On Tue, 06 Sep 2022, Adam Williamson wrote:
On Tue, 2022-09-06 at 16:47 +0000, Tommy Nguyen wrote:
> On Tue, 2022-09-06 at 18:18 +0200, Vitaly Zaitsev via devel wrote:
> > On 06/09/2022 17:00, Gary Buhrmaster wrote:
> > > mobile device
> >
> > Requires proprietary Google services.
> >
> > > computer
> >
> > Requires proprietary TPM 2.0 chip.
>
> Hi,
>
> Neither of these is true. For example, I use Raivo on my iOS device
> which isn't proprietary.
>
> It seems that your concerns regarding 2FA are based on a number of
> misconceptions.
>
> 1. That it will cost money
>
> You can generate TOTP codes using password generators, desktop apps, or
> even by hand in the command line. It's a simple algorithm that doesn't
> even require an Internet connection. However, in order for it to truly
> be 2FA, it should be on a separate device (i.e., your phone), though
> generating it on the desktop is what people do if they have no external
> device.
>
> 2. That the algorithm will pose problems in other countries
>
> I'm aware of ITAR and munitions exports, but I'm not convinced SHA1 and
> HMAC pose as much of a problem as you say they do, even in
> Russia/China.
>
> 3. That it requires specialized hardware
>
> Again, not true. See part 1. TOTP should work on any device regardless
> of the underlying hardware so long as it supports basic cryptographic
> primitives.
This section of the thread seems to be moving rather at cross-purposes.
This was mcatanzaro's original proposal:
"In the long run, we should be moving to require WebAuthn for all
Fedora authentication-related purposes, since it's unphishable. Last
year I entered my GitHub password into a phishing page that was
proxying the real GitHub... if the evil page had gone to just slightly
more effort, it could have easily intercepted a simple TOTP/HOTP
challenge. This is not possible with WebAuthn, which I would say
actually is pretty much equivalent to a security magic bullet."
i.e. it was specifically about moving away from allowing "simple
TOTP/HOTP" 2FA, as it is phishable, and requiring WebAuthn, about which
Vitaly's points are, I believe, accurate.
Yep. We are not there yet with regard to this use case being
implemented in Fedora AAA, but our goal is to provide an infrastructure
in Fedora 38 for Kerberos and local system integration, hopefully.
Looking at hardware products, the cheapest FIDO2 authenticator I know
of is the Token2 T2F2 FIDO2 and U2F Security Key (10.00 EUR per key
plus shipping costs)[1]. I am in contact with Token2 to see if we can
test this hardware in our SSSD/FreeIPA development.
Google's OpenSK platform is something people have already tried to turn
into a FIDO2 virtual authenticator -- see [2] for an example of
integrating it with QEMU. This is far from complete and user-friendly.
[1] https://www.token2.eu/shop/product/token2-t2f2-fido2-and-u2f-security-key
[2] https://github.com/google/OpenSK/issues/485
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
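The quoted exchange makes two claims about TOTP that are easier to see in code than in prose: that it is a small offline HMAC-SHA1 construction anyone can compute on any device, and that a verifier has no way of knowing which web page the user typed the code into, which is exactly the proxy-phishing gap mcatanzaro describes. The following is an added example written for this thread, not code from Fedora AAA, FreeIPA, SSSD or any authenticator app. It implements HOTP (RFC 4226) and TOTP (RFC 6238) on the Python standard library, decodes the Base32 secrets that authenticator apps exchange via QR code, and adds the verifier-side skew window and replay check a real service needs. The secrets and timestamps used are the published RFC test vectors; the `last_counter` bookkeeping and the `window` parameter are my own additions and are labelled as such in the comments.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.

Added example for this thread; not Fedora/FreeIPA/SSSD code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.

    The whole "second factor" is this: a shared key and a counter. No network,
    no vendor service, nothing beyond HMAC and a hash function.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238: TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps and otpauth:// URIs carry the key as unpadded Base32."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore padding base64.b32decode wants
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1",
                window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matching time-step counter, or None.

    `window` tolerates +/- that many steps of clock skew and `last_counter`
    (the counter of the last accepted code, stored per user) rejects replays;
    both are additions of this example, not part of the RFC algorithm. Note
    what is absent: the verifier never learns which origin the user typed the
    code into, so a code relayed through a phishing proxy verifies fine.
    """
    counter = (unix_time // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:             # already used: refuse replay
            continue
        expected = hotp(secret, candidate, digits, algorithm)
        if hmac.compare_digest(expected, code):   # constant-time per comparison
            return candidate
    return None


def current_code(base32_secret: str) -> str:
    """What an authenticator app displays right now for a QR-code secret."""
    return totp(decode_base32_secret(base32_secret), int(time.time()))


if __name__ == "__main__":
    # RFC 6238 Appendix B test key ("12345678901234567890"), 8 digits, SHA-1.
    rfc_secret = b"12345678901234567890"
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(rfc_secret, t, digits=8))
    print("now:", current_code("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
```

The `__main__` block prints the RFC 6238 Appendix B codes, so you can confirm the implementation against the published vectors before trusting it with a real secret. Generating the code on the same machine that logs in, as the quoted text notes, still "works" but collapses the two factors onto one device; and nothing in `verify_totp` can distinguish a code submitted to the real site from one relayed by a proxy, which is the property WebAuthn's origin binding adds.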