On Sun, Mar 31, 2024 at 07:42:24AM -0400, Neal Gompa wrote: > > At this point, I'm used to MFA for stuff (and I use a password manager > that handles 2FA OTPs too), but the Fedora implementation of MFA is > uniquely bad because we have to do a lot in the terminal, and our MFA > implementation sucks for terminal usage. > > If MFA is turned on: > > 1. The Fedora account integration in GNOME breaks To clarify, goa cannot get a new token for you, but once you have gotten one with your otp, it will renew it for you until it's renewal time is over. > 2. You need to concatenate password and OTP for getting a krb5 session ticket Yep. I think this is being worked on... > 3. The recovery mechanism involves GPG signed emails Yep. Or... you can enroll multiple otps. You only need one to be working. You can enroll more and keep backup ones. > The experience using 2FA for Fedora accounts is sufficiently > unpleasant that I really don't want to use it. :( kevin
Attachment:
signature.asc
Description: PGP signature
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
