darrsil@beehaw.org 15 points 1 year ago

Yeah, the Lemmy 2FA implementation sucks. It only works in certain authenticators - Authy not being one of them. Google Authenticator does work and apparently so does the iOS keychain (but can't confirm that one).

Best way to do it is to enable it and set it up but keep the settings window open, then open a separate incognito window and try to log in. If your 2FA code doesn't work, go back to the other settings window and disable it.

darrsil@beehaw.org 27 points 1 year ago

I'm surprised I haven't seen more posts yet about this. A rogue or compromised admin put JavaScript redirects on Lemmy.world as well as changed the name and some other things. The other admins removed the compromised admin, but then about 30 minutes later they were reinstated and started wreaking havoc again. The instance eventually went offline completely.

darrsil@beehaw.org 7 points 1 year ago

It works, but it's half-assed. The way Lemmy sets it up only works on a portion of authenticators, and ones like Authy aren't among them. Then it also doesn't have a confirmation before enabling it, so you may think it's working but then get locked out of your account when you can't log in next time around.

The best way to test it is to enable 2FA and set up the code, but keep your Lemmy settings open. Then open an incognito window and see if you can log in using the 2FA code. If you can't, go back to the settings window and disable 2FA.

darrsil@beehaw.org 21 points 1 year ago

Ah, didn't realize they were already defederated. Still, admins should be on the lookout for an attack on Beehaw.

173
submitted 1 year ago by darrsil@beehaw.org to c/support@beehaw.org

I would be cautious about viewing any Lemmy.world communities right now, and the Beehaw admins should make sure their credentials are locked down in case they get targeted next.

darrsil

joined 1 year ago