On 6/24/24 10:27 AM, Michael J Gruber wrote:
Guinevere Larsen venit, vidit, dixit 2024-06-24 13:53:37:
On 6/24/24 5:08 AM, Miroslav Suchý wrote:
Dne 24. 06. 24 v 9:48 dop. Mattia Verga via devel napsal(a):
IMO, having the token stored in your password manager means going
from 2FA to 1FA effectively ;-) if someone gets access to your
password manager vault, all accounts will be compromised.
Only if you use the same password manager for both: password and OTP.
It still makes it 1FA. If all you need to get the OTP is know which
password managers the user uses, and what is the password for that
passowrd manager, OTP goes from being a "something you have" type of
authentication factor, to a "something you know" authentication factor,
which is the same factor as the password. Multi factor authentication is
not about steps, is about what you need to complete the authentication
challenge (something you know, something you have, or something you are).
Sure, and the "something you have" is access to the OTP device which in
this case is the (token stored in the ) password manager's database.
if you can count "something you have" like "having access to a
database", then I have access to the knowledge of my password and it is
still just 1FA. In fact, I also have my thumb, so fingerprint is also
"something I have" and there is only one true true authentication method
going by this definition.
That's not how security factors work. Something you have must be a
physical thing. that's why you're supposed to put your OTP 2FA generator
on a different device from where you access the things you access.
The password or passphrase which unlocks the password manager is nothing
which you could provide as a "factor".
Or else, all cloneable OTP apps would need to be disallowed as 2nd
factors, and only physical tokens should count.
Well... yes. If we go by the strictest definition of a physical
authentication factor, if you can clone the physical thing without
having physical access to it, you're in trouble. That's why you
shouldn't save your private SSH/GPG keys in any old cloud out there for
instance. if you have a backup, it should be one that's physically
accessible to you and only you at all times.
Now, as Stephen mentioned, compromises are made because security has to
work in real life. Backups are more important than ideal security, but
people should be aware of when they are deliberately breaking designed
security for the convenience, and IMO, adding OTP generation to a cloud
database accessible on any device is way beyond a reasonable compromise
to use 2FA. You're as free to think it isn't too far for you as you are
free to use "Password1" for any online account.
--
Cheers,
Guinevere Larsen
She/Her/Hers
Michael
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
