On 9/13/22 21:37, Tommy Nguyen wrote:
> On Tue, 2022-09-06 at 16:14 -0500, Jonathan Wright via devel wrote:
>> On Tue, Sep 6, 2022 at 3:52 PM Vitaly Zaitsev via devel <
>> devel(a)lists.fedoraproject.org> wrote:
>>
>>> On 06/09/2022 19:49, Michael Catanzaro wrote:
>>>> Of course, hardware authenticators would be even more secure, and it
>>>> sure seems pretty reasonable to expect that people with commit access to
>>>> Fedora packages are able to purchase a $25 or 30€ security key [1][2].
>
> I think most people would find it not reasonable for contributors to an
> open source project to pay any amount of cash, even $25, to gain
> packaging rights. That's tantamount to a membership or entrance fee.
>
> While I think this discussion has gone off the rails, here are my
> thoughts:
>
> - Why such a focus on FIDO2? It seems that nobody has discussed any
> alternatives. FIDO2 isn't even necessarily universally acclaimed in the
> infosec space.

Because FIDO2 is not phishable. TOTP and HOTP are. The only other
non-phishable authentication method is TLS client certificates and
I would be fine with those.

> - Why such a focus on devices that cost money? I have 2FA enabled on my
> phone with a free open source TOTP app.

Because there is no good software FIDO2 implementation. This can be
solved with a TPM-backed one, since almost every laptop has a TPM.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
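The "not phishable" distinction drawn above comes down to origin binding: a TOTP code is six digits the relying party cannot tie to the site the user typed them into, whereas a WebAuthn assertion signs a clientDataJSON that the browser, not the page, fills with the real origin, and the browser refuses to use a credential whose rpId does not match the page's host. The following simulation is an added example, not code from this thread or from Fedora infrastructure. It assumes a constructed relying party `fedora.example`, a constructed look-alike origin `fedora-example.evil`, and uses an HMAC as a stand-in for the authenticator's asymmetric signature (that simplification does not affect the origin-binding checks being shown). The TOTP half follows RFC 6238 and is checked against its published test vector.

```python
"""Toy simulation: why a relayed TOTP code is accepted but a relayed
FIDO2/WebAuthn-style assertion is not. Added example; all names and the
HMAC-for-signature stand-in are constructed assumptions, not real code."""
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Tuple

RP_ID = "fedora.example"                      # constructed relying-party id
GOOD_ORIGIN = "https://fedora.example"        # constructed genuine origin
PHISH_ORIGIN = "https://fedora-example.evil"  # constructed look-alike origin


# ---------- TOTP (RFC 6238: HMAC-SHA1, 30 s step, dynamic truncation) ----------
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_rp_accepts(secret: bytes, code: str, now: int) -> bool:
    """The RP only sees digits; nothing in them says which page collected them."""
    return hmac.compare_digest(totp(secret, now), code)


def demo_totp_relay(now: int = 1_700_000_000) -> bool:
    """A look-alike page collects the code and forwards it to the real RP
    inside the same time step. Returns True: the RP cannot tell the difference."""
    secret = os.urandom(20)                   # shared at enrolment
    typed_on_phish_page = totp(secret, now)   # what the victim reads off the app
    return totp_rp_accepts(secret, typed_on_phish_page, now)


# ---------- FIDO2 / WebAuthn-style assertion ----------
class Authenticator:
    """One credential per rpId; signs authenticatorData || SHA-256(clientDataJSON)."""
    def __init__(self) -> None:
        self.creds: Dict[str, bytes] = {}

    def make_credential(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self.creds[rp_id] = key
        return key  # toy: the RP stores this as the credential's "public key"

    def get_assertion(self, rp_id: str, client_data: bytes) -> Tuple[bytes, bytes]:
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.creds[rp_id], to_sign, hashlib.sha256).digest()


def browser_get(authn: Authenticator, actual_origin: str, rp_id: str, challenge: str):
    """The browser writes the page's real origin into clientDataJSON and refuses an
    rpId that is not the page's host or a registrable suffix of it."""
    host = actual_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"origin {actual_origin} may not use rpId {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": actual_origin}).encode()
    auth_data, sig = authn.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(pub: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != GOOD_ORIGIN:       # origin binding: the anti-phishing check
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(pub, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo_fido2_legit() -> bool:
    authn = Authenticator()
    pub = authn.make_credential(RP_ID)
    challenge = os.urandom(16).hex()
    return rp_verify(pub, challenge, *browser_get(authn, GOOD_ORIGIN, RP_ID, challenge))


def demo_fido2_relay() -> str:
    """The look-alike page forwards the RP's genuine challenge to the victim's browser."""
    authn = Authenticator()
    pub = authn.make_credential(RP_ID)
    challenge = os.urandom(16).hex()
    try:
        client_data, auth_data, sig = browser_get(authn, PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError:
        return "blocked-by-browser"           # rpId/origin mismatch stops it client-side
    return "accepted" if rp_verify(pub, challenge, client_data, auth_data, sig) else "rejected-by-rp"


def demo_fido2_forged_origin() -> bool:
    """Second layer: clientDataJSON is inside the signed data, so even an assertion
    produced with the look-alike origin is rejected by the RP. (In the real protocol
    only the browser/platform builds clientDataJSON; this bypasses it to show the check.)"""
    authn = Authenticator()
    pub = authn.make_credential(RP_ID)
    challenge = os.urandom(16).hex()
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": PHISH_ORIGIN}).encode()
    auth_data, sig = authn.get_assertion(RP_ID, client_data)
    return rp_verify(pub, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("TOTP relay accepted:", demo_totp_relay())
    print("FIDO2 genuine login:", demo_fido2_legit())
    print("FIDO2 relay:", demo_fido2_relay())
    print("FIDO2 forged origin accepted:", demo_fido2_forged_origin())
```

The two FIDO2 checks are independent: the browser's rpId rule stops the credential from being exercised from the wrong origin at all, and the RP's comparison of the signed `origin` against its own catches anything that slips past the client. The TOTP path has no equivalent of either, which is the sense in which it is phishable regardless of whether the code comes from a hardware token or a free app.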