Yeah, the Lemmy 2FA implementation sucks. It only works in certain authenticators - Authy not being one of them. Google Authenticator does work and apparently so does the iOS keychain (but can't confirm that one).

Best way to do it is to enable it and set it up but keep the settings window open, then open a separate incognito window and try to log in. If your 2FA code doesn't work, go back to the other settings window and disable it.

I'm surprised I haven't seen more posts yet about this. A rogue or compromised admin put JavaScript redirects on Lemmy.world as well as changed the name and some other things. The other admins removed the compromised admin, but then about 30 minutes later they were reinstated and started wreaking havoc again. The instance eventually went offline completely.

It works, but it's half-assed. The way Lemmy sets it up only works on a portion of authenticators, and ones like Authy isn't one of them. Then it also doesn't have a confirmation before enabling it, so you may think it's working but then get locked out of your account when you can't log in next time around.

The best way to test it is to enable 2FA and set up the code, but keep your Lemmy settings open. Then open an incognito window and see if you can log in using the 2FA code. If you can't, go back to the settings window and disable 2FA.

Ah, didn't realize they were already defederated. Still, admins should be on the lookout for an attack on Beehaw.