V Wed, Sep 07, 2022 at 07:51:15AM -0400, Stephen Smoogen napsal(a):
On Wed, 7 Sept 2022 at 02:53, Adam Williamson
<adamwill(a)fedoraproject.org>
wrote:
> On Wed, 2022-09-07 at 08:41 +0200, Vitaly Zaitsev via devel wrote:
> > On 06/09/2022 23:14, Jonathan Wright wrote:
> > > Fedora must be looked at as more than just a "hobby project"
even
> though
> > > it is a hobby for some.
> >
> > There are many casual maintainers who maintain one or two packages. We
> > shouldn't force them to leave Fedora.
> >
> > > It's an OS that many rely on and $25 is a somewhat trivial cost for
> improved security.
> >
> > There are many contributors from countries where $25 is a lot. We
> > shouldn't set up financial barriers. This is a dead end.
>
> I think we kind of have two competing factors here, and it's not much
> use Camp A saying "FACTOR A IS IMPORTANT!" and Camp B saying "NO
FACTOR
> B IS IMPORTANT!" and that just going round in circles.
>
> On the one hand, Fedora is not just a hobby project. It's an important
> upstream in the F/OSS ecosystem. Very important downstreams like
> CentOS, RHEL, Amazon Linux and others are built out of it. It's
> absolutely an attractive target for a supply chain attack. We have an
> ethical responsibility to the F/OSS community to harden ourselves
> against such attacks, and FIDO2 auth would be a good way to do that.
>
>
So I think all this focusing on FIDO2 as a requirement is the problem. We
are looking at least 2-3 years before Fedora Infrastructure could actually
support it at scale. This is not just technical support, but needing
people to actually handle the problems. We have a hard enough handling OTP
tokens that people put in and then immediately lose so can't log in or
change their accounts. Dealing with 100 developers who only put one token
on their system and then promptly lose it after going for a jog etc is
going to be a nightmare. [I had to support scientists with one time tokens
before, and it is a constant 'I lost my token and I need to be verified
that I am who I am. Can I get a new token?' etc.]
So I am going to say I am in agreement with Vitaly that FIDO2 is not a
solution we could support at this time. At most we could support HOTP via
yubikey but we would need to be able to make sure
1. That we have some sort of '5 codes which can be used in case of
emergency'. These are printed on a screen and that is it.
2. We make sure that people have 2 additional devices attached before OTP
is 'enabled'.
Otherwise this is going to end in tears even before we tried to get 'FIDO2'
set up.
Do people lose their tokens more often than forget their passwords?
How do we deal with a forgotten password now
<
https://accounts.fedoraproject.org/forgot-password/ask>?
Do we have to strenghten an authenticiation reset with the advent of tokens?
I'm asking because to me it seems that the problem as you painted it is not
about having a token but about resetting authentication credentials.
Shouldn't we instead start with strengthening the credentials reset even for
password-only authentication? I.e. disallowing the reset. Or enabling having
multiple passwords.
-- Petr