24
2FA should be disabled until it is implemented properly
(lemmy.world)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 07 Jul 2023
24 points (96.2% liked)
Lemmy.world Support
3140 readers
3 users here now
Lemmy.world Support
Welcome to the official Lemmy.world Support community! Post your issues or questions about Lemmy.world here.
This community is for issues related to the Lemmy World instance only. For Lemmy software requests or bug reports, please go to the Lemmy github page.
This community is subject to the rules defined here for lemmy.world.
To open a support ticket
Follow us for server news 🐘
Outages 🔥
https://status.lemmy.world
founded 1 year ago
MODERATORS
No complaints here, Seemless integration of both password & 2FA with iCloud keychain!
Except you didn't confirm your 2FA codes to enable 2FA. You also don't have backup codes you can download.
It may have worked for you, but that doesn't mean it's working properly.
In iOS, the activation of 2FA is an automated process, eliminating the need for a separate 2FA code to confirm its enablement.
I agree with your observation regarding the unavailability of backup codes for download.
It may be automated on the OS end, but does it confirm back with the website to make sure the codes are the same?
You can easily verify if 2FA is set up correctly during your next login. I'm having trouble identifying the problem in this situation.
Because you want to verify 2FA is set up correctly before you log in again. What if it isn't, and now you're locked out of your account with no backup code?
I'm starting to suspect that you haven't experienced the convenience of automated 2FA key implementation. Instead of scanning a QR code, the website automatically prompts and opens your password manager to insert and set up the 2FA verification key.
This streamlined process not only saves time but also enhances security by eliminating any potential man-in-the-middle attack, as the website itself takes care of the necessary steps.
I highly recommend trying it sometime as it offers a remarkably seamless and secure experience.
That doesn't address the issue. Yeah, that makes setting up a code easy on your device - but the code still should be verified and confirmed as working by the website before 2FA is enabled on the account.
Case in point: I used your revered "automated 2FA key implementation" for Lemmy in Authy. It set up the account in my Authy list, and 2FA was supposed to be working. I opened an icognito tab, went to log in, put in my 2FA code and... it didn't work.
Luckily, I still had my settings open in my other window and was able to deactivate 2FA.
The code should be tested and confirmed by the site before it's enabled. Otherwise you can easily get locked out of your account. This is standard practice when implementing 2FA on websites.
It appears to be an isolated incident, and I suspect that Authy software might be the cause.
I’ve utilized automated 2FA with three different instances and have successfully logged back into them multiple times without any issues using 2FA codes. Have you considered trying a different 2FA code manager instead of Authy?
It may be an isolated incident, but it would have been avoided had Lemmy confirmed the 2FA code before enabling it on the account. Like standard practice.
Besides, this issue refutes your entire premise - that automated 2FA set up is flawless.
See this thread: https://lemmy.eus/post/190738
It's an issue with many different authenticators, and it's an issue with the way Lemmy sets up its 2FA and doesn't do a confirmation afterwards. This needs to be fixed.