On Tue, Feb 22, 2022 at 11:33:55AM +0000, Daniel P. Berrangé wrote:
> On Sun, Feb 20, 2022 at 04:08:43PM -0800, Adam Williamson wrote:
> > On Sun, 2022-02-20 at 16:42 +0000, Gary Buhrmaster wrote:
> > > Unfortunately, last I checked, the FAS account
> > > system did not support adding something
> > > like a FIDO2 security key to an account(**).
> > > Even if it did, I suspect not all the other parts
> > > of the system would support FIDO keys.
> >
> > It used to support these, but the support was lost with the recent
> > rewrite. However, it supports Google Authenticator-style OTPs. Folks
> > with infra privileges on their accounts (like me) are already required
> > to use these. It works fine. I preferred being able to use a yubikey so
> > I don't always have to open an app on my phone and retype a six digit
> > code when I need to log in to something, but that's just a minor
> > annoyance.
>
> Given that the accounts system already supports these OTPs, what
> is the reason for not mandating this OTP based 2FA for *all*
> contributors today, as opposed to merely infra people ?

All contributors? ie, require an otp to make an account? Or did you mean
all packagers? or something else?

I don't think there's any way in IPA to require otp as a requirement for
group membership currently. (Please let me know if there is). Which would
leave us checking after the fact and removing people without one set,
which is a big pile of hassle. :(

> We know that Fedora contributors have had their passwords compromised
> in the past [1], so not using 2FA of any kind is a risk to Fedora.
>
> I understand these simple OTPs are not as secure as FIDO2, but
> they have the clear advantage of actually being supported in
> Fedora's auth system today. These OTPs are good enough that 1000's
> of companies globally use them, rather than relying on plain passwords
> only.
>
> By all means have FIDO2 supported as the desired long term goal, but
> it feels dubious to stick with only plain passwords in the meantime.
> FIDO2 support requires significant dev work on a service that is not
> under Fedora's control and may take many many years to arrive in a
> form that is usable.

Enforcing otp per group also would require dev work from what I understand. :(

kevin
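The "checking after the fact" that the reply above describes, as an added example (not part of the thread and not Fedora infrastructure's own tooling): a POSIX shell audit that lists members of an IPA group who own no OTP token. It assumes the human-readable output of `ipa group-show <group>` and `ipa otptoken-find` has been captured into the two variables; the sample outputs embedded here are constructed.

```shell
#!/bin/sh
# Added example: find IPA group members with no OTP token, from captured
# `ipa group-show` / `ipa otptoken-find` output (samples below are constructed).

GROUP_SHOW='  Group name: packager
  Description: constructed sample group
  Member users: alice, bob, carol, dave'

TOKEN_FIND='----------------
3 OTP tokens matched
----------------
  Unique ID: 1111-constructed
  Type: TOTP
  Owner: alice

  Unique ID: 2222-constructed
  Type: TOTP
  Owner: carol

  Unique ID: 3333-constructed
  Type: HOTP
  Owner: eve
----------------------------
Number of entries returned 3
----------------------------'

# One member uid per line, sorted, from the "Member users:" line of group-show.
group_members() {
    printf '%s\n' "$1" | sed -n 's/^ *Member users: *//p' | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' | grep -v '^$' | sort -u
}

# One owner uid per line, sorted, from every "Owner:" line of otptoken-find.
token_owners() {
    printf '%s\n' "$1" | sed -n 's/^ *Owner: *//p' | sort -u
}

# Set difference: members who own no token at all (eve's token is irrelevant,
# since she is not in the group).
users_without_otp() {
    members=$(mktemp); owners=$(mktemp)
    group_members "$1" > "$members"
    token_owners "$2" > "$owners"
    comm -23 "$members" "$owners"
    rm -f "$members" "$owners"
}

users_without_otp "$GROUP_SHOW" "$TOKEN_FIND"
```

Replace the two constructed variables with real `ipa` output (e.g. `GROUP_SHOW=$(ipa group-show packager)`) to run it against a live IPA; a listed user is then one to follow up with, not necessarily one to remove, since the check cannot see tokens that are disabled or expired.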
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure