Dnia Fri, Mar 26, 2021 at 01:47:08PM -0700, Kevin Fenzi napisał(a): > On Fri, Mar 26, 2021 at 09:34:49PM +0100, Tomasz Torcz wrote: > > Dnia Fri, Mar 26, 2021 at 03:26:53PM -0500, Brandon Nielsen napisał(a): > > > On 3/26/21 3:24 PM, Matthew Miller wrote: > > > > On Fri, Mar 26, 2021 at 02:48:39PM -0400, Christopher wrote: > > > [Snip] > > > > > * In many places, including accounts.fedoraproject.org, in order to > > > > > log in, you have to append the OTP to your password, so it doesn't > > > > > really play nice with password managers. > > > > > > > > This is pretty common in my experience; it seems like password managers > > > > should support this pattern. > > > > > > > > > > I can't say I have ever appended an OTP to a regular password, and I use 2FA > > > everywhere I can. > > > > I second that. I've only seen OTP appending on FreeIPA's > > implementation of 2FA. Everywhere else it's first a normal password > > prompt, then second for 2FA code (or push notification to phone, which > > is way easier for user). > > Notification via sms is... not too secure. ;( > https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber I didn't write SMS. SMS is terrible, it's the worst 2F channel nowadays. I meant push notification, when the message is sent through secure channel to your smart phone and you get popup asking for authorization. At least: - Google does that: https://s3.amazonaws.com/neowin/news/images/uploaded/2017/07/1500141361_google_mobile_prompt.jpg - Microsoft Suite (Teams, Outlook) on my corporate accounts: https://techcommunity.microsoft.com/t5/image/serverpage/image-id/46536iDD69C684B52CC495 - My banking app (for login and transfer authorizations) https://android.com.pl/apps/wp-content/uploads/2020/03/alior.jpg.webp This seem to be easiest and most secure 2FA, but requires cooperation with Android framework. Next in line are FIDO/Yubikeys, and OTP codes. -- Tomasz Torcz Only gods can safely risk perfection, tomek@xxxxxxxxxxxxxx it's a dangerous thing for a man. — Alia _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
