Jimmy Wales’ Wikipedia account got hacked the other day, and it turns out a pile of others did too. So two-factor authentication is being made available for everyone with powers from administrator up on any Wikimedia wiki. Go to Special:Preferences and set it up.
(If your account got hacked and has been locked, go to Steward requests. There’s a bit of a queue, please be patient … else it’s time to fire up the powerless sock account.)
It’s still a bit fiddly, so it is being rolled out slowly. (The aim is to have it available to all users in due course.) Authentication methods include mobile phone, Google Authenticator and emergency backup numbers you can print out and keep on hand (“scratch codes”). BWolff (WMF) notes:
If you lose your scratch codes and your 2fa device, and you can prove who you are beyond doubt (what “beyond doubt” means I’m not sure, but I guess committed identity is a good choice), then a developer will remove the 2fa from your account. However, please don’t lose your scratch codes.
I use two-factor at work (Gmail, GitHub, AWS) and it’s just fine. This is basically a really good idea.
Update: Tim Starling on what actually happened. tl;dr change your password and SWITCH ON 2FA, IT’S IMPORTANT.