On Wed, 2022-09-07 at 14:26 +0200, Petr Pisar wrote:
> > So I am going to say I am in agreement with Vitaly that FIDO2 is not a
> > solution we could support at this time. At most we could support HOTP via
> > yubikey but we would need to be able to make sure
> > 1. That we have some sort of '5 codes which can be used in case of
> > emergency'. These are printed on a screen and that is it.
> > 2. We make sure that people have 2 additional devices attached before OTP
> > is 'enabled'.
> >
> > Otherwise this is going to end in tears even before we tried to get 'FIDO2'
> > set up.
> >
> Do people lose their tokens more often than forget their passwords?
> How do we deal with a forgotten password now
> <https://accounts.fedoraproject.org/forgot-password/ask>?
> Do we have to strengthen an authentication reset with the advent of
> tokens?
>
> I'm asking because to me it seems that the problem as you painted it is not
> about having a token but about resetting authentication credentials.
>
> Shouldn't we instead start with strengthening the credentials reset even for
> password-only authentication? I.e. disallowing the reset. Or enabling having
> multiple passwords.
>
> -- Petr

The security is only as strong as the weakest link. Oftentimes this is the password or the password reset. For example, 2FA via SMS is deprecated, yet some websites allow you to fall back to SMS if you do not have TOTP available. This is more convenient for users, but horribly insecure (an attacker can just fall back to the more insecure option since it's available). The most secure option is to ONLY allow TOTP, for example, and once it's enabled, lock the user out if they lose access to their device. Typically companies will verify a user's identity if they need to reset their 2FA (technically insecure due to social engineering attacks, which has been a problem recently).
Given that Fedora is a community project, it may be more feasible to verify someone's identity than some random corporate support desk, but still susceptible to social engineering. Anyway, users are always going to forget their passwords, lose their devices and want an easy way back in, but making the security weak to accommodate this just trains bad behaviors I think.
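The policy argued in the reply above (no silent fallback to a weaker factor once OTP is on) together with the two prerequisites quoted from the earlier message (a handful of one-time emergency codes shown exactly once, and two devices enrolled before OTP can be enabled), as an added Python example. This is not code from the Fedora account system or from anyone in the thread; the MfaAccount class, its method names, the look-ahead window of 10, and the use of plain SHA-256 for storing the random recovery codes are assumptions made for illustration. The HOTP routine follows RFC 4226, and the test secret is the one from that RFC's test-vector appendix.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

# Constructed example: the secret from RFC 4226 Appendix D, used so the
# generated codes can be checked against the published test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class MfaAccount:
    """Hypothetical account model (not Fedora's) encoding three rules:
    OTP cannot be enabled with fewer than MIN_DEVICES tokens enrolled,
    recovery codes are returned once and burned on use, and any method
    other than HOTP or a recovery code is refused rather than offered as
    a convenient downgrade."""

    MIN_DEVICES = 2      # assumption: the "2 additional devices" from the thread
    RECOVERY_CODES = 5   # assumption: the "5 codes ... in case of emergency"
    LOOK_AHEAD = 10      # assumption: unused token presses tolerated before resync fails

    def __init__(self) -> None:
        self.devices: Dict[str, dict] = {}   # device_id -> {"secret": bytes, "counter": int}
        self.recovery_hashes: Set[str] = set()
        self.otp_enabled = False

    def add_device(self, device_id: str, secret: bytes) -> None:
        self.devices[device_id] = {"secret": secret, "counter": 0}

    def can_enable_otp(self) -> bool:
        return len(self.devices) >= self.MIN_DEVICES

    def enable_otp(self) -> List[str]:
        if not self.can_enable_otp():
            raise ValueError(f"need at least {self.MIN_DEVICES} devices before enabling OTP")
        codes = [secrets.token_hex(5) for _ in range(self.RECOVERY_CODES)]
        # The codes are 40-bit random strings, so an unsalted SHA-256 is adequate
        # for at-rest storage; only the hashes are kept server-side.
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        self.otp_enabled = True
        return codes  # displayed to the user exactly once, then discarded

    def verify(self, method: str, credential: str, device_id: str = "") -> bool:
        if not self.otp_enabled:
            raise ValueError("OTP is not enabled on this account")
        if method == "hotp":
            dev = self.devices.get(device_id)
            if dev is None:
                return False
            # Server-side look-ahead window (RFC 4226 section 7.4): accept the
            # first matching counter in the window and move past it, so a
            # replayed code is never accepted twice.
            for c in range(dev["counter"], dev["counter"] + self.LOOK_AHEAD):
                if hmac.compare_digest(hotp(dev["secret"], c).encode(), credential.encode()):
                    dev["counter"] = c + 1
                    return True
            return False
        if method == "recovery":
            h = hashlib.sha256(credential.encode()).hexdigest()
            if h in self.recovery_hashes:
                self.recovery_hashes.discard(h)  # single use
                return True
            return False
        # SMS, e-mail links and anything else are downgrade paths: refused,
        # not silently accepted because the user happens to have lost a token.
        return False


if __name__ == "__main__":
    acct = MfaAccount()
    acct.add_device("yubikey-1", RFC4226_SECRET)
    acct.add_device("yubikey-2", b"second-token-secret-bytes")
    emergency = acct.enable_otp()
    print("recovery codes (shown once):", emergency)
    print("hotp counter 0 accepted:", acct.verify("hotp", "755224", "yubikey-1"))
    print("replay of same code:", acct.verify("hotp", "755224", "yubikey-1"))
    print("sms fallback:", acct.verify("sms", "123456"))
```

The look-ahead loop is what makes a hardware HOTP token usable in practice (the user may press the button a few times without logging in), while the counter advance after a match is what keeps a captured code from being replayed; the recovery path is the only sanctioned way back in, and it consumes itself.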