On Wed, Sep 7, 2022 at 12:27 PM Petr Pisar <ppisar@xxxxxxxxxx> wrote:
> Do people lose their tokens more often than forget their passwords?

Depends on the person, of course. However, it is less common that one loses a token and does not somewhat quickly notice it (especially if it is on their mobile device, or their computer, or their keyring) than they lose (having someone else obtain) or forget their password (especially if the password is not used often).

In any case, it is considered best practice to have two strong identifier objects, so that one can replace a lost/stolen one in one's account. Sometimes that second identifier is a set of one time passcodes, and sometimes that is a second enrolled device, which can (and should) be stored in a separable secure location (lockbox, etc.).

Some companies that allow one to turn on strong identity controls even require one to enroll two devices and/or obtain your one-time passcodes before they allow you to enable 2FA. Requiring this upfront action is typically easier (for the individual) than having an option to set up various recovery mechanisms to recover from lost passwords (since few apparently do do that in advance) or for the company to have to re-establish your identity before resetting your password (which does not work well at large scales and for free services).

In any case, until SSSD/FreeIPA supports the advanced capabilities (somewhat soon-ish), and the enhancements or replacement of Ipsilon occurs to support that, this is all just theoretical.