On 6/24/24 10:27 AM, Michael J Gruber wrote:
Guinevere Larsen venit, vidit, dixit 2024-06-24 13:53:37:
On 6/24/24 5:08 AM, Miroslav Suchý wrote:
Dne 24. 06. 24 v 9:48 dop. Mattia Verga via devel napsal(a):
IMO, having the token stored in your password manager means going
from 2FA to 1FA effectively ;-) if someone gets access to your
password manager vault, all accounts will be compromised.
Only if you use the same password manager for both: password and OTP.
It still makes it 1FA. If all you need to get the OTP is to know which
password manager the user uses, and what the password for that
password manager is, OTP goes from being a "something you have" type of
authentication factor to a "something you know" authentication factor,
which is the same factor as the password. Multi-factor authentication is
not about steps, it is about what you need to complete the authentication
challenge (something you know, something you have, or something you are).
Sure, and the "something you have" is access to the OTP device which in
this case is the (token stored in the ) password manager's database.
If you can count "something you have" like "having access to a
database", then I have access to the knowledge of my password and it is
still just 1FA. In fact, I also have my thumb, so fingerprint is also
"something I have" and there is only one true authentication method
going by this definition.
That's not how security factors work. Something you have must be a
physical thing. That's why you're supposed to put your OTP 2FA generator
on a different device from where you access the things you access.
The password or passphrase which unlocks the password manager is nothing
which you could provide as a "factor".
Or else, all cloneable OTP apps would need to be disallowed as 2nd
factors, and only physical tokens should count.
Well... yes. If we go by the strictest definition of a physical
authentication factor, if you can clone the physical thing without
having physical access to it, you're in trouble. That's why you
shouldn't save your private SSH/GPG keys in any old cloud out there, for
instance. If you have a backup, it should be one that's physically
accessible to you and only you at all times.
Now, as Stephen mentioned, compromises are made because security has to
work in real life. Backups are more important than ideal security, but
people should be aware of when they are deliberately breaking designed
security for convenience, and IMO, adding OTP generation to a cloud
database accessible on any device is way beyond a reasonable compromise
to use 2FA. You're as free to think it isn't too far for you as you are
free to use "Password1" for any online account.
--
Cheers,
Guinevere Larsen
She/Her/Hers
Michael
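Added illustration, not part of the thread above and not anyone's posted
code: the point that a TOTP secret sitting in a vault is "something you
know" rather than "something you have" comes down to the fact that a TOTP
code is a pure function of the shared secret and the clock (RFC 4226 HOTP
over a time counter, RFC 6238). The block below parses a constructed
otpauth:// record of the kind a password manager stores for a TOTP entry
and generates codes from it with nothing but the standard library. The
sample entry uses the RFC 6238 test key "12345678901234567890" (base32
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), so the outputs can be checked against
the RFC's published vectors; the account name and issuer are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of what a password manager keeps for a TOTP entry.
# Secret = RFC 6238 test key "12345678901234567890" in base32; the
# issuer/account are placeholders, not a real account.
SAMPLE_VAULT_ENTRY = (
    "otpauth://totp/Example:alice%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&algorithm=SHA1&digits=8&period=30"
)

DIGESTS = {
    "SHA1": hashlib.sha1,
    "SHA256": hashlib.sha256,
    "SHA512": hashlib.sha512,
}


def parse_otpauth(uri):
    """Extract key bytes and parameters from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0]
    # Exports frequently omit base32 padding; restore it before decoding.
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return {
        "key": base64.b32decode(padded),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, period=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to floor(time / period)."""
    return hotp(key, int(unix_time) // period, digits, digestmod)


def code_from_vault_entry(uri, unix_time):
    """The whole 'second factor', derived from the stored record alone."""
    p = parse_otpauth(uri)
    return totp(p["key"], unix_time, p["period"], p["digits"],
                DIGESTS[p["algorithm"]])


if __name__ == "__main__":
    # Anyone holding the vault record can produce the current code.
    print(code_from_vault_entry(SAMPLE_VAULT_ENTRY, time.time()))
```

Nothing here needs the device the secret was enrolled on: the vault record
plus a clock reproduces every code the server will accept, which is why a
cloned or synced secret does not behave like a possession factor.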
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue