[Bug]: 2FA does not require a valid response to enable #3309
Comments
+1. Right now it also only generates a SHA256 digest TOTP, which is silently incompatible with things like Authy. Please add a verification to enable, otherwise folks are likely to get locked out.
Can confirm, you can lock yourself out of your account. I clicked enable 2FA, it said to use the link to set it up, but there was no link. I thought it may have you set it up during the next login, so I logged out. I am now locked out with no way of getting back in. A verification should absolutely have happened. It shouldn't be enabled until you enter the correct code.
Same... Locked out even before starting to use it.
2FA should definitely provide backup codes when enabling it, too. I was surprised this didn't happen.
So... how do we unlock ourselves, if we reloaded the page when we didn't see the 2FA link after "activating" it?? Asking for a friend...
If you're still logged in somewhere, go to settings and disable 2FA.
First time signing up, unfortunately I'm not logged in elsewhere. I hope, since this is clearly a bug, that they can disable 2FA with some sort of email verification when this is fixed.
Yikes... I don't know if email can be used to reset... maybe contact a server admin?
I'll see if I can do that. Appreciate it. I'll just follow the thread as well for now.
I emailed my local instance's admin email, told them what happened, explained the bug and shared this GitHub page. I also shared with them this comment in case they were unfamiliar with the issue or how to fix it. I was able to get in a few hours after I emailed them. At the very least, the admins at lemmy.world know how to fix it since they did for me successfully. I also tried again to see if I missed something. I am still not seeing a link. This method really does need to be adjusted to the standard method.
Good deal. Only, I don't know who my local instance admin would be. I'm 100% new to Lemmy. So I don't have much of a clue on how to reach out other than posting in what looked like a support forum.
Unfortunately, it's likely going to be different for every instance. I found the contact on the instance I use (lemmy.world) by going to the LemmyWorld community. In the side bar with the community description, it stated "Any support requests are best sent to [email protected] e-mail." So I sent an email there. Perhaps you could try something similar? Other than that, it's difficult to say. You could try searching instance support posts to see if there's any contact information available. The unfortunate reality of growing pains.
I recall seeing someone say that they used the forgot-password workflow and were able to get in that way. Apparently you need to enter your registered email address instead of your username for that to work. May be worth a shot.
Yeap! That worked. Interestingly, when it logged me in, 2FA was still active and I could see the initially promised button for the 2FA link. But I didn't click it. I just chose to remove 2FA. That logged me back out. But I was then able to log in without 2FA being prompted. Obviously the 2FA implementation needs some work. But I'm glad I was able to get around it while it's being looked into. Thanks, @mbentley.
FWIW, doing so logged me in and I was able to retrieve the link that never appeared. I set it up and can log in with it afterwards.
This no longer works, at least on lemmy.world. Waiting to hear back from the world support email.
I was having the same issue with Authy and Google Authenticator, but Aegis Authenticator worked for me. I'm back in my account now.
I locked myself out today because I enabled 2FA by mistake together with other stuff, saved, then realized that I had enabled 2FA and disabled it, and saved again.
I am experiencing this same issue, unfortunately while setting up my Lemmy instance, so I'm completely locked out.
If it is your own instance, here are the database commands to disable 2FA for a user:
I have seen those, but I literally don't know how to access the SQL shell of postgres. I've tried for about 3 hours now - I can't find any postgres roles (postgres does not exist, root does not exist...) when running psql on the docker postgres container. So how do I execute these commands?
@Nolram12345 The Matrix chat is probably a more appropriate/helpful place for general admin advice like this: https://matrix.to/#/#lemmy-support-general:discuss.online
I have seen it, unfortunately I do not use Matrix at this point in time (and I find it incredibly confusing to even attempt to use it). But all of that is unrelated to the original issue.
Happened to me too: enabled 2FA, tried to use the button but nothing happened. Copied the code from the URL into my Bitwarden, logged out and was locked out... Found a way to get back in though! Hope this helps people.
While it's good you're able to use this to get back in, this is another issue in and of itself. It entirely defeats the purpose of 2FA if you can get into the account with one authentication method. I don't know if this is already a ticket, but if not it probably should be.
I'm glad that this password reset has been fixed, but the fact that 2FA still locks users out is HUGE.
I managed to lock myself out, this is important.
I locked myself out of lemmy.world earlier today due to this. Password reset didn't work. As others have said, a 2FA implementation that DoSes the user on logout but may be bypassed by a password reset request is dangerous at the very least.
This has already been merged, it'll be in the next release.
Requirements
Summary
2FA does not require a valid response to enable. This can lead to users getting locked out of accounts that are not able to prove they have properly configured their authenticator.
Steps to Reproduce
Technical Details
Firefox, but affects all platforms
Version
0.18.0
Lemmy Instance URL
No response
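The behaviour the thread asks for, shown as an added example that is not Lemmy's own code: an RFC 6238 TOTP implementation that supports both the SHA-1 digest most authenticator apps expect and the SHA-256 digest the report mentions, an enrollment flow that keeps 2FA disabled until the user submits a code that verifies against the new secret, and single-use backup codes issued at that moment. The user-record field names, the issuer string, the 8-code backup count and the ability to pass a fixed secret into `begin_enrollment` are assumptions made for illustration.

```python
# Added example: verify-before-enable TOTP enrollment. Not Lemmy's code;
# the user-record fields, issuer and backup-code count are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP; RFC 6238 allows sha256/sha512 as the HMAC digest."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30,
                digits: int = 6, algorithm: str = "sha1") -> bool:
    """Constant-time match against the current period and +/- `window` neighbours."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits, algorithm)
        ok |= hmac.compare_digest(expected, code)  # no early return
    return ok


def begin_enrollment(user: dict, issuer: str = "example.invalid",
                     algorithm: str = "sha1", secret: Optional[bytes] = None) -> str:
    """Step 1: mint a pending secret and return the otpauth:// URI to show as a QR code.
    2FA stays OFF; nothing in the login path reads the pending_* fields."""
    user["pending_totp_secret"] = secret or secrets.token_bytes(20)
    user["pending_totp_algorithm"] = algorithm
    b32 = base64.b32encode(user["pending_totp_secret"]).decode().rstrip("=")
    label = quote(f"{issuer}:{user['name']}")
    # sha1 is the digest every common app supports; advertise anything else explicitly.
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm.upper()}&digits=6&period=30")


def confirm_enrollment(user: dict, code: str, now: Optional[int] = None) -> Optional[list]:
    """Step 2: enable 2FA only once a code from the enrolled app verifies.
    Returns fresh backup codes on success, None (2FA still off) otherwise."""
    secret = user.get("pending_totp_secret")
    if secret is None:
        return None
    now = int(time.time()) if now is None else now
    if not verify_totp(secret, code, now, algorithm=user["pending_totp_algorithm"]):
        return None  # wrong or missing code: the user cannot lock themselves out
    user["totp_secret"] = secret
    user["totp_algorithm"] = user.pop("pending_totp_algorithm")
    del user["pending_totp_secret"]
    backup = [secrets.token_hex(5) for _ in range(8)]  # 8 x 10-hex-char codes (assumed)
    user["backup_code_hashes"] = {hashlib.sha256(c.encode()).hexdigest() for c in backup}
    return backup  # display once; only the hashes persist


def use_backup_code(user: dict, code: str) -> bool:
    """Single-use recovery: remove the matching hash so the code cannot be replayed."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in user.get("backup_code_hashes", set()):
        user["backup_code_hashes"].discard(h)
        return True
    return False
```

The point of the split into `begin_enrollment` and `confirm_enrollment` is that the only write to `totp_secret` sits behind a successful `verify_totp`, so a user who closes the page or never scans the QR code is left exactly where they started. The backup codes are the recovery path the thread wanted, and they are issued only at the moment 2FA actually turns on, so a user can never hold codes for a factor that is not enabled.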