Using pc, via browser (Firefox fork).

Tried the new 2FA option in settings, but it just gives a weird link that my browser cannot open.

How does 2FA work here? (My email, steam login, &etc, 2FA methods send a text message to my phone with a code to input into the website. Easy peasy.)

I’m quite technical, so my best guess is that this 2FA method is aimed at smartphone apps.

ps, Greetings to all. & thanks @Tom for creating a UK feddit.

*edit (as comments aren't working for me yet)* ~ Thank you @GreatAlbatross for the detailed explanation. Good thing I hit "disable 2FA" after the failed attempt. 
~ So, best to NOT use it for now (via PC). ~

Growing pains indeed. More testing required for that feature. 
(Also TOTP = "top of the pops" to a brit, hehe.)
  • GreatAlbatross@feddit.ukM
    link
    fedilink
    English
    arrow-up
    6
    ·
    edit-2
    1 year ago

    I promised to help with this once it was available, so I will post up here. Feel free to share the post if it’s helpful. I may edit later, I just wanted to get this up quickly.

    First up: Don’t activate TOTP until you are ready, and understand what it’s doing.

    I just experimented with it, and it is immediately activated, without any sort of validation that you are generating valid codes. (This is not good design)
    This is important, as if you activate it, don’t manage to get it working, then log out…You won’t be able to log in…And Tom will have a very busy weekend resetting accounts!
    I hate that I had to add this caveat, as it should be a foolproof process. Maybe 18.2 will tidy it up :)

    For this instance of Lemmy, a SHA256 TOTP token is used (yay, top of the pops…)

    TOTP stands for Timed One Time Password. When it is activated on a service, an secret string is generated.
    This is imported into an application or device using TOTP. When you want to log in, it uses the secret, plus the current time, to generate a code, which authenticates you.

    In this instance, when you click activate, it gives you a TOTP link.
    If you have a TOTP 2FA app installed (for example, Google Authenticator), this should open, and prompt you to save the secret string.
    (Often, systems will generate a QR code, which TOTP apps can also use) If it does not, take the link, and copy out the string of data between secret= and &algorithm.
    Enter your TOTP app of choice, add a new account, set the username to something memorable/useful, put the string in the secret box, set the algorithm to SHA256, and save.

    Open a new private tab, and test by logging in, using the code.
    If it doesn’t work, you can try again.
    Just do not log out of your account without either proving it’s working, or disabling it!

    Apps that can do TOTP: For now, I’ll just share Google Authenticator:

    Play Store Link

    Open-source fork for very privacy minded people

    If you want to use a hardware token, Token2 do nice ones, varying from electronic generators, to USB keys that reveal your codes through an app when you boop them.

    Edit: Good news, the issues are logged.

    2FA not requiring a check before being used: https://github.com/LemmyNet/lemmy/issues/3309 (Duplicate with lots of discussion: https://github.com/LemmyNet/lemmy/issues/3325 )

    2FA QR code generation: https://github.com/LemmyNet/lemmy-ui/issues/1544

    This is just my personal take, but this will definitely be a growing pain for Lemmy.
    People are going to activate this, and get locked out, a LOT until those fixes go in.
    Defaulting to SHA256 is a bit of a classic “why don’t we make it as secure as possible” moment: Lots of TOTP apps don’t support it.