Re: Preventing account takeovers through expired domains
On 22/02/2022 12:33, Daniel P. Berrangé wrote:
Given that the accounts system already supports these OTPs, what
is the reason for not mandating this OTP based 2FA for*all*
contributors today, as oppposed to merely infra people ?
I like it, but many Fedora contributors won't be happy. Google said that
only 10% of their users use OTP.
We need to fix Fedora's OTP implementation first. Sending password+CODE
is the worst idea, I ever seen. You can't even use a password manager to
auto-enter it.
My suggestions:
1. Change password entry dialog on id.fedoraproject.org with
accounts.fedoraproject.org version (with a separate OTP field).
2. Kinit should ask for password and OTP code in different prompts
(check how it works with SSH + OTP plugin).
--
Sincerely,
Vitaly Zaitsev (vitaly(a)easycoding.org)