Yubikey single-factor authentication disabled
Kevin Fenzi
kevin at scrye.com
Thu Mar 7 15:35:29 UTC 2013
On Thu, 7 Mar 2013 07:09:13 +0000
Clive Hills <discordianuk at gmail.com> wrote:
> I suppose I have to bite and ask why yubikey is regarded as
> single-factor? I guess it isn't something I know as well as something
> I have?
The way we had yubikeys deployed before (and what this thread is
talking about) was single factor. You needed only your login/account
name and the yubikey to login. While your login is indeed "something
you know" it's not something that _only_ you know, it's something that
anyone can trivially find out. The "something you know" in 2 factor
auth has to be a secret only you know. ;)
We are currently using yubikeys in a real 2 factor way in Fedora
infrastructure, but thats something only folks with shell access and
sudo access see right now. They have to enter password + yubikey (or
google authenticator code) to sudo.
We do hope to roll out more uses for 2 factor to web applications or
other places, but we have not yet had time to do so. Also, I want to
make sure when we do it's not a burden to contributors.
kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130307/1f4b5b9a/attachment.sig>
More information about the devel
mailing list