On Mon, 2011-10-17 at 20:26 -0500, Jeffrey Ollie wrote: > On Mon, Oct 17, 2011 at 5:54 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote: > > > > On the other hand google-authenticator doesn't have any server ability > > yet. ;( > > I didn't think that google-authenticator needed a server to do the > authentication - you just need the app on your phone and some > configuration on the system that you want to access. > which is the crux of the problem - and one I think I outlined - b/c the otp secrets are unencrypted and required on every server - they present a security risk in the lay out google-authenticator requires. Think of the otp secret like a password that needs to be in plaintext on every system and you can see why it is scary to have like that. -sv _______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
