On Wed, Aug 24, 2022 at 09:12:23PM +0100, Marcin Kulisz wrote:
> On 2022-08-23 22:55:27, Ross Vandegrift wrote:
> > On Fri, Aug 12, 2022 at 05:37:33PM +0100, Marcin Kulisz wrote:
> > snip
> >
> > > My take on the latter would be that one of the delegates if we'd have a chair
> > > would be holding MFA to this account and this would be passed along this line to
> > > the next one and it should be an obligation of the chair to do it be.
> > >
> > > I would nominate Ross as the person usually chairing our meetings.
> > >
> > > Any other ideas or suggestions how to do it?
> >
> > Bastian suggested storing it in the password repo [1]. I like that since it
> > supports providing access to multiple people via their gpg keys. I don't quite
> > understand how to use pwstore, but the idea seems simple enough.
>
> From my PoV this is not about passwords but more about MFA which IMO we should
> have on the root account and I don't think that password repo will help in this
> situation.
>
> Even if we're not going to use it at all and all will be done via individual
> accounts we need to take proper measures to secure it and IMO MFA is a basic
> measure to take hence my question still stands: how are we going to do it?

The idea was to treat the OTP secret like another password - it's a string, and
you could use it with e.g. python3-pyotp to get a token. But this does undermine
the "multi-factor" part, and leaves the reset issue that Bastian raised.

Ross
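
Added example, not part of the original message: the RFC 6238 token computation that a library such as python3-pyotp performs, written here with the standard library only, showing that the stored secret string plus a clock is all that is needed to produce a valid token. The key is the constructed RFC 6238 test key, and the holder names and the `codes_for_holders` helper are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, at: int) -> bool:
    """What the verifying side does: recompute from the same secret and compare."""
    return hmac.compare_digest(totp(secret_b32, at), submitted)


# Constructed sample: the RFC 6238 test key, standing in for the string
# that would be stored as an entry in the shared password repo.
SHARED_SECRET = base64.b32encode(b"12345678901234567890").decode()


def codes_for_holders(holders, at):
    """Every person who can decrypt the entry derives the same token.

    Nothing here depends on a device: the token is a pure function of the
    stored string and the time, so access to the repo entry is access to
    the second factor.
    """
    return {name: totp(SHARED_SECRET, at) for name in holders}


if __name__ == "__main__":
    # Hypothetical holders who each hold a gpg key for the repo.
    tokens = codes_for_holders(["delegate-a", "delegate-b"], at=59)
    for name, token in tokens.items():
        print(name, token, verify(SHARED_SECRET, token, at=59))
```
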
