TLS client certificates is actually not a terrible idea. They're not
very popular anymore, but they're supported by all major browsers (I
think?) and they work.
On Wed, Sep 14 2022 at 02:08:32 PM +0200, Vitaly Zaitsev via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 14/09/2022 10:01, Demi Marie Obenour wrote:
Still, even a pure software FIDO2 implementation is much better than
TOTP etc.
I don't think so. Malware can easily steal the private key. Simple
TOTP
on a separate device is much better.
Well they're different threats with different solutions. Installing
malware on users' computers is a lot harder than phishing them, so I'd
much rather see software-based FIDO2 than TOTP on a separate device. At
least I'm not aware of any malware running on my computer, but I
already confessed to entering a password into a phishing website, so we
know you can phish me at least. If you want to protect against *both*
threats, use a security key, but you've already pushed back against
requiring a hardware purchase.
It's impossible to enforce use of a separate device regardless of
whether you're doing TOTP or FIDO2. I use my Yubikey only for my
highest-security work account. Everything else uses a TOTP app running
on-device, vulnerable to malware. (I don't want to buy a smartphone
just to do TOTP: no way. A $25 security key sounds much more
reasonable.)
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
