2 factor authentication

Kevin Fenzi kevin at scrye.com
Thu Sep 5 19:58:32 UTC 2013


On Thu, 5 Sep 2013 12:36:25 -0700
Toshio Kuratomi <a.badger at gmail.com> wrote:

> By another idea -- you mean unrelated, correct?  If so, I'd think we
> might consider just sending email on any failed login attempt,
> password or 2fa.
> 
> Successful password and failed 2fa would certainly be something to
> highlight more to the user, though --
> 
> "If you did not attempt this failed login, you should consider your
> Fedora Account System Password Compromised.  Please change it in the
> Account System and any other systems that you might be using it
> (contrary to best practices)"

I'd prefer to avoid email on failed password unless we had some rate
limiting. Otherwise it's a way to allow anyone to DoS your email box.

Also, if we send email to users we should point them to a wiki page/FAQ
about what to do or who to contact. Otherwise they will get confused.

kevin
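
The rate limiting discussed in this message could look like the sketch below, an added example that is not part of the original thread or of the Fedora Account System code. The window lengths, the class and function names, and the FAQ URL are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy: at most one mail per account per window, per failure kind.
WINDOW_SECONDS = {"password": 3600, "2fa": 600}
FAQ_URL = "https://example.invalid/failed-login-faq"  # placeholder, not a real page


@dataclass
class _State:
    last_sent: Optional[float] = None  # time of the last mail for this key
    suppressed: int = 0                # failures swallowed since that mail


@dataclass
class FailedLoginNotifier:
    """Decides when a failed login produces an email (hypothetical helper)."""
    # In-memory only; call this just for accounts that exist so that guessed
    # usernames cannot grow the table.
    states: dict = field(default_factory=dict)

    def record_failure(self, account: str, kind: str, now: float) -> Optional[str]:
        """Return the mail body to send, or None when the attempt is throttled.

        kind is "password" (wrong password) or "2fa" (password correct,
        second factor wrong). An unknown kind raises KeyError.
        """
        window = WINDOW_SECONDS[kind]
        state = self.states.setdefault((account, kind), _State())
        if state.last_sent is not None and now - state.last_sent < window:
            state.suppressed += 1  # counted, but no mail: this is the DoS guard
            return None
        skipped, state.suppressed, state.last_sent = state.suppressed, 0, now
        return self._render(kind, skipped)

    @staticmethod
    def _render(kind: str, skipped: int) -> str:
        if kind == "2fa":
            lines = ["A login with your correct password failed the second factor.",
                     "If this was not you, consider your password compromised "
                     "and change it."]
        else:
            lines = ["A login to your account failed with a wrong password."]
        if skipped:
            lines.append(f"{skipped} further failed attempts were not mailed separately.")
        lines.append(f"What to do and who to contact: {FAQ_URL}")
        return "\n".join(lines)
```

Keeping a separate window per failure kind means a burst of wrong-password attempts cannot suppress the more important "password correct, 2FA failed" mail.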

