How could 2FA be disabled if you need 2FA in order to login to disable it and my free OTP+ is biometric protected?

  • asudox
    shield
    M
    link
    13 months ago

    Locking as this question violates rule 5.

  • @MrKaplanA
    link
    English
    93 months ago

    This was unfortunately an error on our end.

    Please bear with us while we work on resolving this situation.

    • @MrKaplanA
      link
      English
      3
      edit-2
      3 months ago

      2FA has been restored for all LW users that had it enabled before and didn’t reactivate it on their own since.

      There will be an announcement posted later on explaining what happened.

      edit: announcement is out: https://lemmy.world/post/18503967

  • Scrubbles
    link
    fedilink
    English
    43 months ago

    ITT OP learns that 2FA is just a token stored on a server, and that server is in control by other people

    • LightscriptionOP
      link
      13 months ago

      This is what I thought. I keep telling people they don’t exclusively own their passwords / security tokens once they give it to a site. Salted hashes to obscure the pw don’t even matter since the admin could also bypass that. Tanks for the validation.

      • Prison Mike
        link
        fedilink
        33 months ago

        And you better pray the website owner (websites in general, not Lemmy specifically) at least hashes your password.

        • LightscriptionOP
          link
          23 months ago

          yes, the more layers of security, the better, even if it is just a futile matter of time to consume the time of an ATP.

  • Dark Arc
    link
    fedilink
    English
    2
    edit-2
    3 months ago

    Going to need a lot more context than that.

    I’m sure site admins could just clear the 2FA field if they wanted. Would they? IDK, probably not unless they had good reason.

    Could someone steal your session information and disable your 2FA with that? Yeah, but I doubt they did, you’d have to have your system compromised or some kind of cross site scripting.

    Did you use any shady lemmy clients?

    etc

    • LightscriptionOP
      link
      13 months ago

      No, nothing shady. Just was notified there was a mistake on the server end. Perhaps tmi to elaborate…

  • @[email protected]
    link
    fedilink
    23 months ago

    The server owner has complete control of your account.

    They could very easily take control completely if they want.

    • LightscriptionOP
      link
      23 months ago

      This is what I thought. I keep telling people they don’t exclusively own their passwords / security tokens once they give it to a site.

      If I shared encrypted info that I kept encrypted, I guess it would still be mine but no one could then read it.