On Fri, Apr 8, 2022 at 1:29 PM Björn Persson <Bjorn@rombobjörn.se> wrote: > > Michael Catanzaro wrote: > > On Thu, Apr 7 2022 at 12:30:42 PM -0400, Stephen Gallagher > > <sgallagh@xxxxxxxxxx> wrote: > > > Well, it *could* grow an interface to some of the password wallet > > > services that support TOTP or HOTP codes (like Bitwarden, Lastpass, > > > 1password, etc.) and configure it to query that service and append the > > > code to the password. It doesn't help if you want/need a physical > > > token, though. > > > > Good idea. Of course we'd probably want to use GNOME Keyring for this > > (which does not currently support third-party services, but could in > > the future). I suppose gnome-online-accounts would only need to store > > the TOTP/HOTP seed and some config data. > > This sounds like you would store the password and the TOTP seed > together in the same keyring. That's rather pointless. If you store two > secrets together, then they are effectively a single secret, and the > TOTP just adds an unnecessary step to the authentication protocol. It's > better to generate a long random key for your "password", store that in > your keyring, and not bother with TOTP. It would be pointless if you did this everywhere, but not if you only did it for certain excepted services that you trust. Then, you're using 2FA everywhere except that trusted service. Many services with 2FA support application-specific passwords that are intended to be used once in a trusted service and forgotten, leaving that service the only application that uses that specific credential (usually used for applications that are not interactive or otherwise don't support OTP codes). This also allows that service's password to be revoked independently. So, the authentication requirements would look like: (password + OTP) OR (app-specific password 1) OR (app-specific password 2) OR etc. Fedora could provide application-specific passwords in our OTP implementation for that purpose. Or, GNOME could be made to prompt for a new OTP when needed, use it to get a new Kerberos ticket, and then discard it until that ticket can no longer be renewed without re-authenticating. Even then, the OTP should only be requested when the credential is actually being used by the user. The first option is simpler and a reasonable compromise, but the second is clearly more secure. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
