On 2/22/22 06:33, Daniel P. Berrangé wrote:
> On Sun, Feb 20, 2022 at 04:08:43PM -0800, Adam Williamson wrote:
>> On Sun, 2022-02-20 at 16:42 +0000, Gary Buhrmaster wrote:
>>> Unfortunately, last I checked, the FAS account
>>> system did not support adding something
>>> like a FIDO2 security key to an account(**).
>>> Even if it did, I suspect not all the other parts
>>> of the system would support FIDO keys.
>>
>> It used to support these, but the support was lost with the recent
>> rewrite. However, it supports Google Authenticator-style OTPs. Folks
>> with infra privileges on their accounts (like me) are already required
>> to use these. It works fine. I preferred being able to use a yubikey so
>> I don't always have to open an app on my phone and retype a six digit
>> code when I need to log in to something, but that's just a minor
>> annoyance.
>
> Given that the accounts system already supports these OTPs, what
> is the reason for not mandating this OTP based 2FA for *all*
> contributors today, as opposed to merely infra people ?

I very much would support this change.

> We know that Fedora contributors have had their passwords compromised
> in the past [1], so not using 2FA of any kind is a risk to Fedora.
>
> I understand these simple OTPs are not as secure as FIDO2, but
> they have the clear advantage of actually being supported in
> Fedora's auth system today. These OTPs are good enough that 1000's
> of companies globally use them, rather than relying on plain passwords
> only.
>
> By all means have FIDO2 supported as the desired long term goal, but
> it feels dubious to stick with only plain passwords in the meantime.
> FIDO2 support requires significant dev work on a service that is not
> under Fedora's control and may take many many years to arrive in a
> form that is usable.

I wholeheartedly agree with this statement.

> With regards,
> Daniel
>
> [1] https://lists.fedoraproject.org/pipermail/announce/2011-January/002911.html

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx