On Wed, 2022-09-14 at 10:25 -0500, Michael Catanzaro wrote:
> 
> On Wed, Sep 14 2022 at 06:58:12 AM +0000, Tommy Nguyen 
> <remya...@gmail.com> wrote:
> > I'm not entirely convinced. See this paper:
> > https://eprint.iacr.org/2020/1298.pdf
> 
> I only read the abstract of this paper, but looks like the researchers 
> have found that FIDO is indeed unphishable. Seems their attack relies 
> on websites allowing downgrade to weaker forms of 2FA.

Yup. The thrust of the paper is: in the real world FIDO2 is usually
deployed alongside older/weaker forms of 2FA, so an attacker can
pretend to the victim that FIDO auth didn't work and convince them to
try a weaker method instead, then phish that.

Which is a reasonable point, but not necessarily relevant to us. We
*could* require only strong auth and not have weaker fallback methods.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
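A server-side policy for the "only strong auth, no weaker fallback" option Adam mentions, written as an added example for this thread (not code from the thread or from Fedora's infrastructure); the method names, the Account record and the strength ranking are assumptions:

```python
from dataclasses import dataclass, field

# Assumed second-factor methods with a strength rank, strongest first.
# FIDO2 is phishing-resistant; TOTP and SMS codes can be relayed by a phisher.
STRENGTH = {"fido2": 3, "totp": 2, "sms": 1}


@dataclass
class Account:
    """Constructed account record: which second factors the user has enrolled."""
    name: str
    enrolled: set = field(default_factory=set)


def allowed_methods(account: Account, allow_fallback: bool) -> set:
    """Methods the server will accept for this account's second factor.

    With allow_fallback=False, an account that has enrolled a FIDO2
    credential is held to FIDO2 only: weaker methods are never offered,
    so a "FIDO didn't work, try a code instead" story has nothing to use.
    """
    if not allow_fallback and "fido2" in account.enrolled:
        return {"fido2"}
    return set(account.enrolled)


def authorize(account: Account, requested: str, allow_fallback: bool) -> tuple:
    """Decide whether a requested second-factor method may be used.

    Returns (ok, reason). A refused request for a weaker method from a
    FIDO2-enrolled account is labelled as a possible downgrade attempt
    so the login service can log and alert on it.
    """
    if requested not in STRENGTH:
        return False, "unknown method"
    if requested not in account.enrolled:
        return False, "method not enrolled"
    if requested in allowed_methods(account, allow_fallback):
        return True, "ok"
    return False, "downgrade refused: possible phishing/downgrade attempt"
```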
