If you’re like me, you’re accustomed to setting up 2FA by having 1Password detect a QR code on-screen, but this doesn’t work with Lemmy’s 2FA since it never displays a QR code. Here’s what you should do instead.
Start in Lemmy by enabling 2FA in your settings. When you save, scroll down again to the bottom of your settings. You’ll now see a 2FA installation button. My first inclination was to click this button, but my Mac wanted to open it in the macOS keychain instead of 1Password. Instead, right click the button and copy the link. (It’s styled as a button, but it’s really just a plain link.)
Now, in 1Password, add a one-time password field to your Lemmy login. Paste the URL you copied from the button into the one-time password field. Save the login, and you should now see the one-time password displayed in 1Password.
You’re actually done at this point. One thing that threw me off is that Lemmy’s 2FA does not require a code validation step like many 2FA systems do. I validated it manually by logging out and logging back in. Lemmy asked me to enter the 2FA code, and I was able to copy/paste it from 1Password to log back in.
Hope this helps others who are confused like I was!
Thanks for the detailed post.
I encourage those of you who use your password manager for 2FA to consider that by having your second factor together with the password, they can both become compromised at the same time. Storing your second factor separately, e.g. using a different app with a different password, could help if your password manager database ever gets compromised, because then the attackers would only have access to your password, not your 2FA codes too.
To offer a counterpoint to this:
While it’s absolutely true that storing 2FA codes and passwords in the same place is less secure than splitting them up, it’s also true that having both and storing them together is more secure than not using 2FA codes at all. A giant SLR with a bevy of lenses will take better photos than your smartphone, but the best camera is the one you have with you. That’s because, if it becomes cumbersome to take your camera with you, you will take fewer pictures, which, if your goal is to have and enjoy pictures, is the worse of the two outcomes, even though the smartphone pictures would be of lesser quality.
Your decision on this should balance your personal tolerance for risk with your personal tolerance for being inconvenienced. If you think having to store your 2FA codes in a different application along with having to open that application and run through some additional process (alongside invoking your password locker’s login flow) for every 2FA login is likely to inhibit you from using them in the first place, don’t worry about maximizing security and store 2FA codes in your password locker. If you split them and then are inhibited from using them, you haven’t really accomplished anything.
The important thing is that you’re aware of the risk, and I believe this commenter has done a good job illuminating that.