Re: Inactive packagers to be removed after the F37 release

On Tue, Sep 6 2022 at 10:11:54 AM -0700, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote:
i.e. it was specifically about moving away from allowing "simple
TOTP/HOTP" 2FA, as it is phishable, and requiring webauthn, of which
Vitaly's points are I believe accurate.

Yes indeed.

That said, I *think* it could be done entirely in software, as the browser doesn't actually know whether it's talking to real hardware or to software pretending to be real hardware, right? I don't know enough about FIDO2 to be sure, but I assume that it should be possible to do it. Using a hardware token is not actually the primary goal. The goal is to programmatically enforce that the authentication token is keyed to the domain that is *actually* requesting authentication, as reported by the web browser, so the 2FA token that gets generated for the fake fedoraproject.org.evil would not be a valid 2FA token for the real fedoraproject.org.

Of course, hardware authenticators would be even more secure, and it sure seems pretty reasonable to expect that people with commit access to Fedora packages are able to purchase a $25 or 30€ security key [1][2]. You don't need to spend $50 for a simple security key. But this really only makes a difference if the packager's computer is compromised, and at that point we've probably already lost.

Any 2FA is better than no 2FA. Currently I do not have any 2FA enabled on my Fedora account because there's no way to disable it once enabled, and I'm afraid something will break, so I'm not brave enough to opt in. I highly doubt I'm alone here.

Michael

[1] https://www.yubico.com/product/security-key-nfc-by-yubico/
[2] https://shop.nitrokey.com/shop/product/nkfi2-nitrokey-fido2-55
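To illustrate the origin binding Michael describes, here is an added example (not part of the thread and not Fedora code) that simulates the browser, authenticator and relying-party steps of a WebAuthn assertion in Python. An HMAC key stands in for the token's per-credential ECDSA key, and the browser's rpId rule is reduced to a host-suffix check; both are simplifying assumptions.

```python
import hashlib, hmac, json, secrets, struct
from urllib.parse import urlparse

# Stand-in for the authenticator's private key: a real FIDO2 token signs with
# ECDSA, but an HMAC key is enough to show the origin binding (assumption).
AUTHENTICATOR_KEY = secrets.token_bytes(32)

def browser_get_assertion(page_origin: str, requested_rp_id: str, challenge: bytes) -> dict:
    """Browser side. The page supplies rpId and challenge; the browser refuses an
    rpId that is not the page's host or a registrable suffix of it, and it fills
    in the origin itself, so the page cannot claim to be a site it is not."""
    host = urlparse(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"rpId {requested_rp_id!r} is not valid for {page_origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP set) || 32-bit signature counter
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(assertion: dict, rp_id: str, origin: str, challenge: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != origin:
        return False  # signed for some other site: a relayed phishing assertion
    if assertion["auth_data"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def phishing_relay_succeeds() -> bool:
    """A fake site relays the real site's challenge and forwards what it gets back."""
    challenge = secrets.token_bytes(32)
    try:  # the browser will not even mint an assertion for the real rpId here
        stolen = browser_get_assertion("https://fedoraproject.org.evil", "fedoraproject.org", challenge)
    except ValueError:
        stolen = browser_get_assertion("https://fedoraproject.org.evil", "fedoraproject.org.evil", challenge)
    return rp_verify(stolen, "fedoraproject.org", "https://fedoraproject.org", challenge)

def legitimate_login_succeeds() -> bool:
    challenge = secrets.token_bytes(32)
    a = browser_get_assertion("https://fedoraproject.org", "fedoraproject.org", challenge)
    return rp_verify(a, "fedoraproject.org", "https://fedoraproject.org", challenge)
```

A TOTP code has no equivalent of the origin or rpIdHash fields, which is why the same six digits work wherever they are typed.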

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx