lemmy
[Bug]: 2FA does not require a valid response to enable
Requirements
- [X] Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
- [X] Did you check to see if this issue already exists?
- [X] Is this only a single bug? Do not put multiple bugs in one issue.
- [X] Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.
Summary
2FA does not require a valid response to enable. This can lead to users getting locked out of accounts that are not able to prove they have properly configured their authenticator.
Steps to Reproduce
- Setup 2FA
- Logout without setting up 2FA successfully (but really don't do this)
Technical Details
Firefox, but affects all platforms
Version
0.18.0
Lemmy Instance URL
No response
+1. Right now it also only generates a SHA256 digest TOTP, which is silently incompatible with things like Authy. Please add a verification to enable, otherwise folks are likely to get locked out.
Can confirm, you can lock yourself out of your account. I clicked enable 2FA, it said to use the link to set it up, but there was no link. I thought it may have you set it up during the next login, so I logged out. I am now locked out with no way of getting back in. A verification should absolutely have happened. It shouldn't be enabled until you enter the correct code
Same... Locked out even before starting using it.
2FA should definitely provide backup codes when enabling it, too. I was surprised this didn't happen.
So....how do we unlock ourselves, if we reloaded the page when we didn't see the 2fa link after "activating" it?? Asking for a friend.....
If you're still logged in somewhere, go to settings and disable 2fa.
First time signing up, unfortunately I'm not logged in elsewhere.
I hope, since this is clearly a bug, that they can disable 2fa with some sort of email verification when this is fixed.
Yikes.. I don't know if email can be used to reset.. maybe contact a server admin?
I'll see if I can do that. Appreciate it. I'll just follow the thread as well for now.
I emailed my local instance's admin email, told them what happened, explained the bug and shared this GitHub page. I also shared with them this comment in case they were unfamiliar with the issue or how to fix it. I was able to get in a few hours after I emailed them. At the very least, the admins at lemmy.world know how to fix it since they did for me successfully.
I also tried again to see if I missed something. I am still not seeing a link. This method really does need to be adjusted to the standard method.
Good deal. Only, I don't know who my local instance admin would be. I'm 100% new to Lemmy. So I don't have much of a clue on how to reach out other than posting in what looked like a support forum.
Unfortunately, it's likely going to be different for every instance. I found the contact on the instance I use (lemmy.world) by going to the LemmyWorld community. In the side bar with the community description, it stated "Any support requests are best sent to [email protected] e-mail." So I sent an email there. Perhaps you could try something similar? Other than that, it's difficult to say. Could try searching instance support posts to see if there's any contact information available. The unfortunate reality of growing pains.
I thought I recall seeing someone say that they used the forgot password workflow and they were able to get in that way. Apparently you need to enter your registered email address instead of your username for that to work. May be worth a shot.
Yeap! That worked. Interestingly, when it logged me in, 2FA was still active and I could see the initially promised button for the 2FA link. But I didn't click it. I just chose to remove 2FA. That logged me back out. But I was then able to log in without 2FA being prompted.
Obviously the 2FA implementation needs some work. But I'm glad I was able to get around it while it's being looked into.
Thanks, @mbentley.
> I thought I recall seeing someone say that they used the forgot password workflow and they were able to get in that way. Apparently you need to enter your registered email address instead of your username for that to work. May be worth a shot.
FWIW doing so logged me in and I was able to retrieve the link that never appeared. I set it up and can log in with it afterwards.
> I thought I recall seeing someone say that they used the forgot password workflow and they were able to get in that way. Apparently you need to enter your registered email address instead of your username for that to work. May be worth a shot.
This no longer works, at least on lemmy.world. Waiting to hear back from the world support email.
I was having the same issue with Authy and Google Authenticator, but Aegis Authenticator worked for me. I'm back in my account now.
I locked myself out today because I enabled 2FA by mistake together with other stuff, saved, then realized that I had enabled 2FA and disabled it, and saved again. Now I'm locked out of my account because it still asks for 2FA, even if I disabled it. This is on lemmy.world. Resetting the password as suggested above doesn't work. Now what?
I am experiencing this same issue, unfortunately while setting up my Lemmy instance, so I'm completely locked out.
If it is your own instance, here are the database commands to disable 2FA for a user:
https://github.com/LemmyNet/lemmy/issues/3325#issuecomment-1605732490
I have seen those, but I literally don't know how to access the SQL shell of postgres. I've tried for about 3 hours now - I can't find any postgres roles (postgres does not exist, root does not exist...) when running psql on the docker postgres container.
So how do I execute these commands?
@Nolram12345 The matrix chat is probably a more appropriate/helpful place for general admin advice like this: https://matrix.to/#/#lemmy-support-general:discuss.online
I have seen it, unfortunately I do not use Matrix at this point in time (and I find it incredibly confusing to even attempt to use it).
But all of that is unrelated to the original issue. I think there should probably be an easier way or documented workaround for cases of account lockout due to the faulty 2FA system.
Happened to me too: enabled 2FA, tried to use the button but nothing happened. Copied the code from the URL into my Bitwarden, logged out and was locked out...
Found a way to get back in though! Was thinking, since the 2FA is badly implemented maybe a password reset will help, :thinking: no way, oh well, let's try. When you reset your password you are logged into your account and can disable 2FA.
Hope this helps people.
> When you reset your password you are logged into your account and can disable 2FA.
While it's good you're able to use this to get back in, this is another issue in and of itself. It entirely defeats the purpose of 2FA if you can get into the account with one authentication method. Idk if this is already a ticket, but if not it probably should be.
I'm glad that this password-reset has been fixed, but the fact that 2FA still locks users out is HUGE.
I managed to lock myself out, this is important.
I locked myself out of lemmy.world earlier today due to this. Password reset didn't work. As others have said, a 2FA implementation that DOSes the user on logout but may be bypassed by a password reset request is dangerous at the very least.
This has already been merged, it'll be in the next release.