2FA in lemmy doesn’t work reliably yet. Please don’t enable it or you will almost certainly get locked out.

Note: it makes me sad to post this.

  • himazawa@infosec.pub · +1 · 1 year ago (edited)

    Ahaha I had this exact same experience. Locked out because Bitwarden didn’t get the code correctly. “Luckily” the JWT token never expires so I was able to log back in without the 2FA.

  • Andrew J. Caines@infosec.pub · +1 · 1 year ago (edited)

    The 2FA process itself - both initial setup and use with an OTP provider - has worked consistently for me so far. The instruction in the interface is misleading and I’m not the only one who locked himself out as a result. The Mastodon devs merged my pull request to clarify the instruction (including my mistake of saying “oauth” instead of “otpauth”) astonishingly quickly.

    If I may be constructively critical, we should expect to provide at least some minimal evidence to justify claims such as one that something doesn’t work, even if only as a link to discussion or evidence. This expectation increases when it’s accompanied by advice or instruction, especially when such advice is counter to advice which is generally accepted as “good”.

    As @qwet@lemm.ee mentions, a more serious problem of password reset via email disabling 2FA offers a workaround for now in at least some cases.
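The post above turns on the difference between an `otpauth://` enrolment URI and a mistyped `oauth://` one, and on an authenticator producing a code the server then rejects. The following is an added example, not Lemmy’s code and not from any poster in this thread: it parses an `otpauth://totp/...` URI (rejecting any other scheme), decodes the Base32 secret, computes TOTP per RFC 6238, and verifies a submitted code with a small skew window. The function names (`parse_otpauth`, `hotp`, `totp`, `verify_totp`), the `window` parameter and the sample URI are this example’s own; the secret inside the sample URI is the RFC 6238 test key, so the codes it produces match the RFC’s published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions permitted by the otpauth URI "algorithm" parameter.
_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Parse an otpauth://totp/... URI into its TOTP parameters.

    Anything that is not the otpauth scheme is rejected: an "oauth://"
    string is not an authenticator enrolment URI and no app will accept it.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError(f"expected otpauth:// URI, got scheme {parts.scheme!r}")
    if parts.netloc != "totp":
        raise ValueError(f"only TOTP is handled here, got type {parts.netloc!r}")
    params = parse_qs(parts.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": params["secret"][0],
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def decode_secret(secret_b32):
    """Decode the Base32 secret; apps often emit it unpadded or lowercase."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def verify_totp(key, code, at=None, window=1, period=30, digits=6, algorithm="SHA1"):
    """Accept the code for the current step and `window` steps either side.

    A window of 1 tolerates about 30 s of clock skew between the phone or
    password manager and the server; a server with window 0 will reject
    a code that was correct when the app displayed it.
    """
    if at is None:
        at = time.time()
    counter = int(at) // period
    for step in range(-window, window + 1):
        candidate = hotp(key, counter + step, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed sample enrolment URI for this example; the secret is the
# Base32 form of the RFC 6238 SHA-1 test key "12345678901234567890".
SAMPLE_URI = "otpauth://totp/Lemmy:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Lemmy"

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    key = decode_secret(params["secret"])
    code = totp(key, period=params["period"], digits=params["digits"], algorithm=params["algorithm"])
    print(params["label"], "current code:", code)
    print("verifies:", verify_totp(key, code))
    try:
        parse_otpauth(SAMPLE_URI.replace("otpauth://", "oauth://", 1))
    except ValueError as err:
        print("rejected:", err)
```

The `window` argument is the check a practitioner would want when a code that looks right is refused: if `verify_totp(..., window=0)` fails but `window=1` succeeds, the problem is clock skew, not the secret.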

  • alex_02@infosec.pub · 0 · 1 year ago

    Once it does work, will it allow apps like Authy or will I have to wait till I get a phone number?

  • Offlein@lemmy.world · 0 up / 1 down · 1 year ago (edited)

    “…Also, we’re having some issues with your passwords so please everyone just post those here along with social security numbers if you’re American, thanks!”

    • bh11235@infosec.pub · +2 · 1 year ago

      I have never in my life seen a more concise demonstration of the adage, “without a threat model there can be no security, only paranoia”