Re: Inactive packagers to be removed after the F37 release

On Wed, 14 Sept 2022 at 18:36, Simo Sorce <simo@xxxxxxxxxx> wrote:
> On Wed, 2022-09-14 at 15:11 -0700, Adam Williamson wrote:
> > On Wed, 2022-09-14 at 10:25 -0500, Michael Catanzaro wrote:
> > >
> > > On Wed, Sep 14 2022 at 06:58:12 AM +0000, Tommy Nguyen
> > > <remyabel@xxxxxxxxx> wrote:
> > > > I'm not entirely convinced. See this paper:
> > > > https://eprint.iacr.org/2020/1298.pdf
> > >
> > > I only read the abstract of this paper, but looks like the researchers
> > > have found that FIDO is indeed unphishable. Seems their attack relies
> > > on websites allowing downgrade to weaker forms of 2FA.
> >
> > Yup. The thrust of the paper is: in the real world FIDO2 is usually
> > deployed alongside older/weaker forms of 2FA, so an attacker can
> > pretend to the victim that FIDO auth didn't work and convince them to
> > try a weaker method instead, then phish that.
> >
> > Which is a reasonable point, but not necessarily relevant to us. We
> > *could* require only strong auth and not have weaker fallback methods.
>
> So I have been thinking about this, how do you deal with the inevitable
> fact that keys get lost or stop working if there is no alternative
> authentication method?

Inevitable is usually about 4 to 5 emails a week to admin@xxxxxxxxxxxxxxxx from someone unable to log in and saying they lost their phone, token or other things. This is out of the couple hundred accounts currently with two factor enabled.

> I guess people can enroll 2 separate keys (if Fedora Infra will allow
> that), but not everyone has the means to do that.

Basically the system would have to enforce that you have to have a GPG key and verify that the system can decode a message from the person. Then all that security is left to how many developers set their gpg password to '123456' or 'password1' and then upload their secret keys to public websites so it is convenient for them. From relevant experience with Fedora, that number is non-zero.

--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
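As an added illustration of the GPG-based recovery check Stephen sketches (encrypt a challenge to the packager's registered key, accept only if they can send back the plaintext), here is a shell walk-through of the exchange. This is example code written for this page, not Fedora Infrastructure's account system. It assumes GnuPG 2.x is on PATH, uses a throwaway GNUPGHOME for both the "server" and the "user" side, and the account uid `packager@example.invalid` is hypothetical. The key is generated without a passphrase purely so the demo runs unattended; that is exactly the weakness Stephen's last paragraph points at, since the check proves possession of the secret key and nothing about how well it is protected.

```shell
#!/bin/sh
# Added example (not Fedora Infrastructure code): GPG challenge-response
# proof of key possession. Assumes gpg (GnuPG 2.x) is installed.
set -eu

# Server side: encrypt a fresh random nonce to the account's registered key.
# $1 = GNUPGHOME of the server keyring, $2 = registered uid, $3 = nonce
server_issue_challenge() {
    GNUPGHOME="$1" gpg --batch --quiet --trust-model always \
        --recipient "$2" --armor --encrypt <<EOF
$3
EOF
}

# User side: decrypt the armored challenge read from stdin with the secret key.
# $1 = GNUPGHOME of the user keyring
user_answer_challenge() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt
}

# Server side: the answer is accepted only if it equals the nonce issued.
# $1 = nonce the server issued, $2 = plaintext the user sent back
server_verify() {
    if [ "$1" = "$2" ]; then echo ok; else echo fail; fi
}

# Full exchange in throwaway keyrings; prints "<result> <negative-result>".
run_demo() {
    tmp=$(mktemp -d)
    user_home="$tmp/user"
    server_home="$tmp/server"
    mkdir -m 700 "$user_home" "$server_home"
    uid="packager@example.invalid"   # hypothetical account uid

    # User generates a key (passphrase-less ONLY for the unattended demo).
    GNUPGHOME="$user_home" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-gen-key "$uid" default default never

    # User "registers" the public key; server imports it into its keyring.
    GNUPGHOME="$user_home" gpg --batch --quiet --export "$uid" \
        | GNUPGHOME="$server_home" gpg --batch --quiet --import

    # Server issues a 128-bit random nonce encrypted to the registered key.
    nonce=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    challenge=$(server_issue_challenge "$server_home" "$uid" "$nonce")

    # User decrypts and returns the plaintext; server compares.
    answer=$(printf '%s\n' "$challenge" | user_answer_challenge "$user_home")
    result=$(server_verify "$nonce" "$answer")

    # Negative case: a guessed or replayed answer must be rejected.
    bad=$(server_verify "$nonce" "not-the-nonce")

    GNUPGHOME="$user_home" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$server_home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    echo "$result $bad"
}
```

Run `run_demo` after sourcing the file; it prints `ok fail`. In a real deployment the nonce would be single-use and short-lived, and the server would bind it to the account recovery request so a decrypted challenge cannot be replayed against another session.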
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue