On Sun, Sep 4 2022 at 04:48:10 PM +0000, Gary Buhrmaster gary.buhrmaster@gmail.com wrote:
However, last this was discussed, the Fedora AAA system(s) did not (yet?) support the full fido2/webauthn/passkey functionality, so at this time such full integration is just a dream(*).
You don't have to be a provenpackager to be able to do serious damage; you just need to maintain one package that's installed by a sufficiently-interesting quantity of Fedora users. In the long run, we should be moving to require WebAuthn for all Fedora authentication-related purposes, since it's unphishable. Last year I entered my GitHub password into a phishing page that was proxying the real GitHub... if the evil page had gone to just slightly more effort, it could have easily intercepted a simple TOTP/HOTP challenge. This is not possible with WebAuthn, which I would say actually is pretty much equivalent to a security magic bullet.
That said, I say this keenly aware that WebKitGTK doesn't support WebAuthn yet, and I would be interacting with Fedora packaging a lot less if I couldn't use my normal web browser. And anybody who isn't willing to buy a security key wouldn't be able to contribute to Fedora at all.
Michael