On Thu, 2026-06-11 at 14:37 -0400, Simo Sorce wrote:
> On Thu, 2026-06-11 at 08:34 -0700, Adam Williamson wrote:
> > Maybe we should make people use 2FA anyway. For two reasons:
> 
> Except that there are people store their password *and* their sw
> generated 2FA token in the same db/application making all of this
> somewhat moot...
> 
> sadly whenever you improve security you find someone that self-defeats
> it better.

2FA still defeats plenty of vectors in that scenario. Shoulder surfing
/ video capture, keyloggers, reused password compromised on some other
system - in all of those cases, the second factor triumphs, *even if
the user stores it in the very same place as the 'compromised'
password*. Because that place wasn't compromised.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected]
https://www.happyassassin.net



-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to