LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

People are getting locked out because of 2FA #3325

Closed kartikynwa closed 1 year ago

kartikynwa commented 1 year ago

Requirements

Is your proposal related to a problem?

When people are turning on 2FA, they get the URI for TOTP generation and 2FA is locked in. If people don't know what to do with this URI they get locked out of their account. I have seen two instances of this personally.

Describe the solution you'd like.

What other services do is ask the user to generate a TOTP using the QR code or URI and verify it before locking in 2FA configuration.

Describe alternatives you've considered.

I really think this is the most sensible solution.

Additional context

No response

XtremeOwnageDotCom commented 1 year ago

I can confirm, I did enable 2FA after updating to 0.18.

After noticing the option for 2FA, I enabled it, copied the code, and placed into my authenticator app.

After which, I opened my site in a new incognito browser, and attempted to test the 2FA login. After noticing it failed to properly authenticate the 2FA code, I WAS able to go and disable 2FA, however-

#1544 is already opened in lemmy-ui to implement a QR-code.

As well, it would be a very good idea for the UI to require a valid 2FA code, before saving the 2FA configuration, to prevent users from being locked out.

XtremeOwnageDotCom commented 1 year ago

I went ahead and opened the above ticket in lemmy-ui, to require a validated 2FA code, before 2FA is enabled. That should resolve this issue.

RocketDerp commented 1 year ago

Please, anyone have SQL statements to share to repair broken users, to turn it off for them? Thank you.

kartikynwa commented 1 year ago

@RocketDerp

```sql
-- Clear the stored TOTP secret and URI for one local user, looked up by person name
UPDATE local_user lu
SET totp_2fa_url = NULL, totp_2fa_secret = NULL
FROM person p
WHERE lu.person_id = p.id AND p.name = 'username';
```

I am typing from phone so just double check the query first.

XtremeOwnageDotCom commented 1 year ago

@RocketDerp

Above query is correct. Just verified since I have pgAdmin pulled up.

```sql
-- Same reset, keyed on the local_user id instead of the person name
UPDATE local_user
SET
    totp_2fa_secret = NULL
    , totp_2fa_url = NULL
WHERE
    id = 1;
```

techno156 commented 1 year ago

As an addition, would it make sense to also generate a set of backup codes for the user? That way, they wouldn't be locked out of the account if they lose access to 2FA, or accidentally close the window before verifying.

NettoHikari commented 1 year ago

Just to chime in here: I tried the generated secret in Bitwarden, which is what I use to generate TOTP tokens on the desktop and Lemmy wouldn't accept the generated tokens. So is this feature actually broken or did anyone enable 2FA successfully?

RocketDerp commented 1 year ago

Does the enterprise.lemmy.ml server have 2FA enabled for testing?

techno156 commented 1 year ago

> Does the enterprise.lemmy.ml server have 2FA enabled for testing?

That might be something to ask the server, rather than putting it here.

kartikynwa commented 1 year ago

@RocketDerp since it is running 0.18.0 it should have 2fa

dudeami0 commented 1 year ago

> Just to chime in here: I tried the generated secret in Bitwarden, which is what I use to generate TOTP tokens on the desktop and Lemmy wouldn't accept the generated tokens. So is this feature actually broken or did anyone enable 2FA successfully?

I was unable to generate a successful code using the Authenticator app on Ubuntu as well. I double checked the server time and my local time synced, so I don't think that was the issue.

swmarks commented 1 year ago

My TOTP tokens work fine from Aegis. One thing I'd be curious about is if people who are having issues are using the correct hash function in their auth app. I know the vast majority of TOTP tokens use SHA1 (i.e. I have over a dozen and literally all of my keys are SHA1 except for Lemmy). Lemmy uses SHA256, so if your OTP authenticator app doesn't support it or you didn't set your hash function to be SHA256 (instead of the likely default SHA1), that could be causing problems.

dudeami0 commented 1 year ago

> My TOTP tokens work fine from Aegis. One thing I'd be curious about is if people who are having issues are using the correct hash function in their auth app. I know the vast majority of TOTP tokens use SHA1 (i.e. I have over a dozen and literally all of my keys are SHA1 except for Lemmy). Lemmy uses SHA256, so if your OTP authenticator app doesn't support it or you didn't set your hash function to be SHA256 (instead of the likely default SHA1), that could be causing problems.

I was curious if this was the case. The default Authenticator app on Ubuntu is pretty simplistic, and I found no way to set the algorithms or get it to load the link that is generated. Maybe it would be best to default to SHA1 and provide the alternatives (SHA256 and SHA512 as described in RFC 6238) since SHA1 seems to be industry standard and secure for TOTP usage:

dessalines commented 1 year ago

I agree verifying it would be good. I had no idea authenticator apps wouldn't be smart enough to detect the SHA version in use. I just tested with two auth apps on android and they both worked.

kartikynwa commented 1 year ago

The URI can have ?algorithm=SHA256 param to specify the algorithm.

swmarks commented 1 year ago

> The URI can have ?algorithm=SHA256 param to specify the algorithm.

The URI provided by lemmy-ui actually does have that param, it just appears that it either isn't working properly when loading into people's auth app or SHA256 may not be supported in their app or something along those lines.

wpuckering commented 1 year ago

> The URI can have ?algorithm=SHA256 param to specify the algorithm.
>
> The URI provided by lemmy-ui actually does have that param, it just appears that it either isn't working properly when loading into people's auth app or SHA256 may not be supported in their app or something along those lines.

Bitwarden as one example does not support anything except for SHA-1 for TOTP.

swmarks commented 1 year ago

> The URI can have ?algorithm=SHA256 param to specify the algorithm.
>
> The URI provided by lemmy-ui actually does have that param, it just appears that it either isn't working properly when loading into people's auth app or SHA256 may not be supported in their app or something along those lines.
>
> Bitwarden as one example does not support anything except for SHA-1 for TOTP.

It's interesting you mention Bitwarden because I actually looked into that one and it looks like it should support SHA256...

But it's possible it's not importing the URI correctly. I haven't tried it myself even though I use Bitwarden for passwords because I think it's important for security not to store OTP's in the same place as passwords.

dudeami0 commented 1 year ago

This is probably due to the wording in RFC 6238:

> TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226].

Supporting SHA-256 and SHA-512 being a "MAY" instead of "MUST" indicates that TOTP can only support SHA-1 and be compliant, at least based on this standard.

wpuckering commented 1 year ago

I stand corrected on Bitwarden only supporting SHA-1. It does in fact support the other algorithms, but only if you input the entire otpauth://totp/ URI into the Authenticator Secret field, not just the actual secret itself. Seems like it requires that in order to know which algorithm to use.

I just tried it and it works perfectly.

swmarks commented 1 year ago

> This is probably due to the wording in RFC 6238:
>
> > TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 [SHA2] hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226].
>
> Supporting SHA-256 and SHA-512 being a "MAY" instead of "MUST" indicates that TOTP can only support SHA-1 and be compliant, at least based on this standard.

True, the way I read it is that you're not non-compliant with the spec if your server or client don't support the higher level algorithms. They're allowed by the spec, not required by it.

dudeami0 commented 1 year ago

I looked at the source for OTP in the Gnome Authenticator app and found it uses the pyotp package but only uses the default SHA-1 algorithm, with no means to change it. This and other implementations such as this (if they exist) are the only argument I can think of for defaulting to SHA-1.

Nutomic commented 1 year ago

Duplicate of #3309

romelsalwi commented 1 year ago

I've locked myself out after setting up 2FA. I still have the URL generated with me but I think I've misconfigured it on keepassxc.

I have selected the correct algo (SHA256) but keepassxc additionally asks for "time step" and "code size".

It would be nice to verify 2FA while setting it up.

deception-andpitfalls commented 1 year ago

Got locked up after signing up in the instance mentioned below, enabled 2FA but the link didn't appear after the page reloaded & couldn't be disabled.

Can a countermeasure be implemented such as allowing the user to disable it while in the first session?

https://lemmy.blahaj.zone

Just to be clear it didn't happen with other instances.

romelsalwi commented 1 year ago

> Got locked up after signing up in the instance mentioned below, enabled 2FA but the link didn't appear after the page reloaded & couldn't be disabled.
>
> Can a countermeasure be implemented such as allowing the user to disable it while in the first session?
>
> https://lemmy.blahaj.zone
>
> Just to be clear it didn't happen with other instances.

If you used an email, you can disable 2FA after generating a new password for the account.

deception-andpitfalls commented 1 year ago

> Got locked up after signing up in the instance mentioned below, enabled 2FA but the link didn't appear after the page reloaded & couldn't be disabled.
>
> Can a countermeasure be implemented such as allowing the user to disable it while in the first session?
>
> https://lemmy.blahaj.zone
>
> Just to be clear it didn't happen with other instances.
>
> If you used an email, you can disable 2FA after generating a new password for the account.

Didn't know that, thanks for taking the time to reply.

BryceDMonaco commented 1 year ago

> Got locked up after signing up in the instance mentioned below, enabled 2FA but the link didn't appear after the page reloaded & couldn't be disabled. Can a countermeasure be implemented such as allowing the user to disable it while in the first session? https://lemmy.blahaj.zone Just to be clear it didn't happen with other instances.
>
> If you used an email, you can disable 2FA after generating a new password for the account.

This did not work on lemmy.world when I tried today. Maybe something was disabled related to the breach they had earlier today/last night.

stark1tty commented 1 year ago

Locked out using Authy today. The weird thing is it seemed to work before...

XtremeOwnageDotCom commented 1 year ago

IF only there was a Simple Solution to keep people from getting locked out.....

bmeulmeester commented 1 year ago

I got locked out of my lemmy.world account because of this weird implementation after which I was unable to log back into my account. What I did to get back in was request a password reset using the "Forgot password" link on the login page. After resetting my password with my existing password (which you could also consider a security flaw) I got logged in and was able to remove the 2FA from my account.

adancau commented 1 year ago

I locked myself out today because I enabled 2FA by mistake together with other stuff, saved, then realized that I had enabled 2FA and disabled it, and saved again. Now I'm locked out of my account because it still asks for 2FA, even if I disabled it. This is on lemmy.world. Resetting the password as suggested above doesn't work. Now what?

TC68 commented 1 year ago

I have the same problem as @adancau

lprell commented 1 year ago

Yep. Can confirm this. Locked out after enabling 2FA, "nothing happens" on the main page (at least nothing changed that I immediately could see), disabled 2FA just in case. Next login asks for 2FA...

gitwittidbit commented 1 year ago

> `UPDATE local_user SET totp_2fa_secret = null , totp_2fa_url = null WHERE id = 1`

Thanks for this!

Unfortunately, I seem to be too stupid to pull this off...

I enter the Postgres docker container, start psql using the username and database name with which the database was set up, open the editor, type in the above commands and close the editor again. psql executes the commands but when I try to log in, I am still being asked for the 2fa code...

Any idea what I might be doing wrong? (I'm on 0.18.3)

techno156 commented 1 year ago

> `UPDATE local_user SET totp_2fa_secret = null , totp_2fa_url = null WHERE id = 1`
>
> Thanks for this!
>
> Unfortunately, I seem to be too stupid to pull this off...
>
> I enter the Postgres docker container, start psql using the username and database name with which the database was set up, open the editor, type in the above commands and close the editor again. psql executes the commands but when I try to log in, I am still being asked for the 2fa code...
>
> Any idea what I might be doing wrong? (I'm on 0.18.3)

Check that the ID is correct for the user that you want to change. If you're not the first user, you may need to change the id value appropriately.

gitwittidbit commented 1 year ago

> Check that the ID is correct for the user that you want to change. If you're not the first user, you may need to change the id value appropriately.

Yeah, this is about my admin user and it is so far the only user. Hence, id=1 should be correct, unless the count starts with 0?

SigHunter commented 1 year ago

2FA is imho currently broken, as many here stated. Tried it on my instance feddit.de with 0.18 and now with 0.18.4 with the Authy app and I can never log in as the generated codes are not accepted (about a dozen times, as I thought I'm doing something wrong). I could recover my account in the past (0.18) by resetting the password. This does not work anymore. With 0.18.4 I recovered because I still had the otpauth link and Aegis can generate the correct codes with that (the codes are different to those Authy generates).

dessalines commented 1 year ago

3309 is the correct issue, that should make people verify their generated code before it saves, rather than let you enable it without verifying with broken auth apps that ignore the ?algorithm=SHA256 like Authy.

I've tested 2FA with 3 different android auth apps, and they all work correctly, so if your auth app ignores the spec, you should open up issues on their respective repos.
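A self-contained illustration of what this thread is circling around: an otpauth URI parser that honours the `?algorithm=` param, an RFC 6238 TOTP generator that can run with SHA1 or SHA256 over the same secret, and the verify-before-save check that 3309 asks for. This is added example code, not Lemmy's or lemmy-ui's own implementation; `SAMPLE_URI` and its secret are constructed values and `verify_before_enable` is a hypothetical name.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample, not a real account: the shape of URI lemmy-ui hands out,
# including the algorithm param that some authenticator apps drop on import.
SAMPLE_URI = ("otpauth://totp/lemmy:alice?secret=JBSWY3DPEHPK3PXP"
              "&issuer=lemmy&algorithm=SHA256&digits=6&period=30")


def parse_otpauth(uri):
    """Return (secret, algorithm, digits, period); defaults SHA1/6/30 as in RFC 6238."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = parse_qs(p.query)
    algorithm = q.get("algorithm", ["SHA1"])[0].upper().replace("-", "")
    return q["secret"][0], algorithm, int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0])


def totp(secret_b32, algorithm="SHA1", digits=6, period=30, at=None):
    """RFC 6238: HOTP (RFC 4226) over the time-step counter, HMAC keyed with the chosen hash."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // period)
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_before_enable(uri, submitted, at=None, skew=1):
    """The check the thread asks for (hypothetical name): only persist the 2FA config
    once the user's app produced a matching code, allowing +/- `skew` steps of clock drift."""
    secret, algorithm, digits, period = parse_otpauth(uri)
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, algorithm, digits, period, now + k * period), submitted)
               for k in range(-skew, skew + 1))


if __name__ == "__main__":
    secret, algorithm, digits, period = parse_otpauth(SAMPLE_URI)
    # An app that ignores the algorithm param falls back to SHA1 and shows a different code,
    # which is exactly the "codes are different" symptom reported above.
    print("code per URI (%s):" % algorithm, totp(secret, algorithm, digits, period))
    print("code if app assumes SHA1:", totp(secret, "SHA1", digits, period))
```

Run stand-alone it prints the SHA256 code the server expects next to the SHA1 code an algorithm-blind app would show; the generator reproduces the RFC 6238 Appendix B vectors for both hashes.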

gitetnot commented 1 year ago

The solution to use 2FA with Bitwarden is to copy full link from the "2fa installation link" button and to paste it to bitwarden totp field. You have to copy full link, not just the secret!

chraebsli commented 1 year ago

I have the same problem: I have copied the full link to my Bitwarden and it worked for some time, but since last week I am unable to log in because of the 2FA. What can I do to get my account back? I checked whether I was still logged in on another device so I could disable it, but that wasn't the case.

dessalines commented 1 year ago

You'll have to contact your instance admin there. The next update of lemmy will force you to verify your 2FA before it saves to make sure it works.

chraebsli commented 1 year ago

> You'll have to contact your instance admin there. The next update of lemmy will force you to verify your 2FA before it saves to make sure it works.

Thank you very much for the fast response, I contacted the admins and hope for a fast response from them.

REmerald commented 10 months ago

Worked for me in KeepassXC. I just put the capital letters key from the link and changed Default settings (RFC 6238) -> Custom settings:, SHA-1 -> SHA-256; Time step and Code size I left default.