Christopher wrote:

> * Unlike many other implementations, there is no backup code option
> (GitHub, Google, others, provide 10 one-time use backup codes you can
> use in case you don't have access to your authenticator app; these can
> be regenerated after a successful login).

It seems that the backup is to send an OpenPGP-signed email to an admin address. That's acceptable as long as the admins take care to properly verify the OpenPGP key – but since Noggin stores only key IDs (and truncates them incorrectly), I'm left wondering what methods they'll try if they need to look up my key. Will they try WKD? DNS? Is there a specific key server that must have my key for me to be able to recover my Fedora account if I lose my second factor?

> * In many places, including accounts.fedoraproject.org, in order to
> log in, you have to append the OTP to your password, so it doesn't
> really play nice with password managers.

Such kludges shouldn't be exposed in user interfaces if it can be avoided. A web interface should be able to receive two strings in two separate fields, and concatenate them if the backend requires that.

Björn Persson
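The message above turns on how an OpenPGP key ID relates to the key's fingerprint, and on what an admin verifying a signed recovery mail should actually compare. The block below is an added example written for this page; it is not code from the thread, from Noggin or from Fedora infrastructure, and it makes no claim about what Noggin's truncation bug looks like. It shows the correct derivation of the long (64-bit) and short (32-bit) key IDs from a v4 fingerprint, the wrong truncation (keeping the high-order digits) beside it, and a check that a stored identifier is consistent with a fingerprint. The fingerprint `SAMPLE_FPR` is constructed for illustration and belongs to no real key.

```python
"""
Added example (not from the mailing-list thread, Noggin or Fedora infra).

For OpenPGP v4 keys (RFC 4880 section 12.2) the fingerprint is the 160-bit
SHA-1 of the public key packet. The 64-bit "long" key ID is the low-order
64 bits of the fingerprint, i.e. its LAST 16 hex digits, and the 32-bit
"short" key ID is the last 8 hex digits. Keeping the FIRST 16 digits is a
wrong truncation: the result is not a key ID any OpenPGP tool will match.
"""
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample fingerprint (40 hex digits); not a real key.
SAMPLE_FPR = "A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 8F90 0112 2334"


def normalize(hexstr: str) -> str:
    """Strip spaces and an optional '0x' prefix; return upper-case hex."""
    s = hexstr.replace(" ", "").strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    if not HEX_RE.match(s):
        raise ValueError(f"not hexadecimal: {hexstr!r}")
    return s.upper()


def long_key_id(fingerprint: str) -> str:
    """Low-order 64 bits of a v4 fingerprint = last 16 hex digits."""
    fpr = normalize(fingerprint)
    if len(fpr) != 40:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr[-16:]


def short_key_id(fingerprint: str) -> str:
    """Low-order 32 bits = last 8 hex digits (cheap to collide; avoid)."""
    return long_key_id(fingerprint)[-8:]


def wrong_truncation(fingerprint: str) -> str:
    """The mistake: keeping the high-order 64 bits instead of the low ones."""
    fpr = normalize(fingerprint)
    if len(fpr) != 40:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fpr[:16]


def stored_id_matches(stored_id: str, fingerprint: str) -> bool:
    """
    True if stored_id is the full fingerprint, the long key ID or the
    short key ID of `fingerprint`. A wrongly truncated value, or any
    other length, does not match. For account recovery an admin should
    still compare the FULL fingerprint: a 32-bit short ID can be forged
    with trivial effort, and even a 64-bit ID is not a trust anchor.
    """
    sid = normalize(stored_id)
    fpr = normalize(fingerprint)
    if len(sid) == 40:
        return sid == fpr
    if len(sid) == 16:
        return sid == long_key_id(fpr)
    if len(sid) == 8:
        return sid == short_key_id(fpr)
    return False


def describe(fingerprint: str) -> dict:
    """All identifiers for one fingerprint, side by side, for inspection."""
    return {
        "fingerprint": normalize(fingerprint),
        "long_key_id": long_key_id(fingerprint),
        "short_key_id": short_key_id(fingerprint),
        "wrong_truncation": wrong_truncation(fingerprint),
    }


if __name__ == "__main__":
    for name, value in describe(SAMPLE_FPR).items():
        print(f"{name:>17}: {value}")
    print("wrong truncation matches fingerprint?",
          stored_id_matches(wrong_truncation(SAMPLE_FPR), SAMPLE_FPR))
```

The practical consequence for the recovery flow discussed above: whatever identifier an account system stores, the admin handling a signed recovery mail needs enough of it to compare against the full fingerprint of the key that produced the signature; a short ID, or a mis-truncated one, gives them nothing they can safely match.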
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx