196

18087 readers

1146 users here now

Be sure to follow the rule before you head out.

Rule: You must post before you leave.

Other rules

Behavior rules:

No bigotry (transphobia, racism, etc…)
No genocide denial
No support for authoritarian behaviour (incl. Tankies)
No namecalling
Accounts from lemmygrad.ml, threads.net, or hexbear.net are held to higher standards
Other things seen as cleary bad

Posting rules:

No AI generated content (DALL-E etc…)
No advertisements
No gore / violence
Mutual aid posts are not allowed

NSFW: NSFW content is permitted but it must be tagged and have content warnings. Anything that doesn't adhere to this will be removed. Content warnings should be added like: [penis], [explicit description of sex]. Non-sexualized breasts of any gender are not considered inappropriate and therefore do not need to be blurred/tagged.

If you have any questions, feel free to contact us on our matrix channel or email.

Other 196's:

founded 2 years ago

MODERATORS

moss@lemmy.blahaj.zone

greembow@lemmy.blahaj.zone

moss@lemmy.world

queue@beehaw.org

funky_rodent@lemmy.blahaj.zone

PeachyMcPeachface@lemmy.blahaj.zone

threegnomes@lemmy.blahaj.zone

greembow@lemmy.world

remotelove@lemmy.ca

Roflmasterbigpimp@feddit.de

A_Very_Big_Fan@lemm.ee

qaz@lemmy.blahaj.zone

A_Very_Big_Fan@lemmy.world

qaz@lemmy.sdf.org

qaz@lemmy.world

qaz@sh.itjust.works

224

Disabling 2FA in stupid way after phone died rule (i.imgur.com)

submitted 9 months ago by user224@lemmy.sdf.org to c/196@lemmy.blahaj.zone

28 comments fedilink hide all child comments

My phone died a few days ago, and the Cisco Duo app overwrote 2FA key backup after connecting my old phone to the internet.
Lemmy has no backup codes, nor can you disable 2FA even while logged in without a valid token.

Anyway, I noticed there's no rate limiting on 2FA attempts.
So following Lemmy API docs I wrote this exceptionally stupid script (look at my foolish way of parallelization and no auto-stop).

I got the JWT token from logged-in Firefox session, using cookies.txt extension to export it.

Anyway, just make sure your password is secure enough, It's obviously (potentially) better than 6 digits, probably with 3 valid combinations at each time (current 30s, past 30s, future 30s windows), if I am guessing how it works right.

My attempt also clearly involved a lot of luck with just 21,830 attempts (less than 5 minutes). But, if you're lucky enough, you may guess it on first attempt, or never if you aren't.

you are viewing a single comment's thread
view the rest of the comments

[–] Draconic_NEO@lemmy.dbzer0.com 21 points 9 months ago (2 children)

I'm really not a fan of 2FA since if I lose or break my phone in most 2FA implementations you just get locked out. Nothing to do. Even with TOTP keys it's just an extra password I have to remember. I don't want to do that, the marginal increase doesn't feel worth the risk of being locked out of my account.

So I just won't use 2FA, especially on Lemmy of all places. Oh how I've heard the horror stories of people using the early 2FA implementation and getting locked out. Not me, not ever, people may say it's better these days but this still doesn't seem worth it.

[–] nimpnin@sopuli.xyz 13 points 9 months ago (1 children)

What's the point of using 2FA on non-crucial accounts anyway? If somebody wants to hack my lemmy account or something, I don't really care at the end of the day.

[–] Draconic_NEO@lemmy.dbzer0.com 5 points 9 months ago

There really isn't any need, it's very much overkill. I'd say in the vast majority of places where it is asked it is not needed and can even be a bad thing due to the risk of losing account access.

[–] slampisko@lemmy.world 6 points 9 months ago

I'm using Aegis Authenticator and I regularly back up my list to an external file uploaded to my NAS. If my phone dies (which has happened before), I can then just restore the list from the backup ¯\_(ツ)_/¯