On Thu, Jun 11, 2026 at 6:37 PM Simo Sorce <[email protected]> wrote:
> Except that there are people store their password *and* their sw > generated 2FA token in the same db/application making all of this > somewhat moot... Of course they do, which is why something like FIDO2 with onboard presence (touch) and fingerprint validation (part of the touch, but additional requirements), combined with a pin can mitigate against such (as you actually have three factors, something you have (the key and/or your device which has the FIDO2 key included), something you are (the fingerprint), and something you know (the pin). The authenticating party can specify which level of authentication is required (so some are fine with just the touch). Does that mean that someone will not create a software based fido2 key that fakes all the responses to "authed" to make things convenient for themselves? Of course not, but people doing such are just as likely to have their password be password (it is easy to remember), and I would claim that most Fedora contributors want to do the right thing, if it is not especially troublesome to do so. Unfortunately, Linux does not have (and will not have) a secure FIDO2 solution baked into the OS that Windows and macOS (and Android and iOS) has, so external keys are going to probably continue to be the primary way that Linux desktop would use such (which is less convenient). In any case, until noggin is improved, FIDO2 is not a valid solution for FAS. -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
