On Wed, 2022-09-07 at 14:26 +0200, Petr Pisar wrote:
> So I am going to say I am in agreement with Vitaly that FIDO2 is
> not a solution we could support at this time. At most we could support
> HOTP via yubikey but we would need to be able to make sure
> 1. That we have some sort of '5 codes which can be used in case of
> emergency'. These are printed on a screen and that is it.
> 2. We make sure that people have 2 additional devices attached
> before OTP is 'enabled'.
>
> Otherwise this is going to end in tears even before we tried to get
> 'FIDO2' set up.
>
Do people lose their tokens more often than forget their passwords?
How do we deal with a forgotten password now
<https://accounts.fedoraproject.org/forgot-password/ask>?
Do we have to strengthen an authentication reset with the advent of
tokens?

I'm asking because to me it seems that the problem as you painted it
is not about having a token but about resetting authentication
credentials. Shouldn't we instead start with strengthening the
credentials reset even for password-only authentication? I.e.
disallowing the reset. Or enabling having multiple passwords.

-- Petr
The security is only as strong as the weakest link. Often times this is
the password or the password reset password. For example, 2FA via SMS
is deprecated, yet some websites allow you to fall back to SMS if you do
not have TOTP available. This is more convenient for users, but
horribly insecure (an attacker can just fall back to the more insecure
option since it's available). The most secure option is to ONLY allow
TOTP, for example, and once it's enabled, lock the user out if they
lose access to their device. Typically companies will verify a user's
identity if they need to reset their 2FA (technically insecure due to
social engineering attacks, which is a problem as of recent). Given
that Fedora is a community project, it may be more feasible to verify
someone's identity than some random corporate support desk, but still
susceptible to social engineering.

Anyway, users are always going to forget their passwords, lose their
devices and want an easy way back in, but making the security weak to
accommodate this just trains bad behaviors I think.
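As an added illustration of the two mechanisms discussed in this thread (single-use emergency codes printed once, and refusing to fall back to a weaker second factor), here is example code that is not from the thread or from Fedora's account system; the factor ranking and the code format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed strength ordering of second factors; a higher rank is stronger.
# "sms" is ranked lowest, matching the thread's point that SMS fallback
# lets an attacker pick the weakest enrolled option.
FACTOR_RANK = {"sms": 0, "totp": 1, "hotp_token": 1, "fido2": 2}


def fallback_allowed(enrolled, requested):
    """Allow `requested` only if it is at least as strong as the strongest
    factor the user has enrolled, so no downgrade path exists."""
    if requested not in enrolled:
        return False
    strongest = max(FACTOR_RANK[f] for f in enrolled)
    return FACTOR_RANK[requested] >= strongest


def _normalize(code):
    # Accept "abcde-fghij", "ABCDEFGHIJ", with stray whitespace.
    return code.strip().lower().replace("-", "")


class RecoveryCodes:
    """Emergency codes: shown once in plaintext, stored only as hashes,
    each usable exactly once."""

    def __init__(self, count=5):
        # 10 hex chars per code, formatted as xxxxx-xxxxx for display.
        self.plaintext = []
        self._hashes = []
        for _ in range(count):
            raw = secrets.token_hex(5)
            self.plaintext.append(f"{raw[:5]}-{raw[5:]}")
            self._hashes.append(hashlib.sha256(raw.encode()).hexdigest())

    def remaining(self):
        return len(self._hashes)

    def redeem(self, code):
        """Return True and consume the code on a match; False otherwise.
        Compares every stored hash in constant time."""
        digest = hashlib.sha256(_normalize(code).encode()).hexdigest()
        matched = None
        for h in self._hashes:
            if hmac.compare_digest(h, digest):
                matched = h
        if matched is None:
            return False
        self._hashes.remove(matched)
        return True
```

After `RecoveryCodes()` is created, `plaintext` is the one-time display to the user and should not be retained server-side.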