Thomas Goirand wrote on 26/04/2020:
> On 4/25/20 11:14 PM, Bernd Zeimetz wrote:
>> Actually I think 2FA should be enforced for everybody.
>> Even debian.org related passwords might get lost.
>
> I use a strong password, stored with keepassxc, with the password db
> encrypted using the HMAC of my yubikey. In what way is this not safe
> enough already? 2FA will add nothing in my case, just more annoyance.
It's still one static shared secret you need to enter every time. If it gets stolen, because your browser or your computer is compromised, or in a MITM attack where the attacker gained access to a valid certificate for salsa.debian.org [1,2], your account is gone. It gets much, much more difficult with 2FA.

The amount of annoyance added by the GitLab 2FA is extremely limited, and it implements *the* standard for web 2FA (webauthn). Personally I'd like to see it required to get the DD status on salsa, or at least for the whole Debian team.

In general, we are switching from the cumbersome client certificate approach of sso.debian.org to plain passwords. This doesn't sound right to me. I think that, with the tools we already have, 2FA is as near as we can get to the sweet spot of usability vs. security.

Paride

[1] https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise
[2] https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack, mostly to say that state-backed attacks on the CA trust model do exist.
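The difference Paride describes between a captured password (reusable anywhere, forever) and a captured WebAuthn response, shown as an added example that is not part of this thread or of GitLab's code. It simulates the server-side checks a relying party performs on the clientDataJSON and authenticatorData of an assertion: the response is bound to one fresh challenge and to the origin the browser recorded, so a copy cannot be replayed for a later login or produced from a look-alike site. The authenticator stand-in, the look-alike domain and the omitted signature step are assumptions of the example.

```python
# Added example: why a WebAuthn assertion is bound to one challenge and one
# origin, unlike a static password. Signature verification is omitted; the
# binding checks that precede it are the point (assumption of this example).
import base64, hashlib, json, os

RP_ID = "salsa.debian.org"            # relying party named in the thread
ORIGIN = "https://salsa.debian.org"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def simulated_authenticator(rp_id: str, origin: str, challenge: bytes):
    """Constructed stand-in for browser + security key. The browser, not the
    page, writes `origin` into clientDataJSON; the key hashes the rpId."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = SHA-256(rpId) | flags (0x05 = UP|UV) | signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return client_data, auth_data

def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: bytes) -> bool:
    """Relying-party checks a server runs before verifying the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(expected_challenge):   # single use
        return False
    if cd.get("origin") != ORIGIN:            # phishing / look-alike site
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if not auth_data[32] & 0x01:              # user presence flag
        return False
    return True

def demo():
    challenge = os.urandom(32)                # fresh per login attempt
    good = verify_assertion(*simulated_authenticator(RP_ID, ORIGIN, challenge),
                            challenge)
    # Constructed look-alike domain: the browser records that origin instead
    fake = "salsa-debian.example"
    phished = verify_assertion(*simulated_authenticator(fake, "https://" + fake,
                                                        challenge), challenge)
    # Same response presented again against a new server challenge
    replayed = verify_assertion(*simulated_authenticator(RP_ID, ORIGIN, challenge),
                                os.urandom(32))
    return good, phished, replayed            # (True, False, False)
```

A stolen password passes all three situations; the assertion passes only the first, which is the gap 2FA closes in the scenario above.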