2FA in lemmy doesn’t work reliably yet. Please don’t enable it or you will almost certainly get locked out.

Note: it makes me sad to post this.

  • Andrew J. Caines@infosec.pub
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 year ago

    The 2FA process itself - both initial setup and use with an OTP provider - has worked consistently for me so far. The instruction in the interface is misleading and I’m not the only one who locked himself out as a result. The Mastodon devs merged my pull request to clarify the instruction (including my mistake of saying “oauth” instead of “otpauth”) astonishingly quickly.

    If I may be constructively critical, we should expect to provide provide at least some minimal evidence to justify claims such as one that something doesn’t work, even if only as a link to discussion or evidence. This expectation increases when it’s accompanied by advice or instruction, especially when such advice is counter to advice which is generally accepted as “good”.

    As @[email protected] mentions, a more serious problem of password reset via email disabling 2FA offers a workaround for now in at least some cases.