23 12:05
Show last authors
1 {{velocity}}
2 #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 #set ($discard = $xwiki.ssx.use('products.WebHome'))
4
5 #set ($mainCapabilityItems = [{
6 'title': 'Second verification step',
7 'icon': 'key',
8 'content': 'After the normal username and password check, users complete an additional verification step before accessing XWiki.'
9 },{
10 'title': 'Authenticator app codes',
11 'icon': 'mobile',
12 'content': 'Users can verify access with time-based TOTP codes generated by authenticator applications on mobile or desktop devices.'
13 },{
14 'title': 'Email verification codes',
15 'icon': 'envelope-o',
16 'content': 'Users can receive one-time verification codes by email when an authenticator app is not available or preferred.'
17 }])
18
19 #set ($useCaseItems = [
20 'Protecting administrator accounts',
21 'Improving access security for internal knowledge bases',
22 'Securing private documentation platforms and intranets',
23 'Supporting remote-user access policies',
24 'Strengthening customer or partner portals',
25 'Preparing for security reviews or broader compliance initiatives'
26 ])
27
28 #set ($adminCapabilityItems = [
29 'Require MFA for all users',
30 'Define the issuer name displayed in authenticator applications',
31 'Configure trusted-device duration',
32 'Configure how many recovery codes are generated',
33 'Reset a user’s MFA setup when needed',
34 'Review MFA adoption from the administration overview'
35 ])
36
37 #set ($overviewItems = [
38 'Number of users scanned',
39 'Users with MFA configured',
40 'Users without MFA configured',
41 'Users with trusted devices',
42 'Recovery-code status',
43 'Unused and total recovery-code count',
44 'Trusted-device count'
45 ])
46
47 #set ($profileItems = [
48 'Configure MFA',
49 'Review MFA status',
50 'Generate or regenerate recovery codes',
51 'Review trusted devices',
52 'Remove individual trusted devices',
53 'Remove all trusted devices',
54 'Reset MFA setup'
55 ])
56
57 #set ($rolloutItems = [{
58 'title': 'Install and configure the extension',
59 'content': 'Start by validating compatibility with the current XWiki version and authentication setup.'
60 },{
61 'title': 'Define the MFA policy',
62 'content': 'Decide whether MFA should be optional, required for administrators, or required for all users.'
63 },{
64 'title': 'Configure recovery and trusted devices',
65 'content': 'Choose whether users can rely on recovery codes and whether trusted browsers or devices are allowed.'
66 },{
67 'title': 'Test with a pilot group',
68 'content': 'Validate the setup and login flow with administrators or a small group before wider rollout.'
69 },{
70 'title': 'Communicate the user process',
71 'content': 'Explain how users should configure MFA, store recovery codes and manage trusted devices.'
72 },{
73 'title': 'Monitor adoption',
74 'content': 'Use the administration overview to identify users who still need to configure MFA.'
75 }])
76
77 {{html clean="false"}}
78
79 <section class="hero hero-centered" aria-labelledby="product-title">
80 <div class="container hero-inner">
81 <div class="hero-kicker">
82 <i class="fa fa-lock" aria-hidden="true"></i>
83 XWiki 2FA and MFA
84 </div>
85
86 <h1 id="product-title">XWiki Two-Factor Authentication</h1>
87
88 <p class="lead">
89 Protect XWiki logins with a second verification step using authenticator app codes,
90 email verification codes, or both.
91 </p>
92
93 <div class="hero-actions">
94 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Ask about this extension</a>
95 <a class="btn btn-secondary" href="$xwiki.getURL('products.WebHome')">View all products</a>
96 </div>
97 </div>
98 </section>
99
100 <section aria-labelledby="overview-title">
101 <div class="container">
102 <div class="product-layout">
103 <article class="product-summary-card">
104 <h2 id="overview-title">Two-factor authentication built into XWiki</h2>
105
106 <p>
107 XWiki Two-Factor Authentication adds MFA/2FA support to the standard XWiki login flow.
108 Users continue to sign in with their normal username and password, then confirm access with
109 an additional verification method.
110 </p>
111
112 <p>
113 The extension supports authenticator app codes, email-delivered verification codes, or a combined
114 setup where both methods are required. It improves account protection without replacing the familiar
115 XWiki authentication experience.
116 </p>
117
118 <p>
119 It is designed for organizations that use XWiki for internal knowledge bases, intranets,
120 documentation platforms, customer portals, workflows or other business-critical applications.
121 </p>
122 </article>
123
124 <aside class="product-info-card" aria-labelledby="quick-facts-title">
125 <h3 id="quick-facts-title">Quick facts</h3>
126 <ul>
127 <li>Works with the standard XWiki login flow</li>
128 <li>Supports authenticator app codes using TOTP</li>
129 <li>Supports email-delivered one-time verification codes</li>
130 <li>Can require app code and email code together</li>
131 <li>Includes recovery codes for backup access</li>
132 <li>Can remember trusted browsers or devices</li>
133 <li>Includes administration and user setup controls</li>
134 </ul>
135 </aside>
136 </div>
137 </div>
138 </section>
139
140 <section aria-labelledby="features-title">
141 <div class="container">
142 <h2 id="features-title">Main capabilities</h2>
143
144 <p class="section-intro">
145 A focused set of MFA/2FA features for stronger XWiki account protection without changing
146 the standard login experience.
147 </p>
148
149 <div class="product-feature-grid">
150 #foreach ($entry in $mainCapabilityItems)
151 <article class="product-feature">
152 <div class="card-heading">
153 <div class="feature-icon">
154 <i class="fa fa-$entry.icon" aria-hidden="true"></i>
155 </div>
156 <h3>$entry.title</h3>
157 </div>
158
159 <p>$entry.content</p>
160 </article>
161 #end
162 </div>
163 </div>
164 </section>
165
166 <section class="product-section-muted" aria-labelledby="security-title">
167 <div class="container">
168 <div class="product-layout">
169 <article class="product-summary-card">
170 <h2 id="security-title">Useful for XWiki security and NIS 2 readiness</h2>
171
172 <p>
173 Many organizations need multi-factor authentication for enterprise software, including internal
174 knowledge bases, intranets, documentation platforms and systems containing operational procedures
175 or sensitive business information.
176 </p>
177
178 <p>
179 For organizations using XWiki, adding two-factor authentication directly to the standard login flow
180 can help close a practical access-control gap. It can be useful for administrator accounts,
181 remote users, private knowledge bases and broader security readiness initiatives such as NIS 2 preparation.
182 </p>
183
184 <p>
185 This extension is not a complete compliance solution on its own, but it provides an important
186 technical control for protecting access to XWiki.
187 </p>
188 </article>
189
190 <aside class="product-info-card" aria-labelledby="use-cases-title">
191 <h3 id="use-cases-title">Typical use cases</h3>
192 <ul>
193 #foreach ($item in $useCaseItems)
194 <li>$item</li>
195 #end
196 </ul>
197 </aside>
198 </div>
199 </div>
200 </section>
201
202 <section aria-labelledby="admin-title">
203 <div class="container">
204 <div class="product-layout">
205 <article class="product-summary-card">
206 <h2 id="admin-title">Administrator configuration</h2>
207
208 <p>
209 Administrators configure MFA from the XWiki Administration section. The configuration is intentionally
210 simple, so the rollout can be adapted to the organization’s security policy and user base.
211 </p>
212
213 <p>
214 MFA can be optional or required for all users. When MFA is required, users who have not configured it yet
215 are guided through the setup flow from their profile or during login.
216 </p>
217
218 <p>
219 If trusted devices should not be allowed, the trusted-device duration can be set to 0.
220 If recovery codes should not be available, the recovery-code number can be set to 0.
221 </p>
222 </article>
223
224 <aside class="product-info-card" aria-labelledby="admin-capabilities-title">
225 <h3 id="admin-capabilities-title">Administrators can</h3>
226 <ul>
227 #foreach ($item in $adminCapabilityItems)
228 <li>$item</li>
229 #end
230 </ul>
231 </aside>
232 </div>
233 </div>
234 </section>
235
236 {{/html}}
237
238 {{gallery}}
239 [[image:mfa-admin-configuration.png]]
240 {{/gallery}}
241
242 {{html clean="false"}}
243
244 <section aria-labelledby="admin-overview-title">
245 <div class="container">
246 <div class="product-layout">
247 <article class="product-summary-card">
248 <h2 id="admin-overview-title">MFA overview for administrators</h2>
249
250 <p>
251 The Administration section includes an MFA overview page that helps administrators understand adoption
252 and usage across the wiki.
253 </p>
254
255 <p>
256 The overview displays summary indicators and a Live Data table with MFA-related information.
257 The table is filterable and sortable, making it suitable for installations with many users.
258 </p>
259 </article>
260
261 <aside class="product-info-card" aria-labelledby="overview-data-title">
262 <h3 id="overview-data-title">The overview can show</h3>
263 <ul>
264 #foreach ($item in $overviewItems)
265 <li>$item</li>
266 #end
267 </ul>
268 </aside>
269 </div>
270 </div>
271 </section>
272
273 {{/html}}
274
275 {{gallery}}
276 [[image:mfa-admin-overview.png]]
277 {{/gallery}}
278
279 {{html clean="false"}}
280
281 <section class="product-section-muted" aria-labelledby="user-setup-title">
282 <div class="container">
283 <div class="product-layout">
284 <article class="product-summary-card">
285 <h2 id="user-setup-title">User setup experience</h2>
286
287 <p>
288 Users can configure MFA from their profile page. During setup, the user scans a QR code with
289 an authenticator application.
290 </p>
291
292 <p>
293 If scanning is not possible, the setup page also provides the account name and secret key that can be
294 entered manually. After the generated verification code is entered successfully, MFA is activated for
295 the user account.
296 </p>
297 </article>
298
299 <aside class="product-info-card" aria-labelledby="login-flow-title">
300 <h3 id="login-flow-title">Login flow</h3>
301 <ul>
302 <li>User signs in with the normal XWiki credentials</li>
303 <li>XWiki asks for the configured verification code</li>
304 <li>The user enters the app code, email code, or both</li>
305 <li>A recovery code can be used when enabled and available</li>
306 <li>A trusted browser or device can be remembered when allowed</li>
307 </ul>
308 </aside>
309 </div>
310 </div>
311 </section>
312
313 {{/html}}
314
315 {{gallery}}
316 [[image:mfa-user-setup-qr.png]]
317 [[image:mfa-login-verification.png]]
318 {{/gallery}}
319
320 {{html clean="false"}}
321
322 <section aria-labelledby="recovery-title">
323 <div class="container">
324 <div class="product-layout">
325 <article class="product-summary-card">
326 <h2 id="recovery-title">Recovery codes</h2>
327
328 <p>
329 Recovery codes provide a backup access method when a user loses access to the authenticator application
330 or cannot complete the normal verification flow.
331 </p>
332
333 <p>
334 Recovery codes are generated for the user and displayed only once. Each code can be used one time.
335 When new recovery codes are generated, previous recovery codes are invalidated.
336 </p>
337
338 <p>
339 Users should save their recovery codes in a secure location immediately after generation.
340 Administrators can configure how many recovery codes are generated, and setting the number to 0 disables them.
341 </p>
342 </article>
343
344 <aside class="product-info-card" aria-labelledby="trusted-devices-title">
345 <h3 id="trusted-devices-title">Trusted devices</h3>
346 <ul>
347 <li>Reduce repeated MFA prompts on known browsers or devices</li>
348 <li>Remain valid for the configured number of days</li>
349 <li>Can be reviewed and removed from the user profile</li>
350 <li>The current trusted browser is marked in the list</li>
351 <li>Removed when a user’s MFA setup is reset</li>
352 </ul>
353 </aside>
354 </div>
355 </div>
356 </section>
357
358 {{/html}}
359
360 {{gallery}}
361 [[image:mfa-recovery-codes.png]]
362 [[image:mfa-trusted-devices.png]]
363 {{/gallery}}
364
365 {{html clean="false"}}
366
367 <section class="product-section-muted" aria-labelledby="profile-title">
368 <div class="container">
369 <div class="product-layout">
370 <article class="product-summary-card">
371 <h2 id="profile-title">User and administrator management</h2>
372
373 <p>
374 The user profile contains a dedicated MFA section. Users can configure MFA, review their status,
375 manage recovery codes and manage trusted devices from this area.
376 </p>
377
378 <p>
379 Administrators can also open a user profile and access the MFA section for that user.
380 This is useful when a user loses access to their authenticator application or needs to restart the setup process.
381 </p>
382
383 <p>
384 Resetting MFA removes the authenticator app setup, invalidates recovery codes and removes trusted devices.
385 If MFA is required globally, the user will be asked to configure MFA again at the next login.
386 </p>
387 </article>
388
389 <aside class="product-info-card" aria-labelledby="profile-actions-title">
390 <h3 id="profile-actions-title">Profile actions</h3>
391 <ul>
392 #foreach ($item in $profileItems)
393 <li>$item</li>
394 #end
395 </ul>
396 </aside>
397 </div>
398 </div>
399 </section>
400
401 {{/html}}
402
403 {{gallery}}
404 [[image:mfa-user-profile-overview.png]]
405 [[image:mfa-admin-user-management.png]]
406 {{/gallery}}
407
408 {{html clean="false"}}
409
410 <section aria-labelledby="rollout-title">
411 <div class="container">
412 <h2 id="rollout-title">Rollout recommendations</h2>
413
414 <p class="section-intro">
415 For a smooth rollout, start with a small administrator or pilot group before requiring MFA for everyone.
416 A gradual rollout helps validate the configuration, prepare communication and reduce support issues.
417 </p>
418
419 <ol class="process-list">
420 #foreach ($entry in $rolloutItems)
421 <li>
422 <strong>$entry.title</strong>
423 $entry.content
424 </li>
425 #end
426 </ol>
427 </div>
428 </section>
429
430 <section class="product-section-muted" aria-labelledby="planning-title">
431 <div class="container">
432 <div class="product-layout">
433 <article class="product-summary-card">
434 <h2 id="planning-title">Planning installation</h2>
435
436 <p>
437 Before installing or rolling out MFA, it is useful to review the current XWiki version,
438 authentication setup, user base and security expectations.
439 </p>
440
441 <p>
442 This helps define whether MFA should be optional, required for selected users, or enforced globally.
443 It also helps decide whether trusted devices and recovery codes should be enabled.
444 </p>
445 </article>
446
447 <aside class="product-info-card" aria-labelledby="planning-info-title">
448 <h3 id="planning-info-title">Useful information before installation</h3>
449 <ul>
450 <li>XWiki version</li>
451 <li>Single wiki or wiki farm with subwikis</li>
452 <li>Current authentication setup</li>
453 <li>Optional or globally required MFA policy</li>
454 <li>Trusted-device policy</li>
455 <li>Recovery-code policy</li>
456 <li>Rollout communication needs</li>
457 </ul>
458 </aside>
459 </div>
460 </div>
461 </section>
462
463 <section class="cta-section" aria-labelledby="cta-title">
464 <div class="container">
465 <div class="cta-panel">
466 <h2 id="cta-title">Interested in using this extension?</h2>
467
468 <p>
469 Send a short message with your XWiki version, authentication setup and whether you need
470 authenticator app codes, email verification codes, combined verification, recovery codes
471 or trusted-device remembering.
472 </p>
473
474 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Contact Agnease</a>
475 </div>
476 </div>
477 </section>
478
479 {{/html}}
480 {{/velocity}}