On Wed, 2022-09-14 at 18:35 -0400, Simo Sorce wrote:
> On Wed, 2022-09-14 at 15:11 -0700, Adam Williamson wrote:
> > On Wed, 2022-09-14 at 10:25 -0500, Michael Catanzaro wrote:
> > >
> > > On Wed, Sep 14 2022 at 06:58:12 AM +0000, Tommy Nguyen
> > > <remyabel@xxxxxxxxx> wrote:
> > > > I'm not entirely convinced. See this paper:
> > > > https://eprint.iacr.org/2020/1298.pdf
> > >
> > > I only read the abstract of this paper, but it looks like the researchers
> > > have found that FIDO is indeed unphishable. Seems their attack relies
> > > on websites allowing downgrade to weaker forms of 2FA.
> >
> > Yup. The thrust of the paper is: in the real world FIDO2 is usually
> > deployed alongside older/weaker forms of 2FA, so an attacker can
> > pretend to the victim that FIDO auth didn't work and convince them to
> > try a weaker method instead, then phish that.
> >
> > Which is a reasonable point, but not necessarily relevant to us. We
> > *could* require only strong auth and not have weaker fallback methods.
>
> So I have been thinking about this: how do you deal with the inevitable
> fact that keys get lost or stop working if there is no alternative
> authentication method?
>
> I guess people can enroll 2 separate keys (if Fedora Infra will allow
> that), but not everyone has the means to do that.

Same way you deal with people losing their passwords or current 2FA
tokens: slowly and awkwardly. Basically, have a human deal with it, and
establish as best they can that the person claiming they lost their
tokens really is the person who ought to have them. Of course, if you do
issue new tokens, send an alert about this to all known contact methods
for the account, so if it *was* an Evil Person doing it, and the Evil
Person hasn't also compromised all of those contact methods too, the
Real Packager will know something funky has happened and - hopefully -
reach out and get the account frozen again.
The hardcore way is to say "welp, too bad, your account's gone, create a
new one and start over, including going through the maintainer process
again", but that might be a bit *too* hardcore.

This is a perennial issue, though, and the weakest point of the whole
FIDO2 concept overall, including in the way it's being promoted to a
mass audience as password-less auth for everything. The official story
is you should also enrol a backup phone or tablet or something that you
keep at home, then if you lose your main phone, you can get into the
system with the backup device, enrol a new main device, and unenrol the
lost/stolen main device. But if you *aren't* rich enough to have spare
phones/tablets lying around the place, or you just manage to lose both,
the story is basically "you go into an Apple store or call up Google or
Samsung etc. and somehow convince them you are you and they will then
auth a new device onto your account". So, awkward squishy human
processes again.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
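The two controls the thread argues for, as a small policy model added here for illustration (Python written for this page, not code from Fedora Infra or from anyone in the thread; the account fields, method names and contact strings are assumptions): a FIDO2-only login that refuses to fall back to a weaker second factor, which is the downgrade the paper's attack depends on, and a recovery path that only a human-verified request can trigger and that alerts every known contact so the real owner can ask for a freeze.

```python
"""Hypothetical account-policy model (added illustration, not Fedora Infra code)."""
from dataclasses import dataclass, field

STRONG_METHODS = {"fido2"}              # assumed method names
WEAK_METHODS = {"totp", "sms", "password"}


@dataclass
class Account:
    name: str
    fido2_keys: set = field(default_factory=set)   # credential ids (constructed)
    contacts: list = field(default_factory=list)   # e.g. "mail:...", "sms:..."
    frozen: bool = False


def login(acct: Account, method: str, credential: str) -> bool:
    """Accept only an enrolled FIDO2 credential. A weaker method is never
    accepted as a fallback, so "FIDO didn't work, try TOTP" has nothing to phish."""
    if acct.frozen or method not in STRONG_METHODS:
        return False
    return credential in acct.fido2_keys


def recover(acct: Account, new_key: str, verified_by_human: bool) -> list:
    """Replace lost keys only after an operator has verified identity out of band.
    Old keys are revoked and an alert is generated for every known contact, so an
    impostor's recovery is visible to the real owner. Returns (contact, message)."""
    if not verified_by_human:
        raise PermissionError("recovery requires manual identity verification")
    acct.fido2_keys = {new_key}
    msg = (f"{acct.name}: FIDO2 key re-enrolled via manual recovery; "
           "if this was not you, ask for the account to be frozen")
    return [(contact, msg) for contact in acct.contacts]


def freeze(acct: Account) -> None:
    """Lock the account pending investigation; login() then rejects every method."""
    acct.frozen = True
```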