• There is a bug in 2FA in Lemmy. In every implementation of TOTP, the account is not locked under 2FA until the server verifies at least one TOTP password. In Lemmy, if the user is unable to set up 2FA on his device, and quits the session, he is locked out of his account.