Greetings. FAS2 (The old account system) supported 2fa tokens, but they were not in the main interface, you had to go and find a infra sop and go to the right place or run the right command line tool. This was fine as the only thing we were using them for was sudo (so only sysadmins were affected). In order to reset a token in this setup, we required a gpg encrypted email or other proof of you being who you say you are before resetting. Since this was admins, it was just a few per month (if that). In the new account system, they are integrated right into the interface, so tons of people are playing around with them. A number of folks are not able to properly save their token, or run into problems adding it and need to have that token removed so they can try again. Many of these are new users that don't have a gpg key set in their account. We have been getting a lot of these of late. ;( So, the questions are: 1. How can we cut down on the people who are not able to enroll/run into problems with their token requesting removal? Random thoughts: * Could we require someone enter their password + token before accepting the token? ie, they try and enroll, ipa adds it, they have to verify, if they can't, it's removed? * Could we add 'recovery codes' so if someone enrolls and it's wrong/broken, they could use a code to login and add a new token and remove the old broken one? * Could we perhaps make a 'dev' noggin that people could test with and wipe all accounts from every day or something? Then ask people to test there if they are unsure how to add otp * Could we 'hide' the otp setup until you have X groups or something? 2. How can we verify identity on people who request the removal of their last otp? Do we just tell them to make a new account? Random ideas: * If they are not in any groups, how about we just reset based on email? * Or perhaps if they are not in any sysadmin* groups? * If they are Red Hat employees we can use the internal verify thing * We could use gpg signed email if there is a gpg key assigned to the account. * Could we use ssh key to verify them? Any thoughts welcome. kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
