Michael Catanzaro wrote:
> On Thu, Apr 7 2022 at 12:30:42 PM -0400, Stephen Gallagher
> <sgallagh@xxxxxxxxxx> wrote:
> > Well, it *could* grow an interface to some of the password wallet
> > services that support TOTP or HOTP codes (like Bitwarden, Lastpass,
> > 1password, etc.) and configure it to query that service and append the
> > code to the password. It doesn't help if you want/need a physical
> > token, though.
>
> Good idea. Of course we'd probably want to use GNOME Keyring for this
> (which does not currently support third-party services, but could in
> the future). I suppose gnome-online-accounts would only need to store
> the TOTP/HOTP seed and some config data.

This sounds like you would store the password and the TOTP seed together in the same keyring. That's rather pointless. If you store two secrets together, then they are effectively a single secret, and the TOTP just adds an unnecessary step to the authentication protocol. It's better to generate a long random key for your "password", store that in your keyring, and not bother with TOTP.

Two-factor authentication is when you have two secrets stored in two different storage media, for example one in Gnome Keyring and the other in a Yubikey.

If the keyring is encrypted with a master passphrase, then that's also two-factor authentication. The encrypted key stored in the keyring is one factor, and the master passphrase stored in the user's brain is the other factor. In that case a TOTP seed stored in a Yubikey becomes a third factor.

Björn Persson
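
The argument in the message above, as an added example that is not part of the original thread: a TOTP code is a pure function of the seed and the clock (RFC 6238), so a store that holds both the password and the seed is enough on its own to produce the "password with code appended" credential. The helper `credential_from`, the store dictionaries and the password value are hypothetical and constructed for illustration; the seed is the RFC 6238 test seed.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(seed, unix_time // step, digits)

def credential_from(store: dict, unix_time: int):
    """Hypothetical helper: the password+code string that the contents of
    `store` alone are enough to produce, or None if a secret is missing."""
    if "password" not in store or "totp_seed" not in store:
        return None
    return store["password"] + totp(store["totp_seed"], unix_time)

# Constructed sample data. The seed is the RFC 6238 test seed.
SEED = b"12345678901234567890"
PASSWORD = "constructed-example-password"
COMBINED_KEYRING = {"password": PASSWORD, "totp_seed": SEED}  # both in one store
SPLIT_KEYRING = {"password": PASSWORD}                         # seed kept elsewhere
HARDWARE_TOKEN = {"totp_seed": SEED}                           # e.g. on a Yubikey

if __name__ == "__main__":
    now = 59  # fixed time from the RFC 6238 test vectors
    both = {**SPLIT_KEYRING, **HARDWARE_TOKEN}
    print("combined keyring:", credential_from(COMBINED_KEYRING, now))
    print("split keyring:   ", credential_from(SPLIT_KEYRING, now))
    print("token only:      ", credential_from(HARDWARE_TOKEN, now))
    print("keyring + token: ", credential_from(both, now))
```

Only the combined keyring, or both separate media together, yields a complete credential; either separate medium alone yields nothing usable.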