[iOS] Add support for selectable TOTP module when logging in with MFA.
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

As part of WE4.6.2, functionality is being added to allow users to enable multiple authentication factors, which includes WebAuthn and TOTP. When we log in through the API, and the user has multiple authenticators enabled, the login response will become slightly different, and will allow us to "select" the factor to be used. (Since we don't yet support WebAuthn, we will need to explicitly select TOTP.)

The logic for working with the new selection logic is laid out in this task.

(At the moment, there is some fallback compatibility logic that makes the API work as before with existing clients, but this will be removed once these tasks are complete and rolled out.)

Test Steps

Regression test our login flow, confirm it still works for both non-2-factor users and 2-factor users.

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	[WIP] Remove backward compatibility for Apps' login flow.	mediawiki/extensions/OATHAuth	master	+2 -10

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T399644 FY2025-26 WE4.6.2 Multiple Authenticators
Resolved	Catrope	T399654 Ensure Mobile Apps are supported with 2FA changes
Resolved	Tsevener	T403820 [iOS] Add support for selectable TOTP module when logging in with MFA.

Event Timeline

Dbrant created this task.Sep 5 2025, 1:12 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 5 2025, 1:12 PM

Dbrant added a project: FY2025-26 WE4.6.2 Multiple Authenticators.Sep 5 2025, 4:00 PM

Dbrant moved this task from Backlog to Consider for future work on the FY2025-26 WE4.6.2 Multiple Authenticators board.

Reedy added a parent task: T399654: Ensure Mobile Apps are supported with 2FA changes.Sep 5 2025, 4:24 PM

Seddon assigned this task to Tsevener.Sep 16 2025, 5:32 PM

Seddon triaged this task as Medium priority.

Seddon moved this task from Needs Triage to Wikipedia iOS Release FY2025-26 on the Wikipedia-iOS-App-Backlog board.

Seddon edited projects, added Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26); removed Wikipedia-iOS-App-Backlog.

Seddon moved this task from Tasks from Product Backlog to Current Sprint Work (P0) on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.

Seddon added a project: iOS Sprint 2025: Sprinty McSeddonface in São Paulo.

Tsevener set the point value for this task to 3.Sep 18 2025, 3:23 PM

Tsevener moved this task from Current Sprint Work (P0) to Doing on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.Sep 24 2025, 7:04 PM

Tsevener moved this task from Doing to Blocked or Waiting on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.Sep 25 2025, 7:37 PM

Tsevener moved this task from Blocked or Waiting to Doing on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.Sep 25 2025, 9:23 PM

Progress is in T403820_mfa-support branch.

I think I have it working with the task instructions:

In the action=clientlogin call, I detect TwoFactorModuleSelectAuthenticationRequest with totp in the allowedModules response.
If this exists, I repeat the action=clientlogin call, with a newModule=totp in the request body.

There's a couple of issues I have when testing on the beta cluster with an account set up with both TOTP and WebAuthn.

The first call returns TOTPAuthenticationRequest, which means the hack is still there on the beta cluster. So I don't feel like this is a true test.
The second call has a warning in the response body: Unrecognized parameter: newModule.

So something is off about the beta cluster or the way I am making the calls. I tried setting up a local MW instance but I wasn't able to get a WebAuthn key added.

Tsevener moved this task from Doing to Blocked or Waiting on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.Sep 26 2025, 4:45 PM

Change #1191740 had a related patch set uploaded (by Dbrant; author: Dbrant):

[mediawiki/extensions/OATHAuth@master] [WIP] Remove backward compatibility for Apps' login flow.

https://gerrit.wikimedia.org/r/1191740

gerritbot added a project: Patch-For-Review.Sep 26 2025, 5:58 PM

Test wiki created on Patch demo by Dmitry Brant using patch(es) linked to this task:
https://d22139cba6.catalyst.wmcloud.org/w/

tonisevener opened https://github.com/wikimedia/wikipedia-ios/pull/5452

Tsevener moved this task from Blocked or Waiting to Needs Code Review on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.Sep 26 2025, 9:12 PM

Tsevener updated the task description. (Show Details)Sep 29 2025, 6:46 PM

tonisevener closed https://github.com/wikimedia/wikipedia-ios/pull/5452

Tsevener moved this task from Needs Code Review to Waiting for Build on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.Sep 29 2025, 6:58 PM

Tsevener moved this task from Waiting for Build to Needs QA signoff on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.Sep 30 2025, 3:50 PM

Catrope moved this task from Consider for future work to In Progress on the FY2025-26 WE4.6.2 Multiple Authenticators board.Oct 2 2025, 4:16 AM

Just FYI, the work from FY2025-26 WE4.6.2 Multiple Authenticators should now be available on the beta cluster to test as well.

Appears to be fixed on 7.8.4 (5853)

Tested on iPhone 16 on iOS 26 and iPad 12.9 on iPadOS 26. Tested with my WMF account with 2FA and Captcha.

HNordeenWMF moved this task from Ready for PM Signoff to Ready for Release on the Wikipedia-iOS-App-Backlog (Wikipedia iOS Release FY2025-26) board.Oct 21 2025, 9:38 PM

Mazevedo mentioned this in T407285: Release 7.8.4.Oct 24 2025, 4:00 PM

HNordeenWMF closed this task as Resolved.Oct 27 2025, 5:55 PM

[iOS] Add support for selectable TOTP module when logging in with MFA.Closed, ResolvedPublic3 Estimated Story PointsActions