TL;DR: Lemmy generates SHA-256 TOTP digest which may be unsupported by some authenticator apps. https://github.com/LemmyNet/lemmy/issues/3309#issuecomment-1605259241 Thanks to this it may seem the authenticator is set up, yet it won’t generate correct tokens.

When lemmy.sdf.org got updated to version 0.18.0, the first thing I did was that I set up 2FA. Or so I thought. I went to settings, checked “Set up 2-factor authentication”, clicked save, and then clicked on the installation button which opened up the authenticator app I use, Cisco DUO. I saved it, and seeing that it was generating codes, I thought “Good”.
Today I wanted to log into Lemmy on my laptop. I enter username and password, and get prompted for TOTP token. I take my phone and get the token from Cisco DUO authenticator, type it into the TOTP field, and it doesn’t work. So I tried again, and again, and again,… I see. It doesn’t work.
I went on the internet to search for the issue, and found the comment mentioned above and this request on GitHub.
Thankfully I was still logged in on my phone and I was able to remove 2FA.

Who knows, but there may already be bunch of people who won’t be able to reply. Rest in peace.

  • 2xsaiko
    link
    fedilink
    English
    4
    edit-2
    1 year ago

    Does it not ask you to enter a generated code before actually enabling it to verify that it actually works? That’s weird, that’s usually how it’s done.

    EDIT: ah yeah, that’s what the bug is about.