2FA in Lemmy doesn’t work reliably yet. Please don’t enable it or you will almost certainly get locked out.

Note: it makes me sad to post this.

  • Sysosmaster · 15 upvotes · 1 year ago

    Ouch, you know it’s bad when an infosec admin asks you to switch off 2FA…

  • garrett · 6 upvotes · 1 year ago

    This kinda sucks. I had enabled it a while ago and it seems to have been working, but the implementation was really odd, not requiring verification of a code before it was enabled.

  • Andrew J. Caines · 4 upvotes · edited · 1 year ago

    The 2FA process itself - both initial setup and use with an OTP provider - has worked consistently for me so far. The instruction in the interface is misleading and I’m not the only one who locked himself out as a result. The Mastodon devs merged my pull request to clarify the instruction (including my mistake of saying “oauth” instead of “otpauth”) astonishingly quickly.

    If I may be constructively critical, we should expect to provide at least some minimal evidence to justify claims such as one that something doesn’t work, even if only as a link to discussion or evidence. This expectation increases when it’s accompanied by advice or instruction, especially when such advice is counter to advice which is generally accepted as “good”.

    As @qwet@lemm.ee mentions, a more serious problem of password reset via email disabling 2FA offers a workaround for now in at least some cases.

  • alex_02 · 3 upvotes · 1 year ago

    Once it does work, will it allow apps like Authy or will I have to wait till I get a phone number?

    • Vertana · 1 upvote · 1 year ago

      Even the current implementation allows Authy. It isn’t great, but if you copy/paste the link that the “2FA Activation Link” gives you, it’s an OTP link, and you should be able to paste it right into the TOTP secret field. Bitwarden has the capability; I’d be surprised if Authy couldn’t parse that link.

        • alex_02 · 2 upvotes · 1 year ago

          That isn’t why for me. I’m broke and unless you actively work to remove your number from databases and whatever… that kind of privacy is an illusion.

      • alex_02 · 1 upvote · 1 year ago

        Looked at that a bit ago. Requires a phone number to verify.
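Two points in the replies above are worth seeing in code: the “2FA Activation Link” is an otpauth://totp/ URI that any authenticator (Bitwarden, Authy) can parse, and enabling 2FA without first verifying one code from the user’s authenticator is what turns a mis-copied secret into a lockout. The example below is an added illustration, not Lemmy’s code: it parses such a URI, generates RFC 6238 TOTP codes, accepts a code within a one-step window for clock skew, and only marks 2FA as enabled once a valid code has been presented. The URI, the account name and the secret are constructed; the secret is the RFC 6238 reference key (base32 of `12345678901234567890`) so the codes can be checked against the RFC’s published test vectors.

```python
"""Parse an otpauth:// activation link and run a verify-before-enable flow.

Added example, not Lemmy's code. ACTIVATION_LINK is constructed; its secret is
the RFC 6238 reference key so the generated codes match the RFC test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a "2FA Activation Link" looks like.
ACTIVATION_LINK = (
    "otpauth://totp/Lemmy:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=Lemmy&digits=6&period=30&algorithm=SHA1"
)


def parse_otpauth(uri):
    """Return the fields an authenticator needs from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    # Issuers usually emit unpadded base32; re-pad before decoding.
    secret = q["secret"].strip().upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def totp(key, at, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = int(at) // period
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_code(params, code, at, window=1):
    """Accept the code for the current step or +/- `window` steps (clock skew)."""
    code = str(code).strip().replace(" ", "")
    if not code.isdigit():
        return False
    for step in range(-window, window + 1):
        expected = totp(params["key"], at + step * params["period"],
                        params["digits"], params["period"], params["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


class Account:
    """Minimal account model: 2FA only becomes active once a code has been proven."""

    def __init__(self):
        self.pending_totp = None   # secret shown to the user, not yet confirmed
        self.totp = None           # secret the login flow actually enforces

    def start_enroll(self, uri):
        self.pending_totp = parse_otpauth(uri)

    def confirm_enroll(self, code, at=None):
        """Enable 2FA only if the user proves their authenticator has the secret."""
        at = time.time() if at is None else at
        if self.pending_totp is None or not verify_code(self.pending_totp, code, at):
            return False
        self.totp, self.pending_totp = self.pending_totp, None
        return True

    def two_factor_enabled(self):
        return self.totp is not None


if __name__ == "__main__":
    params = parse_otpauth(ACTIVATION_LINK)
    print(params["label"], params["issuer"], totp(params["key"], time.time()))
```

The enable flow is the point: `start_enroll` hands the secret to the user, but `confirm_enroll` refuses to flip `totp` on until a code generated from that secret is presented, so a secret that Bitwarden or Authy failed to import correctly is caught before it can lock anyone out. The window of one step in each direction is what most server implementations use to tolerate a phone clock that is a few seconds off.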

  • zanyllama52 · 2 upvotes · 1 year ago

    I wonder if a different implementation of 2FA will come about from this…

    • TeamAssimilation · 3 upvotes · 1 year ago

      They should look towards Mastodon, their TOTP implementation is flawless.

  • Zikeji@programming.dev · 2 upvotes · 1 year ago

    I haven’t had any 2FA issues since signing up, aside from one of the third-party apps not supporting it. I’m using Bitwarden to generate the 2FA tokens.

  • himazawa · 1 upvote · edited · 1 year ago

    Ahaha, I had this exact same experience. Locked out because Bitwarden didn’t get the code correctly. “Luckily” the JWT token never expires, so I was able to log back in without the 2FA.
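The “luckily” above is the flip side of a real weakness: a session token with no expiry means a stolen token is good forever and, as here, that 2FA never gets a chance to bite on an already-issued session. The following is an added example, not Lemmy’s code, of the check a verifier should do: accept an HS256 JWT only if the signature is valid, an `exp` claim is present and in the future, and the requested lifetime is under a cap. The signing key, the claims and the timestamps are constructed.

```python
"""Verify an HS256 session JWT and reject tokens that never expire.

Added example, not Lemmy's code. DEMO_KEY and all claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-signing-key"   # constructed; never hard-code a real one
MAX_LIFETIME = 30 * 86400                      # longest session the verifier will honour


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(key, claims):
    """HS256 JWT. Lifetime is whatever the caller puts in `exp` (possibly nothing)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(key, token, now=None, max_age=MAX_LIFETIME):
    """Return the claims if the token is trustworthy and still valid, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        if header.get("alg") != "HS256":          # the token never gets to pick the algorithm
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):         # no exp means "eternal": reject, don't accept
        return None
    if exp <= now:                                # expired
        return None
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and exp - iat > max_age:
        return None                               # issuer asked for a lifetime above the cap
    return claims


if __name__ == "__main__":
    t0 = int(time.time())
    print(verify_jwt(DEMO_KEY, issue_jwt(DEMO_KEY, {"sub": "alice", "iat": t0, "exp": t0 + 3600})))
    print(verify_jwt(DEMO_KEY, issue_jwt(DEMO_KEY, {"sub": "alice", "iat": t0})))
```

Treating a missing `exp` as a rejection rather than as “valid forever” is the decision that matters; with that in place, re-enabling or repairing 2FA actually invalidates old sessions once they age out instead of leaving a permanent side door.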

  • Offlein@lemmy.world · 5 upvotes, 21 downvotes · edited · 1 year ago

    “…Also, we’re having some issues with your passwords so please everyone just post those here along with social security numbers if you’re American, thanks!”

    • bh11235 · 5 upvotes · 1 year ago

      I have never in my life seen a more concise demonstration of the adage, “without a threat model there can be no security, only paranoia”