2FA in Lemmy doesn’t work reliably yet. Please don’t enable it or you will almost certainly get locked out.

Note: it makes me sad to post this.

15 points

Ouch, you know it’s bad when an infosec admin asks you to switch off 2FA…
6 points
Deleted by creator
6 points

This kinda sucks. I had enabled it a while ago and it seems to have been working, but the implementation was really odd, not requiring verification of a code before it was enabled.

The 2FA process itself - both initial setup and use with an OTP provider - has worked consistently for me so far. The instruction in the interface is misleading and I’m not the only one who locked himself out as a result. The Mastodon devs merged my pull request to clarify the instruction (including my mistake of saying “oauth” instead of “otpauth”) astonishingly quickly.

If I may be constructively critical, we should expect to provide at least some minimal evidence to justify claims such as one that something doesn’t work, even if only as a link to a discussion or evidence. This expectation increases when it’s accompanied by advice or instruction, especially when such advice is counter to advice which is generally accepted as “good”.

As @qwet@lemm.ee mentions, a more serious problem of password reset via email disabling 2FA offers a workaround for now in at least some cases.

3 points

Once it does work, will it allow apps like Authy, or will I have to wait until I get a phone number?
1 point

Even the current implementation allows Authy. It isn’t great, but if you copy/paste the link that the “2FA Activation Link” gives you, it’s an OTP link; you should be able to paste it right into the TOTP secret field. Bitwarden has the capability, and I’d be surprised if Authy couldn’t parse that link.
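To make concrete what the activation link in the comment above actually carries, here is an added example (not Lemmy’s code, and not code from anyone in this thread) that parses an `otpauth://totp/...` URI, pulls out the base32 secret and parameters, and computes the RFC 6238 TOTP code from them, which is exactly what Authy or Bitwarden does when you paste the link in. The sample link is constructed for this example; its secret is the RFC 6238 test key `12345678901234567890` in base32, not a real account’s seed. The function names `parse_otpauth`, `totp` and `code_from_link` are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample activation link (assumption for this example, not a real
# account): the secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_LINK = (
    "otpauth://totp/infosec.pub:alice%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=infosec.pub"
    "&algorithm=SHA1&digits=6&period=30"
)

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(link):
    """Parse an otpauth:// URI into its TOTP parameters.

    Rejects anything that is not an otpauth://totp link, so a mislabelled
    "oauth" link (the wording slip mentioned in the thread) fails loudly
    instead of silently producing wrong codes.
    """
    u = urlparse(link)
    if u.scheme != "otpauth":
        raise ValueError(f"expected otpauth:// scheme, got {u.scheme!r}")
    if u.netloc != "totp":
        raise ValueError(f"unsupported OTP type {u.netloc!r}")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("link carries no secret parameter")
    secret_b32 = q["secret"][0].strip().replace(" ", "").upper()
    # Some generators drop the '=' padding; base64.b32decode requires it.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [None])[0],
        "secret": base64.b32decode(secret_b32),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(secret, for_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the number of periods since the epoch."""
    counter = struct.pack(">Q", int(for_time) // period)
    mac = hmac.new(secret, counter, DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_link(link, for_time=None):
    """Compute the current (or given-time) code straight from an activation link."""
    p = parse_otpauth(link)
    if for_time is None:
        for_time = time.time()
    return totp(p["secret"], for_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_LINK)
    print(params["label"], params["issuer"], code_from_link(SAMPLE_LINK))
```

The practical consequence for the thread’s advice: the link is the seed. Anyone who can read the text you copy/pasted (clipboard managers, chat logs, a screenshot) can generate your codes indefinitely, so treat the activation link like a password, and verify a generated code against the server before relying on it, since the secret never changes after enrolment.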
0 points

You really don’t have a phone number? If so maybe you can try this https://voice.google.com/u/0/calls

4 points

Some of us care about privacy and don’t want to give out our numbers willy nilly

2 points

That isn’t why for me. I’m broke, and unless you actively work to remove your number from databases and whatever… that kind of privacy is an illusion.
1 point

Looked at that a bit ago. It requires a phone number to verify.

Discussions related to Infosec.pub

!infosecpub@infosec.pub
