On Sun, Feb 20, 2022 at 04:08:43PM -0800, Adam Williamson wrote:
> On Sun, 2022-02-20 at 16:42 +0000, Gary Buhrmaster wrote:
> > Unfortunately, last I checked, the FAS account
> > system did not support adding something
> > like a FIDO2 security key to an account(**).
> > Even if it did, I suspect not all the other parts
> > of the system would support FIDO keys.
>
> It used to support these, but the support was lost with the recent
> rewrite. However, it supports Google Authenticator-style OTPs. Folks
> with infra privileges on their accounts (like me) are already required
> to use these. It works fine. I preferred being able to use a yubikey so
> I don't always have to open an app on my phone and retype a six digit
> code when I need to log in to something, but that's just a minor
> annoyance.

Given that the accounts system already supports these OTPs, what is the
reason for not mandating this OTP-based 2FA for *all* contributors today,
as opposed to merely infra people?

We know that Fedora contributors have had their passwords compromised in
the past [1], so not using 2FA of any kind is a risk to Fedora.

I understand these simple OTPs are not as secure as FIDO2, but they have
the clear advantage of actually being supported in Fedora's auth system
today. These OTPs are good enough that 1000's of companies globally use
them, rather than relying on plain passwords only.

By all means have FIDO2 supported as the desired long-term goal, but it
feels dubious to stick with only plain passwords in the meantime. FIDO2
support requires significant dev work on a service that is not under
Fedora's control and may take many, many years to arrive in a form that
is usable.

With regards,
Daniel

[1] https://lists.fedoraproject.org/pipermail/announce/2011-January/002911.html

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|