On Thu, Apr 08, 2021 at 12:41:43PM -0700, Kevin Fenzi wrote:
so tons of people are playing around with them. A number of folks
are
not able to properly save their token, or run into problems adding it
and need to have that token removed so they can try again. Many of these
are new users that don't have a gpg key set in their account. We have
been getting a lot of these of late. ;(
Or some of them are, like, project leaders who also make mistakes. :)
* Could we require someone enter their password + token before
accepting
the token? ie, they try and enroll, ipa adds it, they have to verify, if
they can't, it's removed?
This is _very_ common in other implementations.
* Could we add 'recovery codes' so if someone enrolls and
it's
wrong/broken, they could use a code to login and add a new token and
remove the old broken one?
Likewise!
* Could we perhaps make a 'dev' noggin that people could test
with and
wipe all accounts from every day or something? Then ask people to test
there if they are unsure how to add otp
We probably _should_ have this for other reasons, but I don't think it's a
good solution to this problem. It adds complexity while still not
guaranteeing that what's done on the production instance will work.
* Could we 'hide' the otp setup until you have X groups or
something?
While this might help some people... ....... ..... .
2. How can we verify identity on people who request the removal of
their
last otp? Do we just tell them to make a new account?
Random ideas:
* If they are not in any groups, how about we just reset based on email?
* Or perhaps if they are not in any sysadmin* groups?
I think packager groups should also not be reset just based on email.
* If they are Red Hat employees we can use the internal verify thing
Yes. Is there a way we could extend something similar to non-RHers?
* We could use gpg signed email if there is a gpg key assigned to
the
account.
* Could we use ssh key to verify them?
That at least increases the barrier to impersonation.
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader