Re: 2FA policy for provenpackagers is now active


 




On 24 June 2024 at 19:21:02 GMT+03:00, DJ Delorie <dj@xxxxxxxxxx> wrote:
>Kilian Hanich <khanich.opensource@xxxxxx> writes:
>> So, if we really don't count the password manager file because it can be
>> copied easily, one also cannot count the ones from apps since they
>> can also be easily replicated.
>
>I agree.  Hence "grudgingly accepted".

I wonder, as there seems to be significant variation on what different people consider true 2FA, should the policy also say something about the expectation on TOTP secret management? Or are we satisfied if proven packagers are able to generate TOTP by whatever means?

Personally, I have all my passwords AND all my TOTP in a single KeePassXC database that is replicated to devices where I need it. Previously, I had a separate app for TOTP, but I could not understand how having two databases with two passwords on my phone was increasing security, so I simplified. My understanding is that the only, but perhaps significant, gains here are that TOTP does not send its long-lived secret over the wire, and I cannot decide to reuse (a set of) secrets for more than one site. That is great, but not "multi factor", as this setup is usually called. Everything would be no less secure, and simpler for me, if I could just disable the traditional password for sites that accept TOTP.

I also have a hard time believing that there is a significant fraction of people who do not ever log into their important sites from their phone. So in my opinion the "your phone is your second factor" idea does not fly.
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



