On Sun, Sep 4, 2022 at 3:52 PM Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote: > Well, not really. 2FA isn't a magic bullet. I would be in favor of > doing this, but you can't treat any security measure as solving all > your problems completely. Nothing is a magic bullet (and most security can be bypassed with the $10 (it was $5 before inflationary increase) wrench) but passkeys (which can eliminate passwords entirely) do tend to raise the bar substantially, and those services doing authorization can require additional levels of real time identity assurance for additional levels of access (so inserting a usb token, or having your phone nearby, might let you login, but you need to provide additional something (pin, biometrics, whatever) to access things at a higher level at the time you require that (say, for this case, using PP powers)). However, last this was discussed, the Fedora AAA system(s) did not (yet?) support the full fido2/webauthn/passkey functionality, so at this time such full integration is just a dream(*). (*) Given that all the major tech companies are moving towards allowing (and will be encouraging) customers to use passkeys I hope we will see better integrations with FreeIPA and Ipsilon at some point. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
