Re: Three steps we could take to make supply chain attacks a bit harder

I was hesitant to have MFA for a while. Imagine losing a phone with tons of tokens. What a hassle to recover from that. I found it less than ideal for practical reasons.

However, I decided instead to buy two Yubikeys (primary and backup), and I add the QRs to both of them with the Yubico App. I also screenshot my QRs, tar them, encrypt them with openssl and gpg, and upload them to two cloud locations also protected by MFA, and remove them from my computer. I repeat that when I add a new QR. I also have a txt together with the encrypted tars documenting the commands used to encrypt/decrypt so I remember the parameters to use. The reason I do that is to be able to load them into a new Yubikey in case I lose one.

There are alternatives to Yubikeys if they are too expensive for some. I do find them a good investment in general, though. I found having Yubikeys (at least two), or other similar devices cheaper than phones, to be the most practical way to do MFA. You can even use those same Yubikeys to unlock hard drives (luks), and go passwordless for some applications.

On 4/11/24 17:09, Gary Buhrmaster wrote:
On Mon, Apr 1, 2024 at 1:10 AM Kilian Hanich via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

2FA in a lot of cases is just access to a different account (e.g. email
or even SMS) and these normally aren't unique. Sure, there are other
ways like FIDO2, but these are not necessarily used (or liked, quite
frankly I know a lot of people who would lose them on a monthly basis,
but still are quite smart about other stuff).

Given that FIDO2 credentials can be stored
on your mobile device (and exchanged with
other devices), if those people are losing their
mobile devices every month they likely have
other issues (including a very expensive
mobile device replacement budget) for which
there is likely no viable solution.

FAS' use of TOTP 2FA is not a great solution
compared to FIDO2, and there are well known
attacks against TOTP 2FA, but even TOTP
2FA can reduce the doorknob rattling exploits.
As TOTP 2FA generators exist for most
mobile devices one will tend to have a
TOTP 2FA generator with one most of the
time.


To the Fedora leadership:

What is the best way to formally propose
that 2FA is required for packagers after
some date (I suppose we could have
different dates for PPs vs others if we
wanted to do that in order to get started
sooner).  Do we need a formal Change
Proposal to be voted on by someone?
It does not really seem like a FESCo
issue to me, but more of a policy issue
that might need to go to the Council?
I have no doubt that such a proposal
will be controversial with some, and
all those issues should get a (re-)airing
in front of those making the decision.
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
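The backup routine described at the top of this message (tar the QR screenshots, encrypt with openssl and then gpg, keep a txt with the exact decrypt commands, delete the plaintext) as an added shell example; it is not the poster's own script, and the cipher modes, PBKDF2 iteration count, passphrase files and the round-trip check are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example (not from the post): bundle TOTP QR screenshots, encrypt the
# tar twice (openssl, then gpg, as the post describes), keep a README with the
# exact decrypt commands, and verify the round trip before the originals go.
# Assumed choices: AES-256-CBC + PBKDF2 for openssl, AES256 symmetric for gpg,
# passphrases read from files, backup name passed without suffix.
set -eu

OPENSSL_OPTS="-aes-256-cbc -pbkdf2 -iter 100000"

# encrypt_qrs <qr-dir> <backup-name> <openssl-pass-file> <gpg-pass-file>
encrypt_qrs() {
  dir=$1; out=$2; pass_ssl=$3; pass_gpg=$4
  tar -cf "$out.tar" -C "$dir" .
  # Inner layer: openssl with a salted, PBKDF2-derived key.
  openssl enc $OPENSSL_OPTS -salt -pass "file:$pass_ssl" \
    -in "$out.tar" -out "$out.tar.enc"
  # Outer layer: gpg symmetric; loopback pinentry is required for --passphrase-file.
  gpg --batch --yes --pinentry-mode loopback --passphrase-file "$pass_gpg" \
    --symmetric --cipher-algo AES256 -o "$out.tar.enc.gpg" "$out.tar.enc"
  # The notes the post keeps next to the archive, so the parameters are not forgotten.
  cat > "$out.README.txt" <<EOF
Decrypt the gpg layer, then the openssl layer:
  gpg --batch --pinentry-mode loopback --passphrase-file <gpg-pass> \\
      -o $out.tar.enc -d $out.tar.enc.gpg
  openssl enc -d $OPENSSL_OPTS -pass file:<openssl-pass> \\
      -in $out.tar.enc -out $out.tar
  tar -xf $out.tar
EOF
  rm -f "$out.tar" "$out.tar.enc"    # no plaintext intermediates left on disk
}

# decrypt_qrs <backup-name> <dest-dir> <openssl-pass-file> <gpg-pass-file>
decrypt_qrs() {
  out=$1; dest=$2; pass_ssl=$3; pass_gpg=$4
  gpg --batch --yes --pinentry-mode loopback --passphrase-file "$pass_gpg" \
    -o "$out.tar.enc" -d "$out.tar.enc.gpg"
  openssl enc -d $OPENSSL_OPTS -pass "file:$pass_ssl" \
    -in "$out.tar.enc" -out "$out.tar"
  mkdir -p "$dest"
  tar -xf "$out.tar" -C "$dest"
  rm -f "$out.tar" "$out.tar.enc"
}

# dir_digest <dir>: stable checksum listing, used to prove the restore matches.
dir_digest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do cksum "$f"; done)
}
```

Run `decrypt_qrs` into a scratch directory and compare `dir_digest` of the original and restored trees before deleting the screenshots from the computer; a backup that has never been restored is only assumed to work.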


