How could 2FA be disabled if you need 2FA in order to login to disable it and my free OTP+ is biometric protected?

  • @MrKaplan@lemmy.world
    link
    fedilink
    English
    93 months ago

    This was unfortunately an error on our end.

    Please bear with us while we work on resolving this situation.

  • Scrubbles
    link
    fedilink
    English
    43 months ago

    ITT OP learns that 2FA is just a token stored on a server, and that server is in control by other people

    • LightscriptionOP
      link
      fedilink
      13 months ago

      This is what I thought. I keep telling people they don’t exclusively own their passwords / security tokens once they give it to a site. Salted hashes to obscure the pw don’t even matter since the admin could also bypass that. Tanks for the validation.

      • Prison Mike
        link
        fedilink
        33 months ago

        And you better pray the website owner (websites in general, not Lemmy specifically) at least hashes your password.

        • LightscriptionOP
          link
          fedilink
          23 months ago

          yes, the more layers of security, the better, even if it is just a futile matter of time to consume the time of an ATP.

  • Dark Arc
    link
    fedilink
    English
    2
    edit-2
    3 months ago

    Going to need a lot more context than that.

    I’m sure site admins could just clear the 2FA field if they wanted. Would they? IDK, probably not unless they had good reason.

    Could someone steal your session information and disable your 2FA with that? Yeah, but I doubt they did, you’d have to have your system compromised or some kind of cross site scripting.

    Did you use any shady lemmy clients?

    etc

    • LightscriptionOP
      link
      fedilink
      13 months ago

      No, nothing shady. Just was notified there was a mistake on the server end. Perhaps tmi to elaborate…

    • LightscriptionOP
      link
      fedilink
      23 months ago

      This is what I thought. I keep telling people they don’t exclusively own their passwords / security tokens once they give it to a site.

      If I shared encrypted info that I kept encrypted, I guess it would still be mine but no one could then read it.