On Fri, Mar 26, 2021 at 09:34:49PM +0100, Tomasz Torcz wrote:
> Dnia Fri, Mar 26, 2021 at 03:26:53PM -0500, Brandon Nielsen napisał(a):
> > On 3/26/21 3:24 PM, Matthew Miller wrote:
> > > On Fri, Mar 26, 2021 at 02:48:39PM -0400, Christopher wrote:
> > [Snip]
> > > > * In many places, including accounts.fedoraproject.org, in order to
> > > > log in, you have to append the OTP to your password, so it doesn't
> > > > really play nice with password managers.
> > >
> > > This is pretty common in my experience; it seems like password managers
> > > should support this pattern.
> > >
> >
> > I can't say I have ever appended an OTP to a regular password, and I use 2FA
> > everywhere I can.
>
> I second that. I've only seen OTP appending on FreeIPA's
> implementation of 2FA. Everywhere else it's first a normal password
> prompt, then second for 2FA code (or push notification to phone, which
> is way easier for user).
Notification via sms is... not too secure. ;(
Not counting the insecurity.. it was also expensive to run. Each send cost money and the software to do so was not opensource when we looked at it a while ago.