this post was submitted on 07 Jul 2023
19 points (95.2% liked)

Lemmy.world Support

3220 readers
54 users here now

Lemmy.world Support

Welcome to the official Lemmy.world Support community! Post your issues or questions about Lemmy.world here.

This community is for issues related to the Lemmy World instance only. For Lemmy software requests or bug reports, please go to the Lemmy github page.

This community is subject to the rules defined here for lemmy.world.

To open a support ticket Static Badge

You can also DM https://lemmy.world/u/lwreport or email report@lemmy.world (PGP Supported) if you need to reach our directly to the admin team.

Follow us for server news ๐Ÿ˜

Outages ๐Ÿ”ฅ

https://status.lemmy.world/

founded 1 year ago
MODERATORS
ruud@lemmy.world
MrKaplan@lemmy.world
jelloeater85@lemmy.world
lwadmin@lemmy.world
Serinus@lemmy.world
19
2FA should be disabled until it is implemented properly (lemmy.world)
submitted 1 year ago* (last edited 1 year ago) by darrsil@lemmy.world to c/support@lemmy.world
17 comments fedilink hide all child comments
 

Right now, 2FA is half-baked. You can enable it and it gives you a link to sync it to an authenticator app, which only works on mobile. But there's no confirmation required to enable it, so you may think it's working with your code but it doesn't take. This will lock people out of accounts.

It really should be disabled until it's fully fleshed out. In the meantime, give us the option to send 2FA codes to the verified email on file.

UPDATE: Read this post here: https://lemmy.sdf.org/post/405431

It's clear that the Lemmy implementation of 2FA is flawed as it a) doesn't work with all authenticator apps, and b) doesn't verify the code is working before it enables 2FA on the account.

It needs to be disabled until this is fixed.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] darrsil@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

It may be an isolated incident, but it would have been avoided had Lemmy confirmed the 2FA code before enabling it on the account. Like standard practice.

Besides, this issue refutes your entire premise - that automated 2FA set up is flawless.

See this thread: https://lemmy.eus/post/190738

It's an issue with many different authenticators, and it's an issue with the way Lemmy sets up its 2FA and doesn't do a confirmation afterwards. This needs to be fixed.