On Sat, Mar 27, 2021 at 12:38:45AM +0100, Björn Persson wrote:
> Christopher wrote:
> > * Unlike many other implementations, there is no backup code option
> > (GitHub, Google, others, provide 10 one-time use backup codes you can
> > use in case you don't have access to your authenticator app; these can
> > be regenerated after a successful login).
>
> It seems that the backup is to send an OpenPGP-signed email to an admin
> address. That's acceptable as long as the admins take care to properly
> verify the OpenPGP key – but since Noggin stores only key IDs (and
> truncates them incorrectly), I'm left wondering what methods they'll try
> if they need to look up my key. Will they try WKD? DNS? Is there a
> specific key server that must have my key for me to be able to recover
> my Fedora account if I lose my second factor?

Well, the backup is actually: "verify you are who you say you are to the
satisfaction of account admins" (which has been the case with fas as well
for many years). This could be a gpg signed email and key from a good site,
or other means. I agree this is not well defined. I'd like us to add
security query/respond pairs. Other suggestions welcome (please file them
as noggin issues?)

> > * In many places, including accounts.fedoraproject.org, in order to
> > log in, you have to append the OTP to your password, so it doesn't
> > really play nice with password managers.
>
> Such kludges shouldn't be exposed in user interfaces if it can be
> avoided. A web interface should be able to receive two strings in two
> separate fields, and concatenate them if the backend requires that.

I'm not sure what the constraint was here. I'd let the noggin team answer
this one...

kevin
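The first quoted point above describes the GitHub/Google-style recovery mechanism: a set of ten one-time backup codes, shown once, consumed on use, and replaceable after a successful login. The following is an added example, not code from Noggin, FAS or anyone in this thread, showing the server-side half of that design: codes are stored only as salted PBKDF2 hashes, each code can be redeemed exactly once, and regenerating the set invalidates every code from the previous set. The code format (two groups of five hex characters), the PBKDF2 parameters and the in-memory per-account store are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10        # set size mentioned in the thread (GitHub, Google)
PBKDF2_ITERATIONS = 20_000   # assumed stretching factor; codes are high-entropy


def _hash_code(code: str, salt: bytes) -> bytes:
    """Hash a backup code the same way on issue and on redeem.

    Input is normalised (hyphen removed, lower-cased) so a user may type
    the code with or without the separator and in any case.
    """
    normalized = code.replace("-", "").strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, PBKDF2_ITERATIONS)


class BackupCodes:
    """One account's set of one-time recovery codes (hashes only, never plaintext)."""

    def __init__(self) -> None:
        self.salt = b""
        self.hashes: list[bytes] = []

    def regenerate(self) -> list[str]:
        """Issue a fresh set; the previous set becomes invalid immediately.

        Returns the plaintext codes for one-time display to the user. They
        are not retained here; a new salt guarantees old codes cannot match.
        """
        self.salt = secrets.token_bytes(16)
        plain = []
        for _ in range(CODE_COUNT):
            h = secrets.token_hex(5)          # 40 bits of entropy per code
            plain.append(f"{h[:5]}-{h[5:]}")  # assumed display format
        self.hashes = [_hash_code(c, self.salt) for c in plain]
        return plain

    def remaining(self) -> int:
        """How many unused codes the account still has (worth surfacing in the UI)."""
        return len(self.hashes)

    def redeem(self, code: str) -> bool:
        """Consume one code. True exactly once per code; replays return False.

        The comparison is constant-time, and the matching hash is deleted
        before returning so a reused code cannot succeed a second time.
        """
        candidate = _hash_code(code, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]
                return True
        return False


if __name__ == "__main__":
    store = BackupCodes()
    codes = store.regenerate()
    print("show these once:", codes)
    print("first use ok:", store.redeem(codes[0]))
    print("replay ok:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

The check a reviewer would want on a real implementation is in `redeem`: the stored hash is removed in the same step that accepts it, and a regenerated set changes the salt, so there is no window in which an old or already-used code is still valid.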
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure