On Tue, 2022-09-06 at 16:47 +0000, Tommy Nguyen wrote:
> On Tue, 2022-09-06 at 18:18 +0200, Vitaly Zaitsev via devel wrote:
> > On 06/09/2022 17:00, Gary Buhrmaster wrote:
> > > mobile device
> > 
> > Requires proprietary Google services.
> > 
> > > computer
> > 
> > Requires proprietary TPM 2.0 chip.
> 
> Hi,
> 
> Neither of these is true. For example, I use Raivo on my iOS device
> which isn't proprietary.
> 
> It seems that your concerns regarding 2FA are based on a number of
> misconceptions.
> 
> 1. That it will cost money
> 
> You can generate TOTP codes using password generators, desktop apps, or
> even by hand in the command line. It's a simple algorithm that doesn't
> even require an Internet connection. However, in order for it to truly
> be 2FA, it should be on a separate device (i.e., your phone) though
> generating it on the desktop is what people do if they have no external
> device.
> 
> 2. That the algorithm will pose problems in other countries
> 
> I'm aware of ITAR and munitions exports, but I'm not convinced SHA1 and
> HMAC pose as much of a problem as you say they do, even in
> Russia/China.
> 
> 3. That it requires specialized hardware
> 
> Again, not true. See part 1. TOTP should work on any device regardless
> of the underlying hardware so long as it supports basic cryptographic
> primitives.

This section of the thread seems to be moving rather at cross-purposes.
This was mcatanzaro's original proposal:

"In the long run, we should be moving to require WebAuthn for all
Fedora authentication-related purposes, since it's unphishable. Last
year I entered my GitHub password into a phishing page that was
proxying the real GitHub... if the evil page had gone to just slightly
more effort, it could have easily intercepted a simple TOTP/HOTP
challenge. This is not possible with WebAuthn, which I would say
actually is pretty much equivalent to a security magic bullet."

i.e. it was specifically about moving away from allowing "simple
TOTP/HOTP" 2FA, as it is phishable, and requiring webauthn, of which
Vitaly's points are I believe accurate.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue