How was my 2FA on Lemmy turned off and why?

Lightscription@lemmy.world to Asklemmy@lemmy.ml – 8 points –

Do you know how 2FA is disabled without your consent on Lemmy.world?

9

Hi,

this was unfortunately an error on our end.

Please bear with us while we work on resolving this situation.

2FA has been restored for all LW users that had it enabled before and didn't reactivate it on their own since.

There will be an announcement posted later on explaining what happened.

edit: announcement is out: https://lemmy.world/post/18503967

Lemmy is beta software. One of the updates around the 0.19.0 mark (we're up to 0.19.5 now, with 0.19.6 around the corner) changed the login stuff. I don't remember the details, but instead of locking everyone out of their accounts, 2FA was disabled. The lemmy.world admins didn't choose this, it's just how the update worked.

I don't know what kind of communication or sticky posts were used during the upgrade, but I'm sure some people missed it, including OP.

Ah, that must be it. 2FA is still a very good security feature to have.

But there is nothing only you know that is still useful because a secret must be shared in order to be useful (unless you just have full disk encryption and then when it is unlocked and network connected, it is still vulnerable). In short, admins could change your password since you are not the sole admin of your own server but then you would have to have mass appeal to be "useful", i.e. popular.

In theory, Tim Cook might have a keybearer who could usurp the throne with all the proprietary OEM crypto keys that only the Company knows, but everyone knows who the CEO is and the keybearer could get in big trouble unless he had an army...

Things can be changed on the server side and the network is not the same as the device: these are technology truths some people refuse to ever understand.

You should ask that in the community of you instance, not asklemmy. Asklemmy is not the support community.