On 2/21/22 14:16, Vitaly Zaitsev via devel wrote: > On 21/02/2022 19:25, Demi Marie Obenour wrote: >> FIDO keys are significantly more secure than OTPs, and FAS should get >> support for them. OTPs are still phishable, whereas FIDO2 generally >> isn’t. > > OTP is absolutely free. FIDO2 requires the purchase of a special > hardware token.
One must remember that anyone in the packagers group can (with a modicum of effort) get code execution on a huge number of machines, and is thus an incredibly attractive target for phishing attacks. Developing a roadmap to encourage, and eventually require, the use of hardware authenticators to submit packages is a reasonable precaution in this threat environment. A hardware authenticator could be a FIDO2 token, smart card, etc. -- Sincerely, Demi Marie Obenour (she/her/hers)
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
