Right now, 2FA is half-baked. You can enable it and it gives you a link to sync it to an authenticator app, which only works on mobile. But there’s no confirmation required to enable it, so you may think it’s working with your code but it doesn’t take. This will lock people out of accounts.

It really should be disabled until it’s fully fleshed out. In the meantime, give us the option to send 2FA codes to the verified email on file.

UPDATE: Read this post here: https://lemmy.sdf.org/post/405431

It’s clear that the Lemmy implementation of 2FA is flawed as it a) doesn’t work with all authenticator apps, and b) doesn’t verify the code is working before it enables 2FA on the account.

It needs to be disabled until this is fixed.

  • MxWarp@lemmy.ca
    1 year ago

    No complaints here, seamless integration of both password & 2FA with iCloud keychain!

    • darrsil@lemmy.worldOP
      1 year ago

      Except you didn’t confirm your 2FA codes to enable 2FA. You also don’t have backup codes you can download.

      It may have worked for you, but that doesn’t mean it’s working properly.

      • MxWarp@lemmy.ca
        1 year ago

        In iOS, the activation of 2FA is an automated process, eliminating the need for a separate 2FA code to confirm its enablement.

        I agree with your observation regarding the unavailability of backup codes for download.

        • darrsil@lemmy.worldOP
          1 year ago

          It may be automated on the OS end, but does it confirm back with the website to make sure the codes are the same?

          • MxWarp@lemmy.ca
            1 year ago

            You can easily verify if 2FA is set up correctly during your next login. I’m having trouble identifying the problem in this situation.

            • darrsil@lemmy.worldOP
              1 year ago

              Because you want to verify 2FA is set up correctly before you log in again. What if it isn’t, and now you’re locked out of your account with no backup code?

              • MxWarp@lemmy.ca
                1 year ago

                I’m starting to suspect that you haven’t experienced the convenience of automated 2FA key implementation. Instead of scanning a QR code, the website automatically prompts and opens your password manager to insert and set up the 2FA verification key.

                This streamlined process not only saves time but also enhances security by eliminating any potential man-in-the-middle attack, as the website itself takes care of the necessary steps.

                I highly recommend trying it sometime as it offers a remarkably seamless and secure experience.

                • darrsil@lemmy.worldOP
                  1 year ago

                  That doesn’t address the issue. Yeah, that makes setting up a code easy on your device - but the code still should be verified and confirmed as working by the website before 2FA is enabled on the account.

                  Case in point: I used your revered “automated 2FA key implementation” for Lemmy in Authy. It set up the account in my Authy list, and 2FA was supposed to be working. I opened an incognito tab, went to log in, put in my 2FA code and… it didn’t work.

                  Luckily, I still had my settings open in my other window and was able to deactivate 2FA.

                  The code should be tested and confirmed by the site before it’s enabled. Otherwise you can easily get locked out of your account. This is standard practice when implementing 2FA on websites.
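
The confirm-before-enable enrollment flow this thread argues for, as an added example that is not Lemmy's code and not part of any comment above. The `Account` class and its method names are hypothetical; the TOTP function follows RFC 6238 with its default HMAC-SHA1 algorithm.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP using HMAC-SHA1, the RFC's default algorithm."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:  # hypothetical server-side account record
    def __init__(self):
        self.totp_secret = None      # enforced at login only when set
        self.pending_secret = None   # issued to the app, not yet proven to work
        self.backup_codes = []

    def begin_enrollment(self):
        # Hand the secret to the authenticator app, but do NOT enforce 2FA yet.
        self.pending_secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.pending_secret

    def confirm_enrollment(self, code, now=None):
        # Enable 2FA only once the user's app produces a code the server accepts.
        now = time.time() if now is None else now
        if self.pending_secret is None:
            return None
        # Tolerate one time step of clock drift in either direction.
        valid = any(hmac.compare_digest(totp(self.pending_secret, now + d), code)
                    for d in (-30, 0, 30))
        if not valid:
            return None              # account stays password-only: no lockout
        self.totp_secret, self.pending_secret = self.pending_secret, None
        # Backup codes are issued at the moment 2FA becomes mandatory.
        self.backup_codes = [secrets.token_hex(5) for _ in range(8)]
        return self.backup_codes

    def login_requires_2fa(self):
        return self.totp_secret is not None
```

If the authenticator app derives different codes from the server (for example because it ignores a parameter the server relies on), `confirm_enrollment` fails and the account remains reachable with the password alone.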