On Thu, Oct 29, 2015 at 04:39:20PM +0100, Pierre-Yves Chibon wrote:
> 2FA
> 2 Factor Authentication is probably the biggest point remaining to develop.
> In FAS2, yubikey is integrated into FAS, while gauth isn't. For FAS3 we
> probably want to integrate both so that users have a place to set and reset
> their tokens.
> On the other side, keeping the yubikey and the gauth servers out of FAS3 also
> makes sense. So we may want to find a way for both to share some information
> where FAS3 would have read/write permissions while the yubikey/gauth servers
> would have only read.
>

You'll need to think about the model a little here.

* Do you want users to be able to login with only a single factor?
* Two axes -- users and services. sudo is a current service that requires two factors.
* Users could be by group ('sysadmin-main'), user who has registered a second factor, etc.
* What factors do you want to make necessary to reset a factor?
* Currently if you can login to fas you can change your password.
* Currently you need to satisfactorily prove your identity to a sysadmin-main member in order to reset your gauth token.
* What factors do you need in order to set a factor that is currently null?
* What factors do you need in order to disable (different from remove! You need to make sure that this cannot be combined with remove to circumvent the factors needed to reset a factor)?
* Are some factors "more equal" than others? Some current examples:
* challenge question or gpg private key gives access to all.
* access to email allows resetting the password
* (?) access to password allows resetting the yubikey

mricon could be helpful to talk to about these policies.

-Toshio
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
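The disable/remove circumvention that the reply warns about is easy to check mechanically once the policy is written as a table. The following is an added example, not FAS code and not from the thread: it models each management operation (set, reset, disable, remove) as a list of alternative factor sets that a session must have proven, then searches for any proven set that can walk disable -> remove -> set without meeting the reset requirement. The factor names, the "admin vouch" factor, and both policy tables are constructed assumptions chosen to show the gap and its closure.

```python
"""Toy model of the factor-management policy questions in the mail above.

Constructed example; not FAS code. Factor names and the two policy tables are
assumptions chosen to illustrate the disable -> remove -> set chain."""
from enum import Enum
from itertools import combinations


class Factor(Enum):
    PASSWORD = "password"
    YUBIKEY = "yubikey"
    GAUTH = "gauth"
    EMAIL = "email"           # proved control of the registered mailbox
    ADMIN_VOUCH = "admin"     # identity proved to a sysadmin-main member (assumed name)


# A requirement is a list of alternatives; it is met when the session has
# proven every factor in at least one alternative.
STRONG = [frozenset({Factor.PASSWORD, Factor.YUBIKEY}), frozenset({Factor.ADMIN_VOUCH})]
PASSWORD_ONLY = [frozenset({Factor.PASSWORD})]

# Constructed "weak" table: disable is a cheap lost-token convenience path and
# removing an already-disabled factor only needs the password.
WEAK_POLICY = {
    "set": PASSWORD_ONLY,        # factor is currently null
    "reset": STRONG,
    "disable": [frozenset({Factor.PASSWORD, Factor.EMAIL})],
    "remove": PASSWORD_ONLY,
}

# Constructed "strict" table: every operation that can end in a fresh token
# costs at least as much as reset.
STRICT_POLICY = {"set": PASSWORD_ONLY, "reset": STRONG, "disable": STRONG, "remove": STRONG}


def satisfied(requirement, proven):
    """True when the proven factors cover at least one alternative."""
    return any(alternative <= proven for alternative in requirement)


def find_bypass(policy):
    """Search all factor sets, smallest first, for one that allows
    disable -> remove -> set but not reset. Returns the set or None."""
    factors = list(Factor)
    for size in range(len(factors) + 1):
        for combo in combinations(factors, size):
            proven = frozenset(combo)
            chain_ok = all(satisfied(policy[op], proven) for op in ("disable", "remove", "set"))
            if chain_ok and not satisfied(policy["reset"], proven):
                return proven
    return None


def manage(account, policy, op, factor, proven):
    """Apply one management operation to `account` (dict factor -> state),
    refusing it unless the policy's requirement for `op` is met."""
    if not satisfied(policy[op], proven):
        needed = [sorted(f.value for f in alt) for alt in policy[op]]
        raise PermissionError(f"{op} {factor.value} needs one of {needed}")
    if op == "set":
        if factor in account:
            raise ValueError("factor already registered; use reset")
        account[factor] = "active"
    elif op == "reset":
        account[factor] = "active"
    elif op == "disable":
        account[factor] = "disabled"
    elif op == "remove":
        account.pop(factor, None)
    else:
        raise ValueError(f"unknown operation {op}")
    return account


def replay_chain(policy, proven, factor=Factor.YUBIKEY):
    """Run disable -> remove -> set on an account that has `factor` active.
    Returns True if the chain left a freshly set factor (a de facto reset),
    False if the policy refused somewhere along the way."""
    account = {Factor.PASSWORD: "active", factor: "active"}
    try:
        for op in ("disable", "remove", "set"):
            manage(account, policy, op, factor, proven)
    except PermissionError:
        return False
    return account.get(factor) == "active"


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        gap = find_bypass(policy)
        print(name, "bypass:", sorted(f.value for f in gap) if gap else None)
```

Under the weak table the search reports that password plus mailbox access is enough to end up with a freshly enrolled token, even though reset itself demands the existing token or an admin vouch; under the strict table no proven set reaches the end of the chain without also meeting reset. The same search can be run against any proposed table before it ships, and extended with further chains (for instance remove -> set on its own) by changing the operation tuple.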