If you are an Admin of a Lemmy instance, please use it to help secure your account!

  • csm10495@sh.itjust.works
    link
    fedilink
    arrow-up
    8
    ·
    1 year ago

    Also please test that it works before logging out. If it doesn’t work, disable it immediately.

    For me 2FA on Lemmy is busted since it only supports an obscure version of TOTP that nothing I use (authy, Google auth, etc) supports.

    There are various GitHub issues filed related to TOTP usability and Lemmy.

    • Adam@lemmy.adambowl.es
      link
      fedilink
      arrow-up
      2
      arrow-down
      3
      ·
      1 year ago

      Lemmy supports true standard totp. Those apps listed are the obscure ones, they do their own wacky shit with the standards

      • csm10495@sh.itjust.works
        link
        fedilink
        arrow-up
        8
        ·
        edit-2
        1 year ago

        I disagree. Per RFC, only SHA1 needs to be supported. These apps support SHA1.

        Lemmy is using SHA256 which ‘may’ not ‘must’ be supported per RFC.

        The standard is SHA1… it is a ‘must be supported’. Every other website I use TOTP with works with all these apps. Lemmy is the outliar via using SHA256.

        Edit to add RFC reference:

        As defined in [RFC4226], the HOTP algorithm is based on the
           HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an
           increasing counter value representing the message in the HMAC
           computation.
        
        ...
        
        
        TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
           based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
           HMAC-SHA-1 function that has been specified for the HOTP computation
           in [RFC4226].
        

        In: https://datatracker.ietf.org/doc/html/rfc6238

      • Baron Von J@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        The implementation doesn’t verify that you can generate valid tokens before updating your account and doesn’t give you any backup recovery tokens.