18
submitted 1 year ago* (last edited 1 year ago) by Kalcifer@lemmy.world to c/nostupidquestions@lemmy.world

When I click the set up 2FA thing in the account settings I then see the following

That button contains a link with a secret key, and some other things. What am I supposed to do with it? I want to set the 2FA up to use my authenticator on my phone.

top 9 comments
sorted by: hot top controversial new old
[-] lazyvar@programming.dev 9 points 1 year ago* (last edited 1 year ago)

Current 2FA implementation in Lemmy is a bit janky with the risk of being locked out.

First things first: DO NOT UNDER ANY CIRCUMSTANCES LOG OUT UNTIL YOU’RE 100% SURE YOUR AUTHENTICATOR WORKS AND THAT YOU CAN LOGIN USING ITS GENERATED 2FA CODE

Now that that’s out of the way, here are some steps to follow:

  1. Ideally clicking on that button will open your authenticator which will then prompt you to select login credentials to attach it to; if it doesn’t and you instead are lead to a URL with a secret key or if you right click and you can copy that URL, then you need to manually copy the URL and paste it in the 2FA section of your authenticator or password manager
  2. Once you’ve figured this out don’t log out, instead open a private browser window and test to see if you can login with your credentials + 2FA

If you can’t get it to work then you can disable it in the window you’re still logged into.

If you share which authenticator you use, people might be able to give you more specific instructions to get you through step 1.

Whatever you do, don’t log out. You will be locked out!
Unlike most common implementations, there is no built in step to verify if you can successfully generate a TOTP before 2FA is fully enabled.

[-] CowboyBobo@lemdit.com 2 points 1 year ago

If you do lock your self out, reset your password and after that it will log you back in. You can disable 2fa in the settings.

[-] lazyvar@programming.dev 1 points 1 year ago

That sounds like a gaping security hole, but with how likely it is that you lock yourself out with the current 2FA implementation, I can't be mad about it.

If all else fails you could also reach out to the admin of your instance I suppose and see if they can disable 2FA on your account, but I figured it's best to avoid the headache altogether and just not log out until you're 100% the 2FA works properly.

[-] Bushwhack@lemmy.world 2 points 1 year ago

I use Memmy and used wefwef to confirm the 2FA after I setup the code in the web client. Very janky. But I guess it works?

[-] lazyvar@programming.dev 1 points 1 year ago

That's also a good way of verifying! As long as you go through the login process somewhere different than your current browser window you should be able to make sure it works properly.

[-] Monologue@lemmy.zip 5 points 1 year ago* (last edited 1 year ago)

the way 2fa works is that there is a "seed", the secret key that you mentioned. this is what will be creating the timed codes. in most applications this will be converted to a qr code for ease but you can still import it to your app of choice or use an extension to convert it to a qr code like @wigglingwalrus@lemm.ee said

if you are interested here is a good video about it

[-] JackOfAllTraits@lemmy.world 2 points 1 year ago

If the link provides a key, you should go into your 2FA app of choice and import the key. That should be about it...

[-] redcalcium@c.calciumlabs.com 1 points 1 year ago* (last edited 1 year ago)

I'm using bitwarden, so I'll just copy the 2fa installation link, then pasted it into the authenticator key field in bitwarden and done. You're going to need to have paid bitwarden subscription or self-hosted vaultwarden server in order to use bitwarden as 2FA client though.

Note that your 2FA installation link contains your 2FA secret key, so don't save it anywhere else but your password manager.

[-] WigglingWalrus@lemm.ee 1 points 1 year ago

If you click that link on your phone, it should open your 2FA app and add it. Alternatively, you can get browser extensions to convert it to a QR code and scan it like normal on your phone.

load more comments
view more: next ›
this post was submitted on 04 Jul 2023
18 points (100.0% liked)

No Stupid Questions

35764 readers
1026 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS