Given the recent attack, I think this is a good opportunity to remind of the importance of using 2FA.
(although it doesn’t appear to make any difference in this case as session cookies were being exploited so login credentials were not needed)
But for me at least, this event has made me go back and take another shot at setting up 2FA.
I am happy to report I finally got it working on all my Lemmy accounts/instances, so I thought I’d share some tips:
- I still haven’t figured out how to set up via desktop, use a mobile browser.
- Follow these steps:
- Check the enable 2fa box on your account settings and click Save
- A message will show about a button appearing when the page refreshes
- The button usually doesn’t appear for me at first.
- You can simply manually refresh the page at this point to make the button appear
- The button should now be visible. Click the button.
- This opens a
otpauth://
link which on a mobile device should be handled by a 2FA app if you have one installed.
- Authy does not work: It will generate a code happily but that code will not work when you try to login to your Lemmy account.
- Google Authenticator worked for me. It appears the type of TOTP code Lemmy is using is not compatible with some authenticator apps.
- I think if you can find a desktop app that registers as a provider for the
otpauth://
links it may be possible to do on desktop as well. - You can also pull the
secret=
value from the link to manually add it to an authenticator on/from desktop.
After several failed attempts previously, I finally figured out Authy was the problem and I have now secured all my Lemmy accounts with 2FA. Annoying that I have to use GA, but that appears to be an Authy issue not a Lemmy one.
2FA might not have made any difference today but it very well might in the future.
Stay safe everyone! 🔐
Is there a way to get backup codes? I enabled 2FA, but I don’t see anywhere to generate them.
I couldn’t find backup codes but I was able to perform a password reset which logged me in and let me disable or reconfigure 2fa.
Seems strange that you could remove 2FA without being forced to authenticate via 2FA first.