
Standardize 2FA terminology usage across docs and UI
Closed, Resolved · Public

Description

Over time, the terms we use for authenticator types/methods and our related systems have evolved. To improve the clarity and consistency of documentation, we should define which terms to use for a given concept, and update docs to use those preferred terms consistently.

So far, I've identified the following terms in need of standardization: https://meta.wikimedia.org/wiki/User:TBurmeister_(WMF)/Sandbox/Account_security_glossary

Event Timeline

TBurmeister renamed this task from Standardize 2FA terminology usage across docs to Standardize 2FA terminology usage across docs and UI.
TBurmeister changed the task status from Open to In Progress.
TBurmeister triaged this task as Low priority.

We send out one-time verification codes by email via the EmailAuth extension when the user does not have 2FA set up (and some other conditions about the login attempt are fulfilled), so calling the TOTP codes verification codes might be confusing. Maybe "authenticator app verification codes" vs. "email verification codes"? A bit long though.

Security keys are a subclass of passkeys. (If you want to be very technical about it, passkeys are credentials used for WebAuthn login, which might come from security keys or other sources, and most security keys can be used in other ways than WebAuthn. But probably better to be simple than super accurate.)

Passkeys can be used as a single factor for login; Wikimedia sites currently don't support this, but AIUI it's in the plans. So we might want to consider avoiding the term "2FA" as much as we can.

U2F is probably unhelpful outside of technical documentation, and not that relevant in technical documentation - it's an outdated standard that, for most purposes, has been replaced by WebAuthn and CTAP (and CTAP is about the communication between the browser and the authenticator device which we don't interfere with, so mostly we just need to talk about WebAuthn). Security keys are sometimes called U2F compatible or such, but I think these days this is uncommon and technical docs just refer to WebAuthn (or maybe FIDO2 which is the official name of WebAuthn + CTAP taken together, but also not used much).

Thank you @Tgr! For posterity and easier tracking, I'm also adding here feedback from others that I received via WMF Slack:

From @EMill-WMF:

  • Re: "Don't use for "authentication device" or "2FA device"; this refers to the device on which your authenticator app is installed.": This is not right. "2FA device" could reasonably be used to describe a security key, or (soon) a device-bound passkey. "Authentication device" is an unusual phrase but could be used similarly.
  • "authenticator app" is what I would go with for what can be registered to support TOTP (+1 from @KieranMcCann-WMF)

From @Reedy:

Change #1206427 had a related patch set uploaded (by Triciaburmeister; author: Triciaburmeister):

[mediawiki/extensions/OATHAuth@master] UI: Standardize terminology and improve copy

https://gerrit.wikimedia.org/r/1206427

Change #1206427 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] UI: Standardize terminology and improve copy

https://gerrit.wikimedia.org/r/1206427

Change #1207924 had a related patch set uploaded (by Reedy; author: Triciaburmeister):

[mediawiki/extensions/OATHAuth@REL1_45] UI: Standardize terminology and improve copy

https://gerrit.wikimedia.org/r/1207924

Change #1207924 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_45] UI: Standardize terminology and improve copy

https://gerrit.wikimedia.org/r/1207924

I have updated or checked the 2FA terminology on various pages (listed below) and will use the preferred terms in my ongoing rewrite of Help:Two-factor_authentication.

List of pages checked and (wherever possible) updated for terminology consistency:

I did not update the following pages because that will require some engagement with the en wiki community, which will be coordinated after Help:Two-factor_authentication is fully updated and this quarter's development work is complete:

Change #1214157 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/WikimediaMessages@master] wikimediaoverrides: Update OATHAuth copy

https://gerrit.wikimedia.org/r/1214157

Change #1214157 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] wikimediaoverrides: Update OATHAuth copy

https://gerrit.wikimedia.org/r/1214157

Change #1214544 had a related patch set uploaded (by Triciaburmeister; author: Triciaburmeister):

[mediawiki/extensions/WikimediaMessages@master] wikimediaoverrides: Update WebAuthn and OATHAuth copy

https://gerrit.wikimedia.org/r/1214544

Change #1214544 abandoned by Triciaburmeister:

[mediawiki/extensions/WikimediaMessages@master] wikimediaoverrides: Update WebAuthn and OATHAuth copy

Reason:

Making these changes in the WebAuthn extension instead

https://gerrit.wikimedia.org/r/1214544

Change #1214643 had a related patch set uploaded (by Triciaburmeister; author: Triciaburmeister):

[mediawiki/extensions/WebAuthn@master] UI: Update copy to use preferred terms

https://gerrit.wikimedia.org/r/1214643

Change #1214643 merged by jenkins-bot:

[mediawiki/extensions/WebAuthn@master] UI: Update copy to use preferred terms

https://gerrit.wikimedia.org/r/1214643