On Wed, 2022-09-14 at 10:25 -0500, Michael Catanzaro wrote: > > On Wed, Sep 14 2022 at 06:58:12 AM +0000, Tommy Nguyen > <remyabel@xxxxxxxxx> wrote: > > I'm not entirely convinced. See this paper: > > https://eprint.iacr.org/2020/1298.pdf > > I only read the abstract of this paper, but looks like the researchers > have found that FIDO is indeed unphishable. Seems their attack relies > on websites allowing downgrade to weaker forms of 2FA. Yup. The thrust of the paper is: in the real world FIDO2 is usually deployed alongside older/weaker forms of 2FA, so an attacker can pretend to the victim that FIDO auth didn't work and convince them to try a weaker method instead, then phish that. Which is a reasonable point, but not necessarily relevant to us. We *could* require only strong auth and not have weaker fallback methods. -- Adam Williamson Fedora QA IRC: adamw | Twitter: adamw_ha https://www.happyassassin.net _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue