Re: Inactive packagers to be removed after the F37 release

On Tue, 06 Sep 2022, Adam Williamson wrote:
> On Tue, 2022-09-06 at 16:47 +0000, Tommy Nguyen wrote:
> > On Tue, 2022-09-06 at 18:18 +0200, Vitaly Zaitsev via devel wrote:
> > > On 06/09/2022 17:00, Gary Buhrmaster wrote:
> > > > mobile device
> > >
> > > Requires proprietary Google services.
> > >
> > > > computer
> > >
> > > Requires proprietary TPM 2.0 chip.
> >
> > Hi,
> >
> > Neither of these is true. For example, I use Raivo on my iOS device,
> > which isn't proprietary.
> >
> > It seems that your concerns regarding 2FA are based on a number of
> > misconceptions.
> >
> > 1. That it will cost money
> >
> > You can generate TOTP codes using password generators, desktop apps, or
> > even by hand in the command line. It's a simple algorithm that doesn't
> > even require an Internet connection. However, in order for it to truly
> > be 2FA, it should be on a separate device (i.e., your phone), though
> > generating it on the desktop is what people do if they have no external
> > device.
> >
> > 2. That the algorithm will pose problems in other countries
> >
> > I'm aware of ITAR and munitions exports, but I'm not convinced SHA1 and
> > HMAC pose as much of a problem as you say they do, even in
> > Russia/China.
> >
> > 3. That it requires specialized hardware
> >
> > Again, not true. See part 1. TOTP should work on any device regardless
> > of the underlying hardware so long as it supports basic cryptographic
> > primitives.
>
> This section of the thread seems to be moving rather at cross-purposes.
> This was mcatanzaro's original proposal:
>
> "In the long run, we should be moving to require WebAuthn for all
> Fedora authentication-related purposes, since it's unphishable. Last
> year I entered my GitHub password into a phishing page that was
> proxying the real GitHub... if the evil page had gone to just slightly
> more effort, it could have easily intercepted a simple TOTP/HOTP
> challenge. This is not possible with WebAuthn, which I would say
> actually is pretty much equivalent to a security magic bullet."
>
> i.e. it was specifically about moving away from allowing "simple
> TOTP/HOTP" 2FA, as it is phishable, and requiring WebAuthn, on which
> Vitaly's points are, I believe, accurate.

Yep. We are not there yet with regards to this use case being
implemented in Fedora AAA, but our goal is to provide an infrastructure
in Fedora 38 for Kerberos and local system integration, hopefully.

Looking at hardware products, the cheapest FIDO2 authenticator I know
of is the Token2 T2F2 FIDO2 and U2F Security Key (10.00 EUR per key
plus shipping costs) [1]. I am in contact with Token2 to see if we can
test this hardware in our SSSD/FreeIPA development.

Google's OpenSK platform is something people have already tried to turn
into a FIDO2 virtual authenticator; see [2] for an example of integrating
it with QEMU. This is far from being complete and user-friendly.


[1] https://www.token2.eu/shop/product/token2-t2f2-fido2-and-u2f-security-key
[2] https://github.com/google/OpenSK/issues/485

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
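The two properties the thread argues over, as an added example that is not part of the original messages or of any Fedora, SSSD or FreeIPA code: TOTP per RFC 4226/6238 computed with nothing but HMAC-SHA1 and a clock (checked against the RFC test vectors, so it can be run "by hand" offline), a simulated relaying proxy that gets a victim's TOTP code accepted by the real site, and a WebAuthn-style assertion whose signed clientDataJSON (origin) and authenticatorData (rpIdHash) make the same relay fail. The relying-party ID fedoraproject.org, the accounts.* origin, the look-alike phishing origin, the per-credential secret and the challenge bytes are all constructed for the example; the authenticator's ES256 signature is stood in for by HMAC-SHA256 over that secret, since only the relying party's origin, RP ID and challenge checks are the point here.

```python
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# ---- TOTP (RFC 6238) over HOTP (RFC 4226): needs only HMAC-SHA1 and a clock, no network ----

def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC(key, 8-byte big-endian counter), then RFC 4226 dynamic truncation to decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    return hotp(key, unix_time // step, digits, algo)

RFC_SEED = b"12345678901234567890"  # reference key from the RFC 4226 / RFC 6238 test vectors

# ---- A relaying phishing proxy defeats TOTP: the code carries no notion of where it was typed ----

class TotpRelyingParty:
    def __init__(self, key: bytes, step: int = 30):
        self.key, self.step = key, step

    def login(self, code: str, now: int) -> bool:
        # Tolerate one step of clock drift either side, as deployments commonly do.
        candidates = (totp(self.key, now + d * self.step, self.step) for d in (-1, 0, 1))
        return any(hmac.compare_digest(code, c) for c in candidates)

def relay_totp_phish(rp: TotpRelyingParty, victim_key: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it to the real site unchanged."""
    typed_on_phishing_page = totp(victim_key, now)
    return rp.login(typed_on_phishing_page, now)  # True: the real site cannot tell the difference

# ---- WebAuthn-style assertion: the origin the browser saw and the RP ID are under the signature ----
# Assumption: the authenticator's ES256 signature is stood in for by HMAC-SHA256 over a per-credential
# secret; what this shows is the relying party's origin / rpIdHash / challenge verification.

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def browser_get_assertion(cred_secret: bytes, page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """What browser + authenticator return for navigator.credentials.get() issued from page_origin."""
    host = urlparse(page_origin).hostname or ""
    # Browsers only let a page use an RP ID equal to its own host or a registrable suffix of it.
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use rpId {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)  # rpIdHash|flags(UP)|counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_secret, to_sign, hashlib.sha256).digest()}

def rp_verify_assertion(cred_secret: bytes, rp_id: str, expected_origin: str,
                        expected_challenge: bytes, assertion: dict) -> bool:
    """The checks the WebAuthn spec requires of the relying party before it accepts an assertion."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != b64url(expected_challenge):
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest() or not auth_data[32] & 0x01:
        return False
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["signature"], expected_sig)

RP_ID = "fedoraproject.org"                              # assumed relying party for the example
RP_ORIGIN = "https://accounts." + RP_ID
PHISH_ORIGIN = "https://accounts-fedoraproject.example"  # constructed look-alike origin

def relay_webauthn_phish(cred_secret: bytes, challenge: bytes) -> bool:
    """The proxy fetches a real challenge and asks the victim's browser, on its own page, to sign it."""
    try:
        assertion = browser_get_assertion(cred_secret, PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError:
        # The browser refuses an RP ID the phishing host is not under; the only RP ID it may use
        # is its own, so the assertion carries the wrong origin and the wrong rpIdHash.
        assertion = browser_get_assertion(cred_secret, PHISH_ORIGIN, "accounts-fedoraproject.example", challenge)
    return rp_verify_assertion(cred_secret, RP_ID, RP_ORIGIN, challenge, assertion)  # False: rejected

if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SEED, 59, digits=8))
    print("TOTP relayed through a proxy accepted:", relay_totp_phish(TotpRelyingParty(RFC_SEED), RFC_SEED, 1662480000))
    print("WebAuthn relayed through a proxy accepted:", relay_webauthn_phish(b"per-credential-secret", b"\x00" * 32))
```

Run it directly to see the three results. The decisive difference is not the signature primitive but what is signed: a TOTP code is six digits that any page can ask for and any proxy can forward, while a WebAuthn assertion signs the origin the browser actually loaded and the hash of the RP ID, and the browser refuses to mint an assertion for an RP ID the page is not under, so a proxy on another host cannot even request one for fedoraproject.org, let alone produce one whose origin field matches.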