On Sun, Sep 4 2022 at 04:48:10 PM +0000, Gary Buhrmaster
<gary.buhrmaster@xxxxxxxxx> wrote:
> However, last this was discussed, the Fedora AAA system(s)
> did not (yet?) support the full fido2/webauthn/passkey
> functionality, so at this time such full integration is just a
> dream(*).

You don't have to be a provenpackager to be able to do serious damage;
you just need to maintain one package that's installed by a
sufficiently-interesting quantity of Fedora users. In the long run, we
should be moving to require WebAuthn for all Fedora
authentication-related purposes, since it's unphishable. Last year I
entered my GitHub password into a phishing page that was proxying the
real GitHub... if the evil page had gone to just slightly more effort,
it could have easily intercepted a simple TOTP/HOTP challenge. This is
not possible with WebAuthn, which I would say actually is pretty much
equivalent to a security magic bullet.

That said, I say this keenly aware that WebKitGTK doesn't support
WebAuthn yet, and I would be interacting with Fedora packaging a lot
less if I couldn't use my normal web browser. And anybody who isn't
willing to buy a security key wouldn't be able to contribute to Fedora
at all.

Michael
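
The TOTP versus WebAuthn difference discussed in the message above, as an added example that is not part of the original mail or of any Fedora code: a TOTP code carries no record of where it was typed, while a WebAuthn assertion binds the origin and RP ID that the server then checks. Host names, key, seed and challenge are constructed, and HMAC is an assumed stand-in for the authenticator's real public-key signature.

```python
import hashlib, hmac, json, struct

RP_ID = "accounts.example.org"            # constructed relying party ID
ORIGIN = "https://" + RP_ID               # the only origin the server accepts
PHISH_HOST = "accounts.example.org.login.example.net"   # constructed look-alike

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Inputs are secret and time only: no origin."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def client_data(origin: str, challenge: str) -> bytes:
    """Built by the browser, which records the origin the user is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def _mac(key: bytes, auth_data: bytes, cdata: bytes) -> bytes:
    # authData || SHA-256(clientDataJSON); HMAC is an assumed stand-in for ECDSA.
    return hmac.new(key, auth_data + hashlib.sha256(cdata).digest(), hashlib.sha256).digest()

def authenticator_sign(key: bytes, rp_id: str, cdata: bytes):
    # authData = rpIdHash (32) || flags (1, user present) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    return auth_data, _mac(key, auth_data, cdata)

def rp_verify(key: bytes, challenge: str, cdata: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(cdata)
    return (cd.get("type") == "webauthn.get" and cd.get("challenge") == challenge
            and cd.get("origin") == ORIGIN
            and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()
            and hmac.compare_digest(sig, _mac(key, auth_data, cdata)))

def demo() -> dict:
    key, seed, chal, now = b"constructed-key", b"constructed-seed", "c2FtcGxl", 1662310090
    # TOTP: a code relayed through another site verifies like a direct login.
    relayed_totp = hmac.compare_digest(totp(seed, now), totp(seed, now + 5))
    good = client_data(ORIGIN, chal)
    direct = rp_verify(key, chal, good, *authenticator_sign(key, RP_ID, good))
    # Look-alike origin: the browser scopes the request to that host instead.
    bad = client_data("https://" + PHISH_HOST, chal)
    auth_bad, sig_bad = authenticator_sign(key, PHISH_HOST, bad)
    relayed = rp_verify(key, chal, bad, auth_bad, sig_bad)
    # Swapping in clientDataJSON with the real origin breaks rpIdHash and signature.
    rewritten = rp_verify(key, chal, good, auth_bad, sig_bad)
    return {"totp_relayed": relayed_totp, "webauthn_direct": direct,
            "webauthn_relayed": relayed, "webauthn_rewritten": rewritten}
```

In a real deployment the authenticator would hold no credential for the look-alike RP ID at all; the example lets it sign anyway to show that the server-side checks still reject the result.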
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx