otherbarry,

Admins yes. But maybe regular users should avoid Lemmy’s 2FA implementation for now (unless they have lots of experience with this).

With the current implementation it’s way too easy for an average user to attempt to get this set up & get themselves locked out of their own Lemmy account.

  • Lemmy doesn’t display a QR code like every other website/app using 2FA
  • Lemmy doesn’t force the user to successfully test that the 2FA is working before saving the changes
  • Lemmy doesn’t give the user any backup codes, unclear what the procedure is if you don’t have a backup code, lose your 2FA device and need to reset
  • Lemmy’s 2FA implementation is SHA256, not all 2FA apps support that (e.g. I tried adding this to both Google Authenticator and andOTP and came out with 2 different 2FA codes, maybe because Google’s app doesn’t support SHA256)

In the end I got nervous & was unsure which if any of my apps were working with Lemmy’s 2FA so disabled it for now. It’ll get better in a future update, just saying be careful going through the current setup.

memfree,
@memfree@lemmy.ml

me, reads: Lemmy (from Motorhead) offers Top of the Pops a two F-k-All option

me visualizes the 2-fingered bird getting offered to the old music show

dampfnudel,

This made me laugh

csm10495,
@csm10495@sh.itjust.works

Also please test that it works before logging out. If it doesn’t work, disable it immediately.

For me 2FA on Lemmy is busted since it only supports an obscure version of TOTP that nothing I use (authy, Google auth, etc) supports.

There are various GitHub issues filed related to TOTP usability and Lemmy.

adam,

Lemmy supports true standard TOTP. Those apps listed are the obscure ones, they do their own wacky shit with the standards.

csm10495, (edited)
@csm10495@sh.itjust.works

I disagree. Per RFC, only SHA1 needs to be supported. These apps support SHA1.

Lemmy is using SHA256 which ‘may’ not ‘must’ be supported per RFC.

The standard is SHA1… it is a ‘must be supported’. Every other website I use TOTP with works with all these apps. Lemmy is the outlier via using SHA256.

Edit to add RFC reference:

    As defined in [RFC4226], the HOTP algorithm is based on the
    HMAC-SHA-1 algorithm (as specified in [RFC2104]) and applied to an
    increasing counter value representing the message in the HMAC
    computation.

    ...

    TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
    based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the
    HMAC-SHA-1 function that has been specified for the HOTP computation
    in [RFC4226].

In: datatracker.ietf.org/doc/html/rfc6238
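
The mismatch described in this thread (two apps showing two different codes for the same Lemmy secret, and an account that can be locked out if nothing is verified before saving) comes down to the hash function fed into HMAC. The following is an added example, not code from Lemmy or from anyone in the thread: a small RFC 4226/6238 implementation that generates codes under SHA-1, SHA-256 and SHA-512 from the same base32 secret, plus the server-side verification step a setup flow should run before it commits the secret. The secrets are the RFC 6238 Appendix B test seeds, not real account secrets.

```python
"""TOTP under HMAC-SHA1 vs HMAC-SHA256/512 (RFC 4226 / RFC 6238).

Added example for this thread; not Lemmy's code or any poster's code.
Secrets are the RFC 6238 Appendix B test seeds, not real account secrets.
"""
import base64
import hashlib
import hmac
import struct

# RFC 6238 test seeds, base32-encoded the way an otpauth:// URI carries them.
# In the RFC vectors each algorithm uses a seed as long as its hash output.
SEED_SHA1 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"                         # "12345678901234567890" (20 bytes)
SEED_SHA256 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA===="  # 32-byte seed
SEED_SHA512 = ("GEZDGNBVGY3TQOJQ" * 6) + "GEZDGNA="                        # 64-byte seed


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase, spaces and missing '=' padding."""
    cleaned = secret_b32.strip().replace(" ", "").rstrip("=").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret_b32: str, counter: int, algorithm: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over an 8-byte big-endian counter, then dynamic truncation.

    `algorithm` is a hashlib constructor name: "sha1", "sha256" or "sha512".
    """
    key = decode_base32_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, timestamp: int, algorithm: str = "sha1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, int(timestamp) // period, algorithm, digits)


def verify_totp(secret_b32: str, code: str, timestamp: int, algorithm: str = "sha1",
                digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps, comparing in constant time. A 2FA enrollment flow should require one
    successful pass of this check before the secret is saved to the account."""
    counter = int(timestamp) // period
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + step, algorithm, digits), code)
        for step in range(-window, window + 1)
    )


def codes_by_algorithm(secret_b32: str, timestamp: int, digits: int = 6) -> dict:
    """Same secret, same moment, each algorithm RFC 6238 permits."""
    return {alg: totp(secret_b32, timestamp, alg, digits) for alg in ("sha1", "sha256", "sha512")}


if __name__ == "__main__":
    import time
    now = int(time.time())
    codes = codes_by_algorithm(SEED_SHA1, now)
    print("Codes for one secret at the same moment:", codes)
    # A server that enrolled the secret with SHA-256 will not accept an
    # authenticator's SHA-1 code, even though both sides hold the same secret.
    accepted = verify_totp(SEED_SHA1, codes["sha1"], now, algorithm="sha256")
    print("SHA-1 code accepted by a SHA-256 server:", accepted)
```

Running it prints three different six-digit codes for one secret; an authenticator that ignores the `algorithm` parameter in the otpauth URI and falls back to SHA-1 will keep producing the first one while a SHA-256 server expects the second, which is exactly the "two different codes" symptom above. The `verify_totp` check is the missing step the thread asks for: enrollment should only persist the secret after the user's app has produced a code the server accepts.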

baronvonj,
@baronvonj@lemmy.world

The implementation doesn’t verify that you can generate valid tokens before updating your account and doesn’t give you any backup recovery tokens.

adam,

I agree with that

UnfortunateShort,

Lmao, Authy and Google Authenticator are probably among the most popular 2FA apps around

adam, (edited)

“Embrace, Extend, Extinguish”

Fuck Google
