Bernd Zeimetz <be...@bzed.de> writes:
> On 4/25/20 10:05 PM, IOhannes m zmölnig (Debian/GNU) wrote:
>> On 4/25/20 8:34 PM, Bernd Zeimetz wrote:
>>> Hi,
>>>
>>> https://docs.gitlab.com/ee/security/two_factor_authentication.html
>>>
>>> Enforce that (if Salsa is doing that in the meantime, ignore me).
>>
>> i hope you don't suggest to enforce 2FA system-wide for all users of salsa.
>> i read your original mail as a requirement to enforce 2FA for users who
>> want to use salsa as an authentication provider for their own
>> applications (which is fine with me)
>
>
> Actually I think 2FA should be enforced for everybody.
> Even debian.org related passwords might get lost.

Right, but what's the threat model here? For some of us, losing the
Salsa password is essentially only possible if we have had our PGP
dongle or offline private key backup compromised. In this case, the
attacker can sign uploads to the archive anyway, which is arguably more
serious than a compromised Salsa account.

--
Gard