Jimmy Wales’ Wikipedia account got hacked the other day, and it turns out a pile of others did too. So two-factor authentication is being made available for everyone with powers from administrator up on any Wikimedia wiki. Go to Special:Preferences and set it up.
(If your account got hacked and has been locked, go to Steward requests. There’s a bit of a queue, please be patient … else it’s time to fire up the powerless sock account.)
It’s still a bit fiddly, so it is being rolled out slowly. (The aim is to have it available to all users in due course.) Authentication methods include mobile phone, Google Authenticator and emergency backup numbers you can print out and keep on hand (“scratch codes”). BWolff (WMF) notes:
If you lose your scratch codes and your 2fa device, and you can prove who you are beyond doubt (what “beyond doubt” means I’m not sure, but I guess committed identity is a good choice), then a developer will remove the 2fa from your account. However, please don’t lose your scratch codes.
I use two-factor at work (Gmail, GitHub, AWS) and it’s just fine. This is basically a really good idea.
Note that AutoWikiBrowser will be a bit fiddly: you will need to set up a BotPassword. (AWB plans to support OAuth soonish.)
At least avoiding another Tubgirl is Love incident won’t require distributing RSA keyfobs to the user base. (Though WMF wants to support fobs too.)
Update: Tim Starling on what actually happened. tl;dr change your password and SWITCH ON 2FA, IT’S IMPORTANT.