On Thu, 2026-06-11 at 14:37 -0400, Simo Sorce wrote: > On Thu, 2026-06-11 at 08:34 -0700, Adam Williamson wrote: > > Maybe we should make people use 2FA anyway. For two reasons: > > Except that there are people store their password *and* their sw > generated 2FA token in the same db/application making all of this > somewhat moot... > > sadly whenever you improve security you find someone that self-defeats > it better.
2FA still defeats plenty of vectors in that scenario. Shoulder surfing / video capture, keyloggers, reused password compromised on some other system - in all of those cases, the second factor triumphs, *even if the user stores it in the very same place as the 'compromised' password*. Because that place wasn't compromised. -- Adam Williamson (he/him/his) Fedora QA Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected] https://www.happyassassin.net -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
