I have lost my TOTP key assigned to codeberg account. Recovering it won’t help much, because TOTP is required, so I wrote an email to support in February. 5 months and 2 mails later I have still no response.
I will slowly trasnfer my repos to my gitea/forgejo repo I guess.
I understand that this is frustrating but it is arguably the right option. If the correct owner can recover the account without TOTP then the TOTP isn’t really protecting the account.
Of course there are various ways to authenticate and it can make sense to have authentication to be (username + password + OTP) OR (email verification) but for a lot of people that email verification is a weaker link. It is more secure to only allow the former.
What I wish is that more sites would document their account recovery procedure. Often times they ask for a phone number for verification or notifications and that silently becomes a backdoor into the account. Even better would be if users can select what authentication combos are supported on a per-account basis (there are a few companies with “lockdown” settings that are a simplified version of this).
Of course it then becomes important to make it clear to the user “if you ever loose you X your account is forever lost”. It shouldn’t be surprise.
thanks for reminding me to back up my totp keys!
Do they not give you a recovery phrase or back up codes when you’re enable 2FA?
You may be surprised to learn that some people don’t save them! Or forgot to back them up before resetting their phone/laptop.
While I don’t actually know if codeberg does have back up codes or not, I imagine they do and I’m quietly calling OP out for not saving them 😁
I had a scary situation once when changing my email address for my bitwarden account and didn’t think ahead that they’d probably log me out on all devices. Luckily I have a copy of all codes in an accessible place.
I lost my TOTP once and codeberg replied me in the same week.
Did you send back a follow-up email?
i guess that he meant by “… and two emails later…”
Good advice in general to back up your TOTP keys and the scratch tokens.
I hate how codeberg uses passkey as 2fa instead of main way of login . It would have been much better






