On Fri, Mar 26, 2021 at 01:47:08PM -0700, Kevin Fenzi wrote:
> On Fri, Mar 26, 2021 at 09:34:49PM +0100, Tomasz Torcz wrote:
> > On Fri, Mar 26, 2021 at 03:26:53PM -0500, Brandon Nielsen wrote:
> > > On 3/26/21 3:24 PM, Matthew Miller wrote:
> > > > On Fri, Mar 26, 2021 at 02:48:39PM -0400, Christopher wrote:
> > > [Snip]
> > > > > * In many places, including accounts.fedoraproject.org, in order to
> > > > > log in, you have to append the OTP to your password, so it doesn't
> > > > > really play nice with password managers.
> > > > 
> > > > This is pretty common in my experience; it seems like password managers
> > > > should support this pattern.
> > > > 
> > > 
> > > I can't say I have ever appended an OTP to a regular password, and I use
> > > 2FA everywhere I can.
> > 
> >   I second that. I've only seen OTP appending on FreeIPA's
> > implementation of 2FA. Everywhere else it's first a normal password
> > prompt, then second for 2FA code (or push notification to phone, which
> > is way easier for user).
> 
> Notification via sms is... not too secure. ;( 
> https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber

  I didn't write SMS. SMS is terrible, it's the worst 2F channel nowadays.
I meant push notification, when the message is sent through a secure channel
to your smartphone and you get a popup asking for authorization.
At least:

- Google does that:
https://s3.amazonaws.com/neowin/news/images/uploaded/2017/07/1500141361_google_mobile_prompt.jpg

- Microsoft Suite (Teams, Outlook) on my corporate accounts:
https://techcommunity.microsoft.com/t5/image/serverpage/image-id/46536iDD69C684B52CC495

- My banking app (for login and transfer authorizations)
https://android.com.pl/apps/wp-content/uploads/2020/03/alior.jpg.webp

  This seems to be the easiest and most secure 2FA, but requires cooperation
with the Android framework.  Next in line are FIDO/Yubikeys, and OTP codes.

-- 
Tomasz Torcz                Only gods can safely risk perfection,
to...@pipebreaker.pl     it's a dangerous thing for a man.  — Alia