this post was submitted on 29 Jun 2023
23 points (96.0% liked)

TL;DR: Lemmy generates a SHA-256 TOTP digest, which may be unsupported by some authenticator apps. https://github.com/LemmyNet/lemmy/issues/3309#issuecomment-1605259241 Thanks to this it may seem the authenticator is set up, yet it won't generate correct tokens.

When lemmy.sdf.org got updated to version 0.18.0, the first thing I did was that I set up 2FA. Or so I thought. I went to settings, checked "Set up 2-factor authentication", clicked save, and then clicked on the installation button which opened up the authenticator app I use, Cisco DUO. I saved it, and seeing that it was generating codes, I thought "Good".
Today I wanted to log into Lemmy on my laptop. I enter username and password, and get prompted for TOTP token. I take my phone and get the token from Cisco DUO authenticator, type it into the TOTP field, and it doesn't work. So I tried again, and again, and again,... I see. It doesn't work.
I went on the internet to search for the issue, and found the comment mentioned above and this request on GitHub.
Thankfully I was still logged in on my phone and I was able to remove 2FA.

Who knows, but there may already be a bunch of people who won't be able to reply. Rest in peace.
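
The mismatch described in the post, reproduced as an added example (not part of the original post and not Lemmy's code): an RFC 6238 TOTP implementation, an `otpauth://` parser that reads the `algorithm` parameter, and a server-side check that would refuse to enable 2FA until a submitted code verifies. The enrollment URI, host and account are constructed, and the silent SHA-1 fallback of an app without SHA-256 support is an assumption.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def totp(secret, when, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP: RFC 4226 HOTP computed over the time-step counter."""
    counter = struct.pack(">Q", when // period)
    mac = hmac.new(secret, counter, ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri):
    """Read TOTP parameters from an otpauth:// URI; missing ones take the usual defaults."""
    query = parse_qs(urlparse(uri).query)
    b32 = query["secret"][0].upper()
    return {
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8)),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }

def app_code(uri, when, supports_sha256=True):
    """Model an authenticator app. Assumption: without SHA-256 support it silently uses SHA-1."""
    p = parse_otpauth(uri)
    algorithm = p["algorithm"] if supports_sha256 else "SHA1"
    return totp(p["secret"], when, algorithm, p["digits"], p["period"])

def confirm_enrollment(uri, submitted, when, window=1):
    """Server-side gate: enable 2FA only if the submitted code matches the server's own."""
    p = parse_otpauth(uri)
    for step in range(-window, window + 1):
        t = max(0, when + step * p["period"])
        expected = totp(p["secret"], t, p["algorithm"], p["digits"], p["period"])
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# Constructed enrollment URI (hypothetical host and account; secret is the RFC 6238 SHA-256 test key).
SECRET_B32 = base64.b32encode(b"12345678901234567890123456789012").decode().rstrip("=")
SAMPLE_URI = f"otpauth://totp/lemmy.example:alice?secret={SECRET_B32}&algorithm=SHA256&digits=6&period=30"

if __name__ == "__main__":
    now = 1111111109
    for label, ok in (("SHA-256 capable app", True), ("SHA-1 only app", False)):
        code = app_code(SAMPLE_URI, now, supports_sha256=ok)
        print(label, code, "accepted" if confirm_enrollment(SAMPLE_URI, code, now) else "rejected")
```

Both modelled apps display a plausible six-digit code every 30 seconds, which is why the setup looks successful; only the confirmation step exposes the difference.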

top 6 comments
[–] [email protected] 4 points 1 year ago (1 children)

Even more strange is the use of DUO voluntarily. Can I ask why? I'm guessing work or a limited OpenVPN setup?

[–] [email protected] 1 points 1 year ago

Originally I just wanted to set up 2FA on NetAcad and this is what they recommended, and I liked the UI more than Google Authenticator.

It works, and allows backups. Since I originally wanted to use it just for NetAcad, I didn't care. And I still don't see any problems with it. Or, well, now I do.

[–] [email protected] 3 points 1 year ago

Thanks for sharing! Strange that it didn’t require a TOTP code to enable the 2FA. Most services verify that the user's 2FA mechanism works before enabling it.

[–] [email protected] 1 points 1 year ago

Authenticator Pro works fine but Microsoft Authenticator doesn't.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Does it not ask you to enter a generated code before actually enabling it to verify that it actually works? That's weird, that's usually how it's done.

EDIT: ah yeah, that's what the bug is about.

[–] httpjames 1 points 1 year ago

1Password supports this format
