On Wed, Feb 23, 2022 at 10:33:16AM +0100, Vitaly Zaitsev via devel wrote: > On 22/02/2022 12:33, Daniel P. Berrangé wrote: > > Given that the accounts system already supports these OTPs, what > > is the reason for not mandating this OTP based 2FA for*all* > > contributors today, as oppposed to merely infra people ? > > I like it, but many Fedora contributors won't be happy. Google said that > only 10% of their users use OTP. > > We need to fix Fedora's OTP implementation first. Sending password+CODE is > the worst idea, I ever seen. You can't even use a password manager to > auto-enter it. > > My suggestions: > 1. Change password entry dialog on id.fedoraproject.org with > accounts.fedoraproject.org version (with a separate OTP field). We have this change already done, but are waiting for a upstream ipsilon release. > 2. Kinit should ask for password and OTP code in different prompts (check > how it works with SSH + OTP plugin). This is being worked on by IPA folks. kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
