On Thu, Apr 08, 2021 at 12:41:43PM -0700, Kevin Fenzi wrote: > so tons of people are playing around with them. A number of folks are > not able to properly save their token, or run into problems adding it > and need to have that token removed so they can try again. Many of these > are new users that don't have a gpg key set in their account. We have > been getting a lot of these of late. ;( Or some of them are, like, project leaders who also make mistakes. :) > * Could we require someone enter their password + token before accepting > the token? ie, they try and enroll, ipa adds it, they have to verify, if > they can't, it's removed? This is _very_ common in other implementations. > * Could we add 'recovery codes' so if someone enrolls and it's > wrong/broken, they could use a code to login and add a new token and > remove the old broken one? Likewise! > * Could we perhaps make a 'dev' noggin that people could test with and > wipe all accounts from every day or something? Then ask people to test > there if they are unsure how to add otp We probably _should_ have this for other reasons, but I don't think it's a good solution to this problem. It adds complexity while still not guaranteeing that what's done on the production instance will work. > * Could we 'hide' the otp setup until you have X groups or something? While this might help some people... ....... ..... . > 2. How can we verify identity on people who request the removal of their > last otp? Do we just tell them to make a new account? > > Random ideas: > > * If they are not in any groups, how about we just reset based on email? > * Or perhaps if they are not in any sysadmin* groups? I think packager groups should also not be reset just based on email. > * If they are Red Hat employees we can use the internal verify thing Yes. Is there a way we could extend something similar to non-RHers? > * We could use gpg signed email if there is a gpg key assigned to the > account. > * Could we use ssh key to verify them? That at least increases the barrier to impersonation. -- Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> Fedora Project Leader _______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
