Hey everyone, still on the iOS train for the time being, and want to enable 2FA for my Lemmy account. Currently the way this is done, it gives a link and that link opens in Keychain by default; however, I want to add the token to 2FAS. Anyone know how to do this?

  • m-p{3}A
    9 months ago

    Copy the link on the 2FA installation link button in your Lemmy account settings and put in the secret= value inside the Secret Key (required) field of 2FAS (heads up, it’s going to be fairly long), and under additional info you need to change the Algorithm to SHA256. Everything else stays the same.

    Another way would be to use an addon (ex: on Firefox) to generate a QR code from your desktop browser by right-clicking the 2FA installation link and clicking QR code from link, then scan the QR code into 2FAS.

    Always make sure you have a backup of your 2FAS data, either local or cloud-based.

  • Dsklnsadog@lemmy.dbzer0.com
    9 months ago

    Can we agree that the 2FA is terribly implemented here in Lemmy?

    Also U2F would be nice. I don’t know, security must be number 1 priority when you design a social network.

    • Rootiest@lemm.ee
      9 months ago

      I don’t think this is Lemmy’s fault.

      All they did was use the more secure SHA256 algorithm.

      AFAIK this issue is the result of 2FA apps not properly setting the algorithm as specified (or in some cases not even supporting it).

  • Sean@infosec.pub
    9 months ago

    If you copy the link does it start with top otpauth:// or something like it? You may be able to copy that link, go into your 2FA app & paste that in, or parse out the Secret part to paste in.
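The manual route described in the replies above (pull the `secret=` value out of the `otpauth://` link and set the algorithm to SHA256), as an added example that is not part of the original thread and not Lemmy's or 2FAS's code. The sample link is constructed from the RFC 6238 SHA256 test key, so its `digits=8` and label are assumptions taken from that test vector, not values Lemmy issues.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: RFC 6238 SHA256 test key, not a real account secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890123456789012").decode().rstrip("=")
SAMPLE_URI = ("otpauth://totp/Lemmy:example_user?secret=" + SAMPLE_SECRET
              + "&algorithm=SHA256&digits=8&period=30&issuer=Lemmy")

def parse_otpauth(uri):
    """Split an otpauth:// link into the fields a manual-entry form asks for."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp link")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("link has no secret= parameter")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"].replace(" ", "").upper(),
        "algorithm": q.get("algorithm", "SHA1").upper(),  # SHA1 when absent
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def totp(secret_b32, at, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP for Unix time `at`."""
    # Links usually strip base32 padding; restore it before decoding.
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def codes_for(uri, at):
    """Return (code the server expects, code from an app that ignores algorithm=)."""
    f = parse_otpauth(uri)
    expected = totp(f["secret"], at, f["algorithm"], f["digits"], f["period"])
    sha1_fallback = totp(f["secret"], at, "SHA1", f["digits"], f["period"])
    return expected, sha1_fallback

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI))   # values to type into the manual-entry form
    print(codes_for(SAMPLE_URI, 59))   # the two codes differ
```

If the authenticator's codes match the second value rather than the first, it imported the secret but fell back to SHA1, which is the failure mode discussed in this thread.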

  • cheese_greater@lemmy.world
    9 months ago

    Not that it applies here, but I’ve run into situations where even when copying the secret in text form and importing it didn’t end up working.

    What does almost always work is taking a photo of the screen showing the QR with another device and then using the current device to scan the QR on the other screen. Obviously you need another device with a decent camera but there you have it.

    • Em Adespoton
      9 months ago

      On iOS you can just screenshot the code and open it in photos, and have it work from there just like from the camera.

      And for me, when 2fa is needed, I enter my u/p, and then Lemmy says authentication failed and it presents me with u/p/2fa, which all get auto-populated by keychain.

      • cheese_greater@lemmy.world
        9 months ago

        I’ll just warn you that if you use Apple’s keychain, you are vulnerable to all of the various zero-click zero-day nonsense that’s been in the news. Like, obv you’re unlikely to be specifically targeted but when you use Apple stock stuff, you’re vulnerable to all that. It’s becoming more likely that this is intentional as a backdoor to all the other protections that get touted.

        Other password managers allow for the possibility of keyfiles and 2FA so I would reevaluate if you can. You are not “safe” and at some point one of these hacks is going to hit mainstream à la LastPass and I just want to make sure you’re pre-warned.

        At the very least, get your ass on Lockdown mode since it invalidates these attacks, for the most part and as far as we know. Also disable iMessage and FaceTime if possible.

        • alcyoneous@midwest.social
          9 months ago

          Any source for it as a back door? I hadn’t heard anything about that nor did a quick internet search turn up anything.

          • cheese_greater@lemmy.world
            9 months ago

            That’s technically conjecture but iMessage and WebKit and iCloud Calendar have had zero-day after zero-day zero-click exploits because they don’t sandbox properly. And when it gets exploited, it goes to the very root of your phone. It gets them everything as opposed to 3rd party messengers like Signal or WhatsApp that are limited to their own secured sandbox.

            This has happened over and over again and iMessage is often the common denominator, as it was most recently. At a certain point, you have to wonder if something that’s turned on by default (opt-out) that uses your number and where you can’t block unknown numbers from sending you shit isn’t that backdoor that was requested years ago and likely persistently even now. Also your messages are likely fully readable by Apple since iCloudBackup helpfully includes a key alongside it for easy decryption.