I promised to help with this once it was available, so I will post up here. Feel free to share the post if it's helpful. I may edit later, I just wanted to get this up quickly.
First up: Don't activate TOTP until you are ready, and understand what it's doing.
I just experimented with it, and it is immediately activated, without any sort of validation that you are generating valid codes.
(This is not good design)
This is important: if you activate it, don't manage to get it working, then log out, you won't be able to log in, and Tom will have a very busy weekend resetting accounts!
I hate that I had to add this caveat, as it should be a foolproof process. Maybe 18.2 will tidy it up :)
For this instance of Lemmy, a SHA256 TOTP token is used (yay, top of the pops...)
TOTP stands for Time-based One-Time Password.
When it is activated on a service, a secret string is generated.
This is imported into an application or device using TOTP.
When you want to log in, it uses the secret, plus the current time, to generate a code, which authenticates you.
In this instance, when you click activate, it gives you a TOTP link.
If you have a TOTP 2FA app installed (for example, Google Authenticator), this should open, and prompt you to save the secret string.
(Often, systems will generate a QR code, which TOTP apps can also use)
If it does not, take the link, and copy out the string of data between "secret=" and "&algorithm".
Open your TOTP app of choice, add a new account, set the username to something memorable/useful, put the string in the secret box, set the algorithm to SHA256, and save.
Open a new private tab, and test by logging in, using the code.
If it doesn't work, you can try again.
Just do not log out of your account without either proving it's working, or disabling it!
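To show what the app is actually doing with that link (the secret, the SHA256 algorithm, and the current time), here is an added example that is not part of the original post or Lemmy's code. It parses an otpauth:// link the way an app would, generates the RFC 6238 code, and checks a typed code against it, which is the "prove it works before logging out" step. The URI and secret are constructed (the secret is the RFC 6238 SHA-256 test key), not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs

# Constructed otpauth link; the secret is the RFC 6238 SHA-256 test key
# ("12345678901234567890123456789012") base32-encoded, not a real account.
EXAMPLE_URI = (
    "otpauth://totp/lemmy:alice?secret="
    + base64.b32encode(b"12345678901234567890123456789012").decode()
    + "&algorithm=SHA256&digits=6&period=30"
)

def parse_otpauth(uri):
    """Pull secret, algorithm, digits and period out of an otpauth:// link."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parsed.query)
    secret = q["secret"][0].upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)  # base32 wants padding to 8 chars
    return {
        "key": base64.b32decode(secret),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),  # SHA1 is the default
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(key, algorithm="SHA1", digits=6, period=30, at=None):
    """RFC 6238: HMAC over the time-step counter, then dynamic truncation."""
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify(uri, candidate, at=None, window=1):
    """Check a user-typed code, tolerating +/- one period of clock skew."""
    p = parse_otpauth(uri)
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(
            totp(p["key"], p["algorithm"], p["digits"], p["period"], now + d * p["period"]),
            candidate,
        )
        for d in range(-window, window + 1)
    )
```

A server that called something like verify() on the first code before switching 2FA on would avoid the lockout described above; an app that lacks SHA256 support will silently fall back to SHA1 and produce codes that never match.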
Apps that can do TOTP: For now, I'll just share Google Authenticator:
Open-source fork for very privacy-minded people
If you want to use a hardware token, Token2 do nice ones, varying from electronic generators, to USB keys that reveal your codes through an app when you boop them.
Edit: Good news, the issues are logged.
2FA not requiring a check before being used: https://github.com/LemmyNet/lemmy/issues/3309 (Duplicate with lots of discussion: https://github.com/LemmyNet/lemmy/issues/3325 )
2FA QR code generation: https://github.com/LemmyNet/lemmy-ui/issues/1544
This is just my personal take, but this will definitely be a growing pain for Lemmy.
People are going to activate this, and get locked out, a LOT until those fixes go in.
Defaulting to SHA256 is a bit of a classic "why don't we make it as secure as possible" moment: Lots of TOTP apps don't support it.