this post was submitted on 09 Aug 2024
9 points (66.7% liked)

Do you know how 2FA is disabled without your consent on Lemmy.world?

[email protected] 3 points 1 month ago (2 children)

Lemmy is beta software. One of the updates around the 0.19.0 mark (we're up to 0.19.5 now, with 0.19.6 around the corner) changed the login stuff. I don't remember the details, but instead of locking everyone out of their accounts, 2FA was disabled. The lemmy.world admins didn't choose this, it's just how the update worked.

I don't know what kind of communication or sticky posts were used during the upgrade, but I'm sure some people missed it, including OP.

[email protected] 6 points 1 month ago (1 children)
[email protected] -2 points 1 month ago (1 children)

Right. Not a bug, but a decision by the developers in order to upgrade the 2FA stuff.

[email protected] 11 points 1 month ago

This is a separate issue unrelated to the 0.19 update.

[email protected] 0 points 1 month ago

Ah, that must be it. 2FA is still a very good security feature to have.

But there is nothing only you know that is still useful because a secret must be shared in order to be useful (unless you just have full disk encryption and then when it is unlocked and network connected, it is still vulnerable). In short, admins could change your password since you are not the sole admin of your own server but then you would have to have mass appeal to be "useful", i.e. popular.

In theory, Tim Cook might have a keybearer who could usurp the throne with all the proprietary OEM crypto keys that only the Company knows, but everyone knows who the CEO is and the keybearer could get in big trouble unless he had an army...

Things can be changed on the server side and the network is not the same as the device: these are technology truths some people refuse to ever understand.