Guinevere Larsen venit, vidit, dixit 2024-06-24 13:53:37: > On 6/24/24 5:08 AM, Miroslav Suchý wrote: > > Dne 24. 06. 24 v 9:48 dop. Mattia Verga via devel napsal(a): > >> IMO, having the token stored in your password manager means going > >> from 2FA to 1FA effectively ;-) if someone gets access to your > >> password manager vault, all accounts will be compromised. > > > > Only if you use the same password manager for both: password and OTP. > > > It still makes it 1FA. If all you need to get the OTP is know which > password managers the user uses, and what is the password for that > passowrd manager, OTP goes from being a "something you have" type of > authentication factor, to a "something you know" authentication factor, > which is the same factor as the password. Multi factor authentication is > not about steps, is about what you need to complete the authentication > challenge (something you know, something you have, or something you are).
Sure, and the "something you have" is access to the OTP device which in this case is the (token stored in the ) password manager's database. The password or passphrase which unlocks the password manager is nothing which you could provide as a "factor". Or else, all cloneable OTP apps would need to be disallowed as 2nd factors, and only physical tokens should count. Michael -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
