It may not be wise to enable 2FA until Lemmy fixes the implementation. It's currently very easy to get permanently locked out of your account, through no fault of your own. Especially if you don't have an email address linked to your account.
If you are concerned, I would suggest keeping another browser/device/etc logged in when trying to enable 2FA.
Then if the 2FA activation fails, you can use that second session (which does not get logged out when you enable 2FA) to then disable it again.
For sure! But I don't think non-advanced users should be enabling 2FA right now. It's puzzling that Lemmy pushed the feature in its current state to production.
This happened to me. I was going to try it and when I saw that the option wasn't what I expected, I intended to close it, but I guess either I didn't or it's buggy, because it's enabled now and there's no encryption key, so no way to log in. Then the server logged everyone out because of the hack. This was on lemmy.world, btw; I have an account on kbin too.
I sent an email, but no word yet obviously. I'm sure they're busy.
Jeez, that sucks. Hope you get back in soon!
Got to say, the fact that there are no backup codes, and that you can reset your password and disable 2FA without confirming it's you by using your 2FA, makes this protection pretty poor.
Yeah it needs some love, but I still think it's better to have than not.
It's not less secure than a password alone.
That is very true.
Additionally it needs QR-Code Support, Backup-Codes and disabling only after double-check of your current password.
I think the missing QR-Code is a main flaw that holds non tech savvy people back from using it at all.
2FA feels very half-baked atm.
Tried to set it up and got locked out, but apparently you can get around 2FA by simply requesting a password reset...
That seems like a massive security flaw, and essentially makes 2FA non-existent atm.
OTP doesn't work! Please keep at least one device logged in in a browser! I almost locked myself out, because the OTP didn't work.
If you paste the entire URL it gives you, bitwarden also works.
Microsoft Authenticator doesn't work!
On a desktop browser, you have to right-click the button and copy the link, which can then be pasted into an app that takes the otpauth URI.
On desktop macOS the link just works with the built-in thing.
In 1password (probably regardless of what it's running on?), if it's not registered as a handler for the URL scheme, one can add an OTP field to the login item for lemmy manually and then copy-paste the entire setup link into the field.
Is there a way to get backup codes? I enabled 2FA, but I don't see anywhere to generate them.
I couldn't find backup codes but I was able to perform a password reset which logged me in and let me disable or reconfigure 2fa.
Seems strange that you could remove 2FA without being forced to authenticate via 2FA first.
As far as I can tell, no. There's no backup codes and there's no "verification" of the codes when you enable it.
Also, you do not get logged out of any other sessions even if they were logged in before 2FA was enabled.
So I typically leave my desktop browser logged in as a backdoor in case something goes wrong I can use that session to re-disable 2FA.
Then once I have verified it working on mobile I will sign out the desktop browser and sign it back in with the 2FA key.
But yeah, no backup codes. Apparently an admin can disable 2FA on your account if you get locked out, or so I have heard.
You may want to add a warning to your post. For instances that don't require an email address, it's currently quite easy to get permanently locked out of your account because the code is never verified.
Thanks for the info. andOTP authenticator works perfectly.
Saw the same bug with the button not appearing until you manually refresh the page.
On iPhone it was super simple. Clicking the link opened iOS's built-in password manager, which was compatible and could generate the codes automatically.
I would like to know how it works with the YubiKey OTP generator. I have 2 YubiKeys and want to use the secret with both keys. Is this possible? Does somebody know something about it?
Okay, I use a "workaround" with Bitwarden. YubiKeys secure Bitwarden, and Bitwarden provides 2FA for Lemmy. So I can use YubiKeys for 2FA.
I can't wait for email-based two-factor authentication to be implemented. Or then Authy can finally work.
Using Authenticator Pro on Android. Working well for me.
The TOTP feature in Bitwarden works, if you paste the whole otpauth:// URI into Bitwarden's Authenticator Key (TOTP) field. The URL specifies that the hashing algorithm should be SHA256. If you just import the secret= value into Authy, it probably defaults to using the SHA-1 algorithm, which may be why the codes generated by Authy don't work.
SHA256 is more secure than SHA-1, which I guess is why Lemmy has chosen to use it for its 2FA feature.
I look forward to the day when FIDO2 (YubiKey) and passkeys are supported.
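Several comments above describe copying the whole otpauth:// link into an authenticator rather than just the secret, and the Bitwarden/Authy comment explains why: the URI carries an algorithm parameter (SHA256 in Lemmy's case), and an app that imports only the secret falls back to the TOTP default of SHA-1, so its codes never match. The following script is an added example, not code from the thread or from Lemmy; it parses an otpauth URI, computes RFC 6238 TOTP codes honouring the algorithm parameter, and shows what a secret-only import would compute instead. The URI, label and secret (`JBSWY3DPEHPK3PXP`, a widely used public test value) are constructed for the example and are not real enrolment data.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrolment link (not a real Lemmy URI). Note the
# algorithm=SHA256 parameter, which a secret-only import silently drops.
SAMPLE_URI = (
    "otpauth://totp/Lemmy:alice%40example.invalid"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Lemmy&algorithm=SHA256&digits=6&period=30"
)

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into its label and query parameters.

    Missing parameters take the defaults most authenticator apps assume
    (SHA1, 6 digits, 30-second period), which is exactly the mismatch the
    thread describes when only the secret is copied.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"],
        "issuer": query.get("issuer"),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def totp_from_key(key, algorithm="SHA1", digits=6, period=30, now=None):
    """RFC 6238 TOTP over a raw key: HMAC of the time-step counter, then dynamic truncation."""
    if algorithm not in _DIGESTS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    counter = int((time.time() if now is None else now) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, algorithm="SHA1", digits=6, period=30, now=None):
    """TOTP from a base32 secret as it appears in the URI (padding is often omitted)."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return totp_from_key(base64.b32decode(cleaned), algorithm, digits, period, now)


def code_from_uri(uri, now=None):
    """The code a correct client produces: every URI parameter is honoured."""
    p = parse_otpauth(uri)
    return totp(p["secret"], p["algorithm"], p["digits"], p["period"], now)


def secret_only_code(uri, now=None):
    """The code an app produces if only secret= was pasted in and SHA-1 is assumed."""
    p = parse_otpauth(uri)
    return totp(p["secret"], "SHA1", p["digits"], p["period"], now)


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    print("account:", info["label"], "algorithm:", info["algorithm"])
    print("code honouring the URI:  ", code_from_uri(SAMPLE_URI))
    print("code from secret only:   ", secret_only_code(SAMPLE_URI))
```

When the two printed codes differ, the server (which uses SHA256) rejects the secret-only code, which matches the symptom reported for Authy. The same check is a cheap way to confirm a new enrolment before signing out of the remaining session: generate the code from the full URI, verify it against the server, and only then discard the fallback login the thread recommends keeping open.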