Re: 2FA policy for provenpackagers is now active

On 24.06.24 at 17:51, DJ Delorie wrote:
> Kilian Hanich via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> writes:
>> One could argue that the "password manager file" is the "something you
>> have" thing.
>
> No, one cannot.  The three factors in security are:
>
> 1. Something you know, which means other people do NOT know it.  It
>     exists in your brain and nowhere else.
>
> 2. Something you have, which means nobody else can also have it.  It can
>     be held in your hand or stolen but there are not two of them.
>
> 3. Something you are, like your retina, fingerprints, DNA, weight, etc.
>     Something that another person cannot "be".
>
>
> Putting 2FA on your phone is grudgingly accepted because your phone is
> "something you have".  You don't "have" the app, you "have" the phone.
> You can't share your phone with someone else, and you'll notice if your
> phone is stolen.
>
> The "password manager file" can be copied, so it can't be "something you
> have" because someone else could have a copy too.  The password for that
> file might be "something you know" though, and the file might exist on
> "something you own", but the file itself isn't a security factor.


All OTP apps I know of can replicate their stuff to other devices (which
can be your laptop), some of which without deactivating the currently
active one (it's often just showing a QR code another phone can scan).

That is pretty much just like copying a file around (although a tad bit
more annoying, but not by much).

So, if we really don't count the password manager file because it can be
copied easily, one also cannot count the ones from apps since they
can also be easily replicated.
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
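
Added example, not part of the original message or of any Fedora code: a minimal RFC 6238 TOTP implementation illustrating the point argued in the reply above, that the `otpauth://` enrollment URI encoded in an authenticator QR code is a copyable shared secret, so every device holding it produces the same codes and the verifying server cannot tell them apart. The URI, issuer and account name are constructed sample values; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample enrollment URI (the text an authenticator QR code encodes).
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:packager?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&digits=8&period=30")

def parse_otpauth(uri):
    """Extract the shared secret and parameters from an otpauth:// URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = parse_qs(parsed.query)
    b32 = query["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # enrollment URIs usually omit base32 padding
    return {
        "key": base64.b32decode(b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }

def totp(params, unix_time):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", int(unix_time) // params["period"])
    mac = hmac.new(params["key"], counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])

def verify(server_params, submitted, unix_time):
    """Server-side check: it sees only the code, not which device made it."""
    return hmac.compare_digest(totp(server_params, unix_time), submitted)

def demo(unix_time=59):
    phone = parse_otpauth(SAMPLE_URI)   # device that enrolled first
    laptop = parse_otpauth(SAMPLE_URI)  # second device given the same QR/URI
    server = parse_otpauth(SAMPLE_URI)  # verifier holds the same secret
    laptop_code = totp(laptop, unix_time)
    return totp(phone, unix_time), laptop_code, verify(server, laptop_code, unix_time)

if __name__ == "__main__":
    print(demo())
```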



