this post was submitted on 26 Jul 2023
9 points (100.0% liked)

Lemmy Support

4656 readers
15 users here now

Support / questions about Lemmy.

Matrix Space: #lemmy-space

founded 5 years ago
MODERATORS
 

Hi. I was trying to set up 2FA in my settings, where there is a button named "2FA installation link." I right clicked on the button, copied the link, and put it into a QR code generator. I scanned it with Twilio Authy on my phone to add it. To my surprise, when I tried using it to log in, the generated codes simply do not work. I have 20ish entries on Authy and they all work, with the Lemmy accounts being the outliers. I have also tested the 2FA on my other account at feddit.nl, and it doesn't work with Authy either.

So, I tried using Google Authenticator instead. I used it to scan the very same QR code, and it spits out different codes from those generated by Authy. The ones generated by GAuthenticator work, whereas the Authy ones don't work. I wonder what the issue is?

Edit: grammar

top 13 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 1 year ago (1 children)

I believe the issue is that Lemmy expects the codes to be generated using the SHA256 algorithm, while most generator apps use SHA1.

[–] [email protected] 4 points 1 year ago (3 children)

Ahhh, thanks! After closer inspection of the link otpauth://totp/lemm.ee:randint?secret=[redacted, 64 characters]&algorithm=SHA256&issuer=lemm.ee, it does indeed specify SHA256. Looks like Authy just uses SHA1 regardless. Maybe I should switch back to GAuthenticator, but you know, Google...

[–] [email protected] 2 points 1 year ago

LastPass Authenticator can use SHA256, it works for logging in to my Lemmy instance. And you can use the app independently of LastPass, keeping everything on your device.

[–] [email protected] 2 points 1 year ago (1 children)

If twilio doesn't work but you don't want to use Google, try Aegis or Bitwarden. Both available on f-droid. For totp on Bitwarden you either need to self-host the database using vaultwarden or pay for the pro version.

[–] [email protected] 1 points 1 year ago (1 children)

Thanks for the suggestions. I already use BitWarden, but I use the free tier and sadly self-hosting is not really an option for me (for now). I decided to use Authenticator Pro as suggested by @[email protected], and I'll import the accounts maybe this weekend.

By the way I think I should clarify that I'm not a libre extremist trying to avoid everything Google (yet. maybe I'll become one in the future) I just want to slowly move away and also not start using Google services that I don't already use.

[–] [email protected] 1 points 1 year ago

Understandable, best of luck if you want move to the "libre extremist" side. It is a very liberating experience :)

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

There are some other authenticator apps out there, fully open source, offline, and that support sha256.

I found Authenticator Pro to have the best ui, but many people also use andOTP because it has more features.

[–] [email protected] 1 points 1 year ago

Thanks! I'm gonna try out Authenticator Pro.

[–] [email protected] 1 points 1 year ago (1 children)

2FA does not completely work at the moment

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

Ah, ok. Thanks!

Edit: I just read the comment by @[email protected], and apparently the root cause is that Authy uses SHA1 despite the link clearly specifying SHA256. Now I wonder what you mean by 2FA doesn't completely work yet?

[–] [email protected] 2 points 1 year ago (1 children)

There has been issues on the GitHub about that, AFAIK it's still a bit buggy

[–] [email protected] 1 points 1 year ago (1 children)

I tried setting it up and almost completely lost access to my account. Sadly I'm going to wait until its properly sorted.

[–] [email protected] 1 points 1 year ago

Sorry to hear that. Maybe you can try contacting your instance admins?

load more comments
view more: next ›