On Sun, Sep 4, 2022 at 3:52 PM Adam Williamson
<adamwill(a)fedoraproject.org> wrote:
> Well, not really. 2FA isn't a magic bullet. I would be in favor of
> doing this, but you can't treat any security measure as solving all
> your problems completely.

Nothing is a magic bullet (and most security can be bypassed
with the $10 (it was $5 before inflationary increase) wrench)
but passkeys (which can eliminate passwords entirely) do
tend to raise the bar substantially, and those services doing
authorization can require additional levels of real time identity
assurance for additional levels of access (so inserting a
USB token, or having your phone nearby, might let you log in,
but you need to provide additional something (PIN, biometrics,
whatever) to access things at a higher level at the time
you require that (say, for this case, using PP powers)).

However, last this was discussed, the Fedora AAA system(s)
did not (yet?) support the full FIDO2/WebAuthn/passkey
functionality, so at this time such full integration is just a
dream(*).

(*) Given that all the major tech companies are moving towards
allowing (and will be encouraging) customers to use passkeys
I hope we will see better integrations with FreeIPA and Ipsilon
at some point.