TL;DR: Lemmy generates SHA-256 TOTP digest which may be unsupported by some authenticator apps. https://github.com/LemmyNet/lemmy/issues/3309#issuecomment-1605259241 Thanks to this it may seem the authenticator is set up, yet it won’t generate correct tokens.

When lemmy.sdf.org got updated to version 0.18.0, the first thing I did was that I set up 2FA. Or so I thought. I went to settings, checked “Set up 2-factor authentication”, clicked save, and then clicked on the installation button which opened up the authenticator app I use, Cisco DUO. I saved it, and seeing that it was generating codes, I thought “Good”.
Today I wanted to log into Lemmy on my laptop. I enter username and password, and get prompted for TOTP token. I take my phone and get the token from Cisco DUO authenticator, type it into the TOTP field, and it doesn’t work. So I tried again, and again, and again,… I see. It doesn’t work.
I went on the internet to search for the issue, and found the comment mentioned above and this request on GitHub.
Thankfully I was still logged in on my phone and I was able to remove 2FA.

Who knows, but there may already be bunch of people who won’t be able to reply. Rest in peace.

  • @[email protected]
    link
    fedilink
    English
    71 year ago

    Thanks for sharing! Strange that it didn’t require a TOTP code to enable the 2FA. Most services verify that the users 2FA mechanism works before enabling it.

  • fmstrat
    link
    fedilink
    English
    61 year ago

    Even more strange is the use of DUO voluntarily. Can I ask why? I’m guessing work or a limited OpenVPN setup?

    • u/lukmly013 💾 (lemmy.sdf.org)OP
      link
      fedilink
      English
      11 year ago

      Originally I just wanted to set up 2FA on NetAcad and this is what they recommended, and I liked the UI more than Google Authenticator.

      It works, and allows backups. Since I originally wanted to use it just for NetAcad, I didn’t care. And I still don’t see any problems with it. Or, well, now I do.

  • 2xsaiko
    link
    fedilink
    English
    4
    edit-2
    1 year ago

    Does it not ask you to enter a generated code before actually enabling it to verify that it actually works? That’s weird, that’s usually how it’s done.

    EDIT: ah yeah, that’s what the bug is about.

  • @darrsil
    link
    English
    21 year ago

    Yeah, this just happened to me with Authy. Doesn’t work with Authy, but it does work with Google Authenticator.

    The fact that Lemmy doesn’t require you to confirm the 2FA code before enabling it on your account is nuts. This needs to be fixed.

  • @dvdnet90
    link
    English
    11 year ago

    Aegis and Raivo works btw