On Sat, Apr 13, 2024 at 8:44 AM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> I sometimes think how hard it would be to explain all of this to my
> mother. I don't understand why 2FA needs to be so obscure and clumsy
> to use.

FIDO2 (Apple branded[0] as "passkeys") is not that hard to use, or explain.

The problem is that (a) passkeys are not yet universally supported (and, in this case specifically, by FAS[1]), and (b) unlike Apple (macOS, iOS, etc.), Microsoft (Windows), and Android, where the passkey is integrated into the OS inside a protected enclave, there is no trusted integrated support in Linux without an external FIDO2 key[2][3] or using the "scan a QR code" workaround with a mobile device which does support use of passkeys.

Unless your mother is using Linux (and while Mrs. Roberts has been using Linux for a long time, most moms don't), this is likely a time-limited issue as more and more sites support passkeys, and from the consumer point of view it all mostly just works.

I would like to imagine that FAS' current 2FA will eventually also be reasonably easy with FIDO2/passkeys, which is why I occasionally ask about the FIDO2 support status.

[0] I don't remember if there was any official assignment of the branding, but I heard that Apple was the org that suggested the name.

[1] As I understand it, if/when some of the FAS IdP moves to keycloak, FIDO2 2FA *could* be supported. However, there is no current schedule for that move that I am aware of, and unless Fedora uses the RHBK runtime, building keycloak from source for Fedora can be a real PITA (at least last I looked at it, maybe it has gotten easier).

[2] As I understand it, the issue is the lack of the required trusted environment in generic Linux. There are software implementations that do not have the hardware enclave protections,

[3] External FIDO2 keys are also not free, although I did see a $10 Adafruit FIDO2 key, which is the cheapest I have seen.
--
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
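The message above describes passkeys at the level of "the private key lives in an OS enclave, or on an external FIDO2 key". To make concrete what that key is actually used for, and why the relying party (the site doing the login) never needs to see it, here is an added example of the FIDO2/WebAuthn assertion exchange, written for this post and not taken from the thread, from FAS, or from Keycloak. The authenticator side signs SHA-256(rpId) || flags || signCount together with the hash of the browser-supplied clientDataJSON; the relying-party side checks rpIdHash, user presence, challenge, origin and the signature counter before trusting the ECDSA signature. The rpId "example.org", the origins, and the challenge values are constructed for the demo; the authenticator here is a plain software key (exactly the unprotected software case footnote [2] mentions), so it shows the protocol, not the enclave.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData the browser builds for an assertion.
// The page cannot change Origin; the browser fills it in, which is what stops phishing.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url without padding
	Origin    string `json:"origin"`
}

// Authenticator holds the per-credential private key. On macOS/iOS/Windows/Android
// this sits behind the OS enclave; here it is an in-memory software key (constructed).
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

// Assertion is what the relying party receives from the client.
type Assertion struct {
	AuthData       []byte
	ClientDataJSON []byte
	Signature      []byte
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Public is what the relying party stores at registration; the private key never leaves.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// GetAssertion is the authenticator side: sign SHA-256(authData || SHA-256(clientDataJSON)).
func (a *Authenticator) GetAssertion(rpID string, clientDataJSON []byte) (Assertion, error) {
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData[:32], rpHash[:])
	authData[32] = 0x01 // UP (user present) flag set
	binary.BigEndian.PutUint32(authData[33:], a.signCount)

	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: clientDataJSON, Signature: sig}, nil
}

// NewChallenge is the relying party's fresh per-login nonce (prevents replay).
func NewChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// ClientDataJSON stands in for the browser building CollectedClientData.
func ClientDataJSON(challenge, origin string) []byte {
	b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return b
}

// VerifyAssertion is the relying-party side. It returns the new signature counter to store.
// Counter check is simplified: this authenticator always increments, so "not greater" is rejected.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, lastCount uint32, as Assertion) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong clientData type")
	}
	if cd.Challenge != challenge {
		return 0, errors.New("challenge mismatch (replayed assertion?)")
	}
	if cd.Origin != origin {
		return 0, errors.New("origin mismatch (phishing site?)")
	}
	if len(as.AuthData) < 37 {
		return 0, errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return 0, errors.New("rpIdHash mismatch (credential for another site)")
	}
	if as.AuthData[32]&0x01 == 0 {
		return 0, errors.New("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= lastCount {
		return 0, errors.New("signature counter did not increase (cloned credential?)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], as.Signature) {
		return 0, errors.New("bad signature")
	}
	return count, nil
}

func main() {
	auth, _ := NewAuthenticator() // registration: RP stores auth.Public()
	ch, _ := NewChallenge()
	as, _ := auth.GetAssertion("example.org", ClientDataJSON(ch, "https://example.org"))
	count, err := VerifyAssertion(auth.Public(), "example.org", "https://example.org", ch, 0, as)
	fmt.Println("genuine login: counter", count, "err", err)

	// Same credential used from a look-alike origin: the browser records that origin,
	// so the RP rejects it even though the signature itself is valid.
	bad, _ := auth.GetAssertion("example.org", ClientDataJSON(ch, "https://example-org.test"))
	_, err = VerifyAssertion(auth.Public(), "example.org", "https://example.org", ch, 0, bad)
	fmt.Println("phished login: err", err)
}
```

The point to take from this, relative to the thread, is that everything the relying party checks is derived from the public key plus browser-supplied context; the only secret is the private key inside the authenticator, so "where does Linux keep that key safely" is the whole question, not the protocol.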