On Thu, Jan 24, 2013 at 09:05:39AM -0800, Toshio Kuratomi wrote:

> * I know that implementing 2fa to log into fas will cause a lot of breakage
>   that we'll have to fix before we deploy:
>   - session cookie for fas would have to change so you don't have SSO
>     between FAS and other apps.

Wouldn't it be enough to add a field to the session data that stores whether
2FA has been used or not? Then SSO is still possible from FAS to other apps,
but if a valid session is provided, FAS might only ask for a valid token
value.

>   - python-fedora api would need to be modified so it can log into fas.
>   - web apps would need to be modified so they could log into fas
>     with/without 2fa

You could allow to just concatenate the password and hardware token values
and submit this as the new password. I believe this is often implemented
with RSA tokens, where a PIN and the current token value need to be provided
as password.

Regards
Till
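
The two suggestions in the reply above (a session field recording whether 2FA was used, and a token value appended to the password), as an added example that is not part of the original message and is not FAS code. It assumes a 6-digit time-based token (RFC 6238) standing in for the hardware token; all function names, field names and the sample account are hypothetical.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6   # assumption: the token value is a fixed-length suffix
STEP = 30        # assumption: time-based token (RFC 6238), 30 s steps

def totp(secret, now, digits=OTP_DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1, standing in for the hardware token."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(user, password):
    return hmac.compare_digest(pw_hash(password, user["salt"]), user["pw_hash"])

def check_token(user, token, now):
    """Accept the current or previous time step; reject a step already used."""
    for counter in (int(now // STEP), int(now // STEP) - 1):
        expected = totp(user["otp_secret"], counter * STEP)
        if counter > user["last_counter"] and hmac.compare_digest(
                token.encode(), expected.encode()):
            user["last_counter"] = counter   # replay protection
            return True
    return False

def login(user, submitted, now):
    """Single password field: 'password' alone, or 'password' + token value.
    Returns session data carrying a used_2fa flag, or None on failure."""
    if check_password(user, submitted):
        return {"user": user["name"], "used_2fa": False}
    password, token = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    if password and check_password(user, password) and check_token(user, token, now):
        return {"user": user["name"], "used_2fa": True}
    return None

def step_up(session, user, token, now):
    """Existing SSO session: ask only for a token value, then set the flag."""
    if check_token(user, token, now):
        session["used_2fa"] = True
    return session["used_2fa"]

def make_user(name, password, otp_secret):   # constructed sample account
    salt = b"constructed-salt"
    return {"name": name, "salt": salt, "pw_hash": pw_hash(password, salt),
            "otp_secret": otp_secret, "last_counter": -1}
```

Clients that only know the password keep working and get a session with `used_2fa` false; an application that needs the second factor checks the flag and calls `step_up` instead of forcing a full re-login.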