My phone died a few days ago, and the Cisco Duo app overwrote 2FA key backup after connecting my old phone to the internet.
Lemmy has no backup codes, nor can you disable 2FA even while logged in without a valid token.

Anyway, I noticed there’s no rate limiting on 2FA attempts.
So following Lemmy API docs I wrote this exceptionally stupid script (look at my foolish way of parallelization and no auto-stop).

I got the JWT token from logged-in Firefox session, using cookies.txt extension to export it.

Anyway, just make sure your password is secure enough, It’s obviously (potentially) better than 6 digits, probably with 3 valid combinations at each time (current 30s, past 30s, future 30s windows), if I am guessing how it works right.

My attempt also clearly involved a lot of luck with just 21,830 attempts (less than 5 minutes). But, if you’re lucky enough, you may guess it on first attempt, or never if you aren’t.

  • Lung
    link
    fedilink
    -12 months ago

    Yeah! Defeat the dragon of phone 2fa by putting all your secondary passwords on the cloud, synced to your computer! That’ll show em :D

      • @needanke@feddit.org
        link
        fedilink
        12 months ago

        If you sync it it isn’t offline by definition. Might not have to be on google/one drive, but has to be acessible over some network (probably even the internet).

        • @Trainguyrom@reddthat.com
          link
          fedilink
          English
          32 months ago

          Syncing can be through a peer to peer protocol such as sync thing where both devices would need to know each other’s Device IDs, and the Device IDs are basically just SHA256 hashes of locally generated keys.

          Or if the user uses a program to sync over the local network or over USB it’s not necessarily online

        • @itslilith@lemmy.blahaj.zone
          link
          fedilink
          22 months ago

          You mentioned cloud, and that’s really not needed. If you need sync, you can use a P2P service like Syncthing, and while your data is transmitted over the Internet, any threat actor would need to

          a) identify your device IDs and intercept your traffic b) crack the encryption of the network traffic c) crack your password d) (if you used a key file, crack that as well)

          If that is not safe enough for your threat profile, sure, don’t use a password manager, but at that point you got bigger problems