Right now, 2FA is half-baked. You can enable it and it gives you a link to sync it to an authenticator app, which only works on mobile. But there’s no confirmation required to enable it, so you may think it’s working with your code but it doesn’t take. This will lock people out of accounts.
It really should be disabled until it’s fully fleshed out. In the meantime, give us the option to send 2FA codes to the verified email on file.
It may be an isolated incident, but it would have been avoided had Lemmy confirmed the 2FA code before enabling it on the account. Like standard practice.
Besides, this issue refutes your entire premise - that automated 2FA setup is flawless.
See this thread: https://lemmy.eus/post/190738
It’s an issue with many different authenticators, and it’s a bug with Lemmy. This needs to be fixed.
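The confirm-before-enable flow the thread asks for, as an added sketch that is not Lemmy's code: the secret stays pending and is not enforced at login until the user submits one valid code. The `Account` class and its method names are hypothetical; the TOTP routine follows RFC 6238 with SHA-1 and a 30-second step.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:  # hypothetical model, not Lemmy's schema
    def __init__(self):
        self.totp_secret = None     # active secret, enforced at login
        self.pending_secret = None  # generated but not yet confirmed

    def begin_enrollment(self) -> str:
        """Create a pending secret; login behaviour does not change yet."""
        self.pending_secret = secrets.token_bytes(20)
        return base64.b32encode(self.pending_secret).decode()

    def confirm_enrollment(self, code: str, now=None) -> bool:
        """Activate 2FA only if the authenticator produces a valid code."""
        if self.pending_secret is None:
            return False
        now = time.time() if now is None else now
        submitted = code.strip().encode()
        # Accept the previous, current and next step to tolerate clock drift.
        ok = any(
            hmac.compare_digest(
                totp(self.pending_secret, now + d * STEP).encode(), submitted)
            for d in (-1, 0, 1)
        )
        if ok:
            self.totp_secret, self.pending_secret = self.pending_secret, None
        return ok

    def login_requires_2fa(self) -> bool:
        return self.totp_secret is not None
```

A user whose authenticator never imported the secret correctly fails `confirm_enrollment` and keeps password-only login instead of being locked out.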