Heads up that we’ve bumped the UI up to 0.18.2-rc.1, which should resolve the current exploit that was seen on lemmy.world.

We’ve also logged out all currently logged in users as part of it, so you’ll need to login again.

  • neb@lemmy.ca
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I went looking to re-attempt 2FA setup. After enabling it in the options, the link that for 0.18.0 would trigger an event to add it to AndOTP (instead of just providing the secret) isn’t showing up at all. (If that makes any sense in my current decaffeinated state)

    • n2burns@lemmy.ca
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      FYI, andOTP is no longer maintained, so I’d recommend switching to an alternative and there are many options. My transition to Aegis was very smooth.

      • neb@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Yeah, it’s not my primary, I just happen to still have it installed.

    • durablenapkin@lemmy.ca
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      It’s currently a little awkward, after you enable + save the first time you need to refresh the page in order to see the button which contains the otpauth:// link.

    • Shadow@lemmy.caOPM
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      I’ll take a look in a bit but might be a new bug.

      Edit: I can see the link just fine, even without deactivating it first. Can you try clearing your browser cache?

      • neb@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Weird, opening in my browser now, it’s there. (And I’ve finally figured out how to make bitwarden handle sha256.) In any case, I’m all good and properly using 2FA.

      • m-p{3}@lemmy.ca
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        1 year ago

        The link starts with otpauth://, which will likely do nothing on desktop. Either click on it from a mobile device, or on desktop you can use an addon like Offline QR Code Generator (Firefox), then right-click the link and select QR code from link. This will show a QR code you’ll be able to enroll in any TOTP app. Hopefully they’ll add an option to display a QR code when using the desktop interface in newer versions of Lemmy.

        • TheMadIrishman@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Can I copy the link it generates and put it directly into my app that handles 2FA? (1password). Thought about trying it, but I didn’t see any recovery codes and am not keen on getting locked out.

          • durablenapkin@lemmy.ca
            link
            fedilink
            English
            arrow-up
            8
            ·
            edit-2
            1 year ago

            This worked for me in Bitwarden: note since Lemmy 2FA uses SHA256 you have to copy/paste the entire link and not just the secret token. If you copy/paste just the secret token most password managers with TOTP generation have it defaulted to SHA1.

          • grte@lemmy.ca
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Worth noting that turning on 2FA doesn’t log you out of your current session so you have the opportunity to turn it back off again if you can’t copy it over in this way.