Right now, 2FA is half-baked. You can enable it and it gives you a link to sync it to an authenticator app, which only works on mobile. But there’s no confirmation required to enable it, so you may think it’s working with your code but it doesn’t take. This will lock people out of accounts.

It really should be disabled until it’s fully fleshed out. In the meantime, give us the option to send 2FA codes to the verified email on file.

UPDATE: Read this post here: https://lemmy.sdf.org/post/405431

It’s clear that the Lemmy implementation of 2FA is flawed as it a) doesn’t work with all authenticator apps, and b) doesn’t verify the code is working before it enables 2FA on the account.

It needs to be disabled until this is fixed.

  • darrsil@lemmy.worldOP
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    1 year ago

    That doesn’t address the issue. Yeah, that makes setting up a code easy on your device - but the code still should be verified and confirmed as working by the website before 2FA is enabled on the account.

    Case in point: I used your revered “automated 2FA key implementation” for Lemmy in Authy. It set up the account in my Authy list, and 2FA was supposed to be working. I opened an icognito tab, went to log in, put in my 2FA code and… it didn’t work.

    Luckily, I still had my settings open in my other window and was able to deactivate 2FA.

    The code should be tested and confirmed by the site before it’s enabled. Otherwise you can easily get locked out of your account. This is standard practice when implementing 2FA on websites.

    • MxWarp@lemmy.ca
      link
      fedilink
      arrow-up
      1
      arrow-down
      3
      ·
      1 year ago

      It appears to be an isolated incident, and I suspect that Authy software might be the cause.

      I’ve utilized automated 2FA with three different instances and have successfully logged back into them multiple times without any issues using 2FA codes. Have you considered trying a different 2FA code manager instead of Authy?

      • darrsil@lemmy.worldOP
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        edit-2
        1 year ago

        It may be an isolated incident, but it would have been avoided had Lemmy confirmed the 2FA code before enabling it on the account. Like standard practice.

        Besides, this issue refutes your entire premise - that automated 2FA set up is flawless.

        See this thread: https://lemmy.eus/post/190738

        It’s an issue with many different authenticators, and it’s an issue with the way Lemmy sets up its 2FA and doesn’t do a confirmation afterwards. This needs to be fixed.