this post was submitted on 29 Jun 2023
32 points (97.1% liked)

Lemmy

2172 readers
83 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to [email protected].

founded 4 years ago
MODERATORS
[email protected]
32
Warning: If you set up 2FA on Lemmy, it's possible it doesn't work. Make sure to verify it works for you. (lemmy.sdf.org)
submitted 1 year ago by [email protected] to c/[email protected]
9 comments fedilink hide all child comments
 

TL;DR: Lemmy generates SHA-256 TOTP digest which may be unsupported by some authenticator apps. https://github.com/LemmyNet/lemmy/issues/3309#issuecomment-1605259241 Thanks to this it may seem the authenticator is set up, yet it won't generate correct tokens.

When lemmy.sdf.org got updated to version 0.18.0, the first thing I did was that I set up 2FA. Or so I thought. I went to settings, checked "Set up 2-factor authentication", clicked save, and then clicked on the installation button which opened up the authenticator app I use, Cisco DUO. I saved it, and seeing that it was generating codes, I thought "Good".
Today I wanted to log into Lemmy on my laptop. I enter username and password, and get prompted for TOTP token. I take my phone and get the token from Cisco DUO authenticator, type it into the TOTP field, and it doesn't work. So I tried again, and again, and again,... I see. It doesn't work.
I went on the internet to search for the issue, and found the comment mentioned above and this request on GitHub.
Thankfully I was still logged in on my phone and I was able to remove 2FA.

Who knows, but there may already be bunch of people who won't be able to reply. Rest in peace.

top 8 comments
sorted by: hot top controversial new old
[–] [email protected] 7 points 1 year ago

Thanks for sharing! Strange that it didn’t require a TOTP code to enable the 2FA. Most services verify that the users 2FA mechanism works before enabling it.

[–] [email protected] 6 points 1 year ago (1 children)

Even more strange is the use of DUO voluntarily. Can I ask why? I'm guessing work or a limited OpenVPN setup?

[–] [email protected] 1 points 1 year ago

Originally I just wanted to set up 2FA on NetAcad and this is what they recommended, and I liked the UI more than Google Authenticator.

It works, and allows backups. Since I originally wanted to use it just for NetAcad, I didn't care. And I still don't see any problems with it. Or, well, now I do.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Does it not ask you to enter a generated code before actually enabling it to verify that it actually works? That's weird, that's usually how it's done.

EDIT: ah yeah, that's what the bug is about.

[–] [email protected] 3 points 1 year ago

Authenticator Pro works fine but Microsoft Authenticator doesn't.

[–] darrsil 2 points 1 year ago

Yeah, this just happened to me with Authy. Doesn't work with Authy, but it does work with Google Authenticator.

The fact that Lemmy doesn't require you to confirm the 2FA code before enabling it on your account is nuts. This needs to be fixed.

[–] dvdnet90 1 points 1 year ago

Aegis and Raivo works btw

[–] [email protected] 1 points 1 year ago

1Password supports this format

load more comments
view more: next ›