On 2/21/22 14:16, Vitaly Zaitsev via devel wrote:
> On 21/02/2022 19:25, Demi Marie Obenour wrote:
> > FIDO keys are significantly more secure than OTPs, and FAS should get
> > support for them. OTPs are still phishable, whereas FIDO2 generally
> > isn’t.
> OTP is absolutely free. FIDO2 requires the purchase of a special
> hardware token.
One must remember that anyone in the packagers group can (with a
modicum of effort) get code execution on a huge number of machines,
and is thus an incredibly attractive target for phishing attacks.
Developing a roadmap to encourage, and eventually require, the use of
hardware authenticators to submit packages is a reasonable precaution
in this threat environment. A hardware authenticator could be a FIDO2
token, smart card, etc.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
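The point quoted above (an OTP code can be relayed by a phishing page, a FIDO2 assertion generally cannot) comes down to what the authenticator signs. As an added example that is not part of the thread, the following shows the binding checks a relying party performs on a WebAuthn assertion before even looking at the signature; the rpId, origin and challenge values are constructed, and the authenticator data is hand-built rather than produced by a real token.

```python
"""Minimal WebAuthn assertion binding checks (added example, constructed values).

The authenticator signs  SHA-256(rpId) || flags || signCount || SHA-256(clientDataJSON).
The browser, not the web page, fills in clientDataJSON.origin and only releases
credentials scoped to the page's own rpId, so a lookalike domain cannot obtain an
assertion that passes these checks. A six-digit OTP carries no such binding.
"""
import hashlib
import json
import struct

RP_ID = "accounts.example.org"                 # constructed relying-party ID
EXPECTED_ORIGIN = "https://accounts.example.org"
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"    # constructed; random per login in practice


def authenticator_data(rp_id: str, counter: int, user_present: bool = True) -> bytes:
    """Build the fixed 37-byte prefix: rpIdHash (32) || flags (1) || signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def client_data(origin: str, challenge: str = CHALLENGE) -> bytes:
    """clientDataJSON as the browser constructs it for the page's real origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def verify_assertion_binding(auth_data: bytes, client_data_json: bytes,
                             expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks that precede signature verification. Returns (ok, reason)."""
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"            # credential scoped to another site
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    return True, "binding checks passed"
```

A genuine assertion passes; one produced on a lookalike origin fails on the rpId hash and, if the rpId were somehow right, on the browser-supplied origin.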