Admins yes. But maybe regular users should avoid Lemmy’s 2FA implementation for now (unless they have lots of experience with this).
With the current implementation it’s way too easy for an average user to attempt to get this set up & get themselves locked out of their own Lemmy account.
Lemmy doesn’t display a QR code like every other website/app using 2FA
Lemmy doesn’t force the user to successfully test that the 2FA is working before saving the changes
Lemmy doesn’t give the user any backup codes, unclear what the procedure is if you don’t have a backup code, lose your 2FA device and need to reset
Lemmy’s 2FA implementation is SHA256, not all 2FA apps support that (e.g. I tried adding this to both Google Authenticator and andOTP and came out with 2 different 2FA codes, maybe because Google’s app doesn’t support SHA256)
In the end I got nervous & was unsure which if any of my apps were working with Lemmy’s 2FA so disabled it for now. It’ll get better in a future update, just saying be careful going through the current setup.
Admins yes. But maybe regular users should avoid Lemmy’s 2FA implementation for now (unless they have lots of experience with this).
With the current implementation it’s way too easy for an average user to attempt to get this set up & get themselves locked out of their own Lemmy account.
In the end I got nervous & was unsure which if any of my apps were working with Lemmy’s 2FA so disabled it for now. It’ll get better in a future update, just saying be careful going through the current setup.
I use Bitwarden and was surprised that it supported Lemmy’s 2FA implementation. I tested it in incognito so I could undo it if needed.