Is there anything I can do, or is that account lost forever now? Resetting the password doesn’t work (natch). Not a huge deal, but it’s upsetting because I was modding a community from that account. Any tips/contacts would be appreciated. Cheers.

*** update: as per commenters suggesting, tried resetting password for that account once again, and I was successfully able to log in, go to my settings, then remove 2FA, and all seems good now

  • AJCxZ0@kbin.social
    link
    fedilink
    arrow-up
    21
    ·
    1 year ago

    I did the same thing on a different Lemmy instance, probably for the same reason. I just created a pull request to fix the broken instructions - pull 88.

    Nothing is lost, but I’m quite sure that the instance admin will need to disable 2FA in your account for you to regain access, however I suspect that the lemmy.world admin is going to be busy for a while due to the recent exploit.

  • ChipsAHoey@lemmy.world
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    FWIW I found the string for 2FA if you right click open link in New window. Then you can read the string to import into an authenticator app from there. Had it generating codes but the codes wouldn’t let me login on my app so I disabled for now. Hope they can fix this in the future.

    • jard@sopuli.xyz
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      You have to set the hash algorithm to SHA256 (that’s what the URI asks for.) Apparently, Google Authenticator and anything based on that ignores the algorithm parameter, causing them to generate the wrong codes anyways.

      This Firefox plugin and Bitwarden’s TOTP are some authenticators that handle the URI correctly and generate the right codes.

      • ChipsAHoey@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Great info! I had originally imported to bitwarden but didn’t want to have all my eggs in one basket.

        • jard@sopuli.xyz
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Meh, it’s an eggs in one basket situation for me because I’m desperately waiting for more services to adopt WebAuthn. =)

  • Otherbarry@lemmy.zip
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    1 year ago

    Ah that sucks, was just talking about Lemmy’s incomplete 2FA in a different post https://lemmy.world/post/1288267

    You’re right, unlike most websites/apps using 2FA Lemmy does not display a QR code.

    You probably need to contact the admins for your Lemmy instance & see what they can do. (lemmy.world in your case)

  • DannyMac@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    I tried to enable it and it didn’t work… Luckily, I’m not locked out and was able to disable it.

  • PsychicPsquirrel@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    Same thing happened to me. The link didn’t appear on mobile. After a password reset on a desktop browser, the 2fa link appeared.

  • towerful@programming.dev
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    Always worth - whenever you change authentication settings - opening a new incognito tab and try signing in.
    If it fails, hopefully your actual tab is still authenticated so you can disable/edit

  • M1lt0n@reddthat.com
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    1 year ago

    This happened to me on my beehaw account when they first announced 2FA. The accounts are now gone for us. Just saw the edit… going to see if that works for me. I might be hosed though because I’m not sure I entered an email.

  • Kovu@lemmy.world
    link
    fedilink
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    for some reason, which has to be fixed soon because it’s a huge security risk, you can log back into your account without 2fa after resetting your password via email

    • jard@sopuli.xyz
      link
      fedilink
      arrow-up
      9
      ·
      edit-2
      1 year ago

      It’s scuffed but it does work. The problem is that Lemmy hands you a TOTP Key URI directly; what you have to do is manually enter the information from that URI into an authenticator app that supports advanced parameters (you need to be able to set the issuer, hash algorithm, and secret, which are all present in the URI).

      Once you do that then the authenticator app should generate the correct TOTPs, which is what I currently have with Bitwarden. Why it’s like this instead of the normal 2FA flow everyone’s used to… nobody knows.

    • eroc1990@lemmy.parastor.net
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Can you elaborate? I’ve got it enabled and working on my personal instance running 0.18.1. Is there an authentication check that isn’t actually happening in the login flow or something?

  • 50gp@kbin.social
    link
    fedilink
    arrow-up
    3
    arrow-down
    1
    ·
    edit-2
    1 year ago

    tbh I’d be concerned that the devs would even think of pushing this kind of unfinished and broken feature to a live build

  • Kuro@lemmy.ca
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    FYI if this is because of the cross-site attack on Lemmy.world you should know 2FA will NOT help as the attacker accesses the JWT key directly which has already been signed in w/2FA. The only way to mitigate it is to use a native app and not the web or PWA version.