TL;DR: Lemmy generates SHA-256 TOTP digest which may be unsupported by some authenticator apps. https://github.com/LemmyNet/lemmy/issues/3309#issuecomment-1605259241 Thanks to this it may seem the authenticator is set up, yet it won't generate correct tokens.
When lemmy.sdf.org got updated to version 0.18.0, the first thing I did was that I set up 2FA. Or so I thought. I went to settings, checked "Set up 2-factor authentication", clicked save, and then clicked on the installation button which opened up the authenticator app I use, Cisco DUO. I saved it, and seeing that it was generating codes, I thought "Good".
Today I wanted to log into Lemmy on my laptop. I enter username and password, and get prompted for TOTP token. I take my phone and get the token from Cisco DUO authenticator, type it into the TOTP field, and it doesn't work. So I tried again, and again, and again,... I see. It doesn't work.
I went on the internet to search for the issue, and found the comment mentioned above and this request on GitHub.
Thankfully I was still logged in on my phone and I was able to remove 2FA.
Who knows, but there may already be bunch of people who won't be able to reply. Rest in peace.
Does it not ask you to enter a generated code before actually enabling it to verify that it actually works? That's weird, that's usually how it's done.
EDIT: ah yeah, that's what the bug is about.