On Sun, Feb 20, 2022 at 4:01 PM Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote:

> I think we should also require security key-based 2fa for all
> packagers.

In a previous discussion on this topic that was suggested (and at least partially rejected(*)).

Many (larger) orgs have decided that issuing hardware security keys to all their staff can eliminate entire classes of vulnerabilities. Unfortunately, last I checked, the FAS account system did not support adding something like a FIDO2 security key to an account(**). Even if it did, I suspect not all the other parts of the system would support FIDO keys.

For a community organization such as Fedora, requiring packagers to obtain (and register) security keys would be a large step(***), and might end up adding enough impedance to the new packager process to discourage new packagers (and/or drive away some existing packagers). There is also the problem of replacement keys when they are lost/damaged(****), and they will, eventually, be lost/stolen/damaged.

All said, I agree that requiring packagers to have and register (something like) FIDO keys is a good goal.

Lastly, a question, if some of the RedHat employees on the list are at liberty to comment: does RH require hardware security keys, or other OTP technologies, to access certain apps, or are passwords considered good enough?

Gary

(*) Well, rejected might be too strong, but it was not agreed upon as a way forward.

(**) There may be alternatives, but the FIDO / U2F approach seems to be the one most are moving towards.

(***) I suppose if there was "magic money" the project could issue them to those that have been approved as new packagers.

(****) Replacement security keys are always a problem, even when the org has a direct connection to the individual.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure