Given the recent attack, I think this is a good opportunity to remind of the importance of using 2FA.
(although it doesn’t appear to make any difference in this case as session cookies were being exploited so login credentials were not needed)
But for me at least, this event has made me go back and take another shot at setting up 2FA.
I am happy to report I finally got it working on all my Lemmy accounts/instances, so I thought I’d share some tips:
I still haven’t figured out how to set up via desktop, use a mobile browser.
Follow these steps:
Check the enable 2fa box on your account settings and click Save
A message will show about a button appearing when the page refreshes
The button usually doesn’t appear for me at first.
You can simply manually refresh the page at this point to make the button appear
The button should now be visible. Click the button.
This opens a otpauth:// link which on a mobile device should be handled by a 2FA app if you have one installed.
Authy does not work: It will generate a code happily but that code will not work when you try to login to your Lemmy account.
Google Authenticator worked for me. It appears the type of TOTP code Lemmy is using is not compatible with some authenticator apps.
I think if you can find a desktop app that registers as a provider for the otpauth:// links it may be possible to do on desktop as well.
You can also pull the secret= value from the link to manually add it to an authenticator on/from desktop.
After several failed attempts previously, I finally figured out Authy was the problem and I have now secured all my Lemmy accounts with 2FA. Annoying that I have to use GA, but that appears to be an Authy issue not a Lemmy one.
2FA might not have made any difference today but it very well might in the future.
Got to say the fact there are no backup codes and you can reset your password and disable 2FA without confirming it’s you by using your 2FA makes this protection pretty poor
As far as I can tell, no. There’s no backup codes and there’s no “verification” of the codes when you enable it.
Also, you do not get logged out of any other sessions even if they were logged in before 2FA was enabled.
So I typically leave my desktop browser logged in as a backdoor in case something goes wrong I can use that session to re-disable 2FA.
Then once I have verified it working on mobile I will sign out the desktop browser and sign it back in with the 2FA key.
But yeah, no backup codes. Apparently an admin can disable 2FA on your account if you get locked out, or so I have heard.
You may want to add a warning to your post. For instances that don’t require an email address, it’s currently quite easy to get permanently locked out of your account because the code is never verified.
On desktop macOS the link just works with the built-in thing.
In 1password (probably regardless of what it’s running on?), if it’s not registered as a handler for the URL scheme, one can add an OTP field to the login item for lemmy manually and then copy-paste the entire setup link into the field.
I would like to know, how it works with the Yubikey OTP Generator. I have 2 Yubikeys and want to use the secret with both keys. Is this possible? Do somebody know something about it?
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
A community to talk about the Fediverse and all it’s related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to [email protected]!
Rules
Posts must be on topic.
Be respectful of others.
Cite the sources used for graphs and other statistics.
Microsoft authenticator doesnt work!
OTP doesnt work! Please keep at least 1 device logged in a browser! I almost locked me out, because the otp didnt worked.
deleted by creator
Got to say the fact there are no backup codes and you can reset your password and disable 2FA without confirming it’s you by using your 2FA makes this protection pretty poor
Yeah it needs some love, but I still think it’s better to have than not.
It’s not less secure than a password alone.
that is very true
If you paste the entire URL it gives you, bitwarden also works.
Additionally it needs QR-Code Support, Backup-Codes and disabling only after double-check of your current password.
I think the missing QR-Code is a main flaw that holds non tech savvy people back from using it at all.
2FA feels very half-baked atm.
Tried to set it up and got locked out, but apparently you can get around 2FA by simply requesting a password reset…
That seems like a massive security flaw, and essentially makes 2FA non-existent atm.
Is there a way to get backup codes? I enabled 2FA, but I don’t see anywhere to generate them.
As far as I can tell, no. There’s no backup codes and there’s no “verification” of the codes when you enable it.
Also, you do not get logged out of any other sessions even if they were logged in before 2FA was enabled.
So I typically leave my desktop browser logged in as a backdoor in case something goes wrong I can use that session to re-disable 2FA.
Then once I have verified it working on mobile I will sign out the desktop browser and sign it back in with the 2FA key.
But yeah, no backup codes. Apparently an admin can disable 2FA on your account if you get locked out, or so I have heard.
You may want to add a warning to your post. For instances that don’t require an email address, it’s currently quite easy to get permanently locked out of your account because the code is never verified.
I couldn’t find backup codes but I was able to perform a password reset which logged me in and let me disable or reconfigure 2fa.
Seems strange that you could remove 2FA without being forced to authenticate via 2FA first.
Thanks for the info. andOTP authenticator works perfectly.
On desktop browser, you have to right-click the button and copy the link, which can then be posted into an app the takes the otpauth URI.
Aegis worked well as a 2fa app for me.
On desktop macOS the link just works with the built-in thing.
In 1password (probably regardless of what it’s running on?), if it’s not registered as a handler for the URL scheme, one can add an OTP field to the login item for lemmy manually and then copy-paste the entire setup link into the field.
I cant wait for email based 2 factor authentication to be implemented. Or then Authy can finally work.
I look forward to the day when FIDO2 (YubiKey) and passkeys are supported.
I would like to know, how it works with the Yubikey OTP Generator. I have 2 Yubikeys and want to use the secret with both keys. Is this possible? Do somebody know something about it?
Okay I use a “workaround” with Bitwarden. Yubikeys secure Bitwarden and Bitwarden provides 2FA for Lemmy. So I can use Yubikeys for 2FA