On Sun, Mar 31, 2024 at 07:42:24AM -0400, Neal Gompa wrote:
> At this point, I'm used to MFA for stuff (and I use a password manager
> that handles 2FA OTPs too), but the Fedora implementation of MFA is
> uniquely bad because we have to do a lot in the terminal, and our MFA
> implementation sucks for terminal usage.
>
> If MFA is turned on:
>
> 1. The Fedora account integration in GNOME breaks

To clarify, goa cannot get a new token for you, but once you have gotten
one with your otp, it will renew it for you until its renewal time is
over.

> 2. You need to concatenate password and OTP for getting a krb5
> session ticket

Yep. I think this is being worked on...

> 3. The recovery mechanism involves GPG signed emails

Yep. Or... you can enroll multiple otps. You only need one to be
working. You can enroll more and keep backup ones.

> The experience using 2FA for Fedora accounts is sufficiently
> unpleasant that I really don't want to use it.

:(
kevin