Re: Three steps we could take to make supply chain attacks a bit harder

Hi Kevin,

On Sun, Mar 31, 2024, at 7:31 PM, Kevin Kofler via devel wrote:
> Adam Williamson wrote:
>> Do we require 2FA for provenpackager yet?
>
> No. I am a provenpackager and do not have 2FA enabled (nor do I want it to 
> be).
>
>> People would say, justifiably so, that it was absolutely unacceptable for
>> us to be allowing single-factor authentication for contributors to a
>> general-purpose operating system in 2024. It is.
>
> This is nonsense propaganda. Most 2FA implementations cannot even guarantee 
> that the second factor is not stored right next to the first factor. Open 
> standards that do not depend on commercial hardware or telecommunication 
> operators, such as TOTP, cannot guarantee it by design. Any 2FA app that 
> works on my PinePhone is also going to work directly on my computer, so you 
> have no way to enforce that I use a different device for the second factor.
>
> 2FA is pointless security theater that just makes it a pain to contribute, 
> when we are all this time talking about lowering, not raising, the barrier to 
> entry.

I don't quite agree with you. Two-factor authentication, whether an actual second-factor
device or not, does prevent credential stuffing, which is a common attack
method that is easy to perform. It is when people take databases of previously leaked
passwords and try them on other accounts that belong to the same person. Since two
factors are generally unique per login situation, they can't be stuffed in the same way.

Of course, there are many things two-factor does not protect against.

Regards,

Simon