On Wed, Feb 23, 2022 at 10:33:16AM +0100, Vitaly Zaitsev via devel wrote:
On 22/02/2022 12:33, Daniel P. Berrangé wrote:
> Given that the accounts system already supports these OTPs, what
> is the reason for not mandating this OTP based 2FA for*all*
> contributors today, as oppposed to merely infra people ?
I like it, but many Fedora contributors won't be happy. Google said that
only 10% of their users use OTP.
We need to fix Fedora's OTP implementation first. Sending password+CODE is
the worst idea, I ever seen. You can't even use a password manager to
auto-enter it.
My suggestions:
1. Change password entry dialog on
id.fedoraproject.org with
accounts.fedoraproject.org version (with a separate OTP field).
We have this change already done, but are waiting for a upstream ipsilon
release.
2. Kinit should ask for password and OTP code in different prompts
(check
how it works with SSH + OTP plugin).
This is being worked on by IPA folks.
kevin