2 factor authentication

Toshio Kuratomi a.badger at gmail.com
Thu Sep 5 19:36:25 UTC 2013


On Thu, Sep 05, 2013 at 08:25:30PM +0100, Tristan Santore wrote:
> On 05/09/13 20:22, Toshio Kuratomi wrote:
> > On Thu, Sep 05, 2013 at 08:57:33PM +0200, Till Maas wrote:
> >> On Thu, Sep 05, 2013 at 12:01:35PM -0500, Ian Weller wrote:
> >> 
> >>> This is the same for a form that asks for password + token
> >>> code, but a simple password + token code field raises too many
> >>> questions for someone who is logging in to an application and
> >>> has no idea what a token code is.
> >> 
> >> IMHO it would be nice if the password field can be used to enter
> >> both password and token code at once to make login less annoying
> >> for 2fa users and therefore more likely that it is used.
> >> 
> > At least on the backend that will need to be supported.  There are
> > cases where we'll want to run applications that we don't write
> > ourselves that only have a single field for password.  For those
> > situations, the backend will have to be able to handle parsing a
> > single password field for a combined password+2fa.
> > 
> > I don't know if that needs to be expressed on the frontend but if
> > it's useful we might as well.
> > 
> > -Toshio
> > 
> > 
> > 
> > _______________________________________________ infrastructure
> > mailing list infrastructure at lists.fedoraproject.org 
> > https://admin.fedoraproject.org/mailman/listinfo/infrastructure
> > 
> I have another idea. Could we not do a password check, and if the
> password is correct, provide the 2fa interface? If the user then does
> not enter the 2fa, an email is sent to the actual user informing them of a
> failed login attempt, with the date and time and maybe the IP?
> 
> Does this sound more secure to anyone else?
> 
By another idea -- you mean unrelated, correct?  If so, I'd think we might
consider just sending email on any failed login attempt, password or 2fa.

Successful password and failed 2fa would certainly be something to highlight
more to the user, though --

"If you did not attempt this failed login, you should consider your Fedora
Account System password compromised.  Please change it in the Account System
and in any other systems where you might be using it (contrary to best
practices)."

-Toshio
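Worked example, added here by the editor and not code from this thread or from Fedora Infrastructure: a backend that accepts a single combined field, peels the trailing 6-digit TOTP code off the password (the layout Till and Toshio discuss above), verifies both factors, and then classifies the failure so that "correct password, wrong or missing second factor" can be reported to the account owner differently from a plain wrong password, as Tristan and Toshio propose. Assumptions not in the thread: the token is the last 6 digits of the field, TOTP per RFC 6238 (HMAC-SHA1, 30-second step, one step of clock skew tolerated), and passwords stored as PBKDF2-SHA256. The sample account, salt and secret are constructed for the example (the secret is the RFC 4226/6238 test-vector key).

```python
"""Combined password+TOTP login with failure classification (editor's example)."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

TOKEN_DIGITS = 6   # assumption: a 6-digit TOTP code appended to the password
TIME_STEP = 30     # assumption: 30-second TOTP step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(now / step)."""
    return hotp(secret, now // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


def verify_token(secret: bytes, token: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the current step and +/- skew_steps neighbours, constant-time."""
    ok = False
    for k in range(-skew_steps, skew_steps + 1):
        # no early return: timing must not reveal which step matched
        ok |= hmac.compare_digest(totp(secret, now + k * TIME_STEP), token)
    return ok


def split_combined(field: str) -> Tuple[str, Optional[str]]:
    """'hunter2123456' -> ('hunter2', '123456'); no trailing digits -> (field, None)."""
    if len(field) > TOKEN_DIGITS and field[-TOKEN_DIGITS:].isdigit():
        return field[:-TOKEN_DIGITS], field[-TOKEN_DIGITS:]
    return field, None


def authenticate(user: dict, field: str, now: int) -> str:
    """Classify one login attempt on a single combined field.

    Returns "ok", "bad_password", "missing_token" or "bad_token".  A password
    that itself ends in six digits is tried both ways, so a user who simply
    typed no token is reported as "missing_token", not "bad_token".
    """
    password, token = split_combined(field)
    if not verify_password(password, user["salt"], user["pw_hash"]):
        # the trailing digits may have been part of the password itself
        if token is not None and verify_password(field, user["salt"], user["pw_hash"]):
            return "missing_token"
        return "bad_password"
    if token is None:
        return "missing_token"
    if not verify_token(user["totp_secret"], token, now):
        return "bad_token"
    return "ok"


def failure_notice(outcome: str, when: str, ip: str) -> Optional[str]:
    """Body of the e-mail to the account owner; None when the login succeeded."""
    if outcome == "ok":
        return None
    base = f"Failed login for your account at {when} from {ip}."
    if outcome in ("missing_token", "bad_token"):
        # correct password but no valid second factor: treat the password as burned
        return base + (" The password was correct but the second factor was not."
                       " If this was not you, consider your password compromised"
                       " and change it here and anywhere else you reuse it.")
    return base + " The password was incorrect."


# constructed sample account (not real credentials)
SALT = b"\x01" * 16
TOTP_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector key
USER = {"salt": SALT,
        "pw_hash": hash_password("hunter2", SALT),
        "totp_secret": TOTP_SECRET}

if __name__ == "__main__":
    now = 59
    for attempt in ("hunter2" + totp(TOTP_SECRET, now), "hunter2", "wrong000000"):
        outcome = authenticate(USER, attempt, now)
        print(outcome, "->", failure_notice(outcome, "2013-09-05 19:36 UTC", "203.0.113.7"))
```

The ambiguity of a combined field is the password that happens to end in six digits; the retry in authenticate() costs one extra PBKDF2 run on that path only, and keeps the "your password is correct but your token was not" alert from firing on ordinary typos.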