TL;DR: Lemmy generates SHA-256 TOTP digest which may be unsupported by some authenticator apps. https://github.com/LemmyNet/lemmy/issues/3309#issuecomment-1605259241 Thanks to this it may seem the authenticator is set up, yet it won’t generate correct tokens.

When lemmy.sdf.org got updated to version 0.18.0, the first thing I did was that I set up 2FA. Or so I thought. I went to settings, checked “Set up 2-factor authentication”, clicked save, and then clicked on the installation button which opened up the authenticator app I use, Cisco DUO. I saved it, and seeing that it was generating codes, I thought “Good”.
Today I wanted to log into Lemmy on my laptop. I enter username and password, and get prompted for TOTP token. I take my phone and get the token from Cisco DUO authenticator, type it into the TOTP field, and it doesn’t work. So I tried again, and again, and again,… I see. It doesn’t work.
I went on the internet to search for the issue, and found the comment mentioned above and this request on GitHub.
Thankfully I was still logged in on my phone and I was able to remove 2FA.

Who knows, but there may already be bunch of people who won’t be able to reply. Rest in peace.

  • Roy
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    Thanks for sharing! Strange that it didn’t require a TOTP code to enable the 2FA. Most services verify that the users 2FA mechanism works before enabling it.

  • fmstrat@lemmy.nowsci.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Even more strange is the use of DUO voluntarily. Can I ask why? I’m guessing work or a limited OpenVPN setup?

    • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.orgOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Originally I just wanted to set up 2FA on NetAcad and this is what they recommended, and I liked the UI more than Google Authenticator.

      It works, and allows backups. Since I originally wanted to use it just for NetAcad, I didn’t care. And I still don’t see any problems with it. Or, well, now I do.

  • 2xsaiko@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    Does it not ask you to enter a generated code before actually enabling it to verify that it actually works? That’s weird, that’s usually how it’s done.

    EDIT: ah yeah, that’s what the bug is about.

  • darrsil@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Yeah, this just happened to me with Authy. Doesn’t work with Authy, but it does work with Google Authenticator.

    The fact that Lemmy doesn’t require you to confirm the 2FA code before enabling it on your account is nuts. This needs to be fixed.