On Thu, Jun 11, 2026 at 6:37 PM Simo Sorce <[email protected]> wrote:

> Except that there are people store their password *and* their sw
> generated 2FA token in the same db/application making all of this
> somewhat moot...

Of course they do, which is why something like
FIDO2 with onboard presence (touch) and
fingerprint validation (part of the touch, but
additional requirements), combined with a
pin can mitigate against such (as you actually
have three factors, something you have (the
key and/or your device which has the FIDO2
key included), something you are (the
fingerprint), and something you know (the
pin).  The authenticating party can specify
which level of authentication is required
(so some are fine with just the touch).

Does that mean that someone will not create
a software based fido2 key that fakes all
the responses to "authed" to make things
convenient for themselves?  Of course
not, but people doing such are just as
likely to have their password be password
(it is easy to remember), and I would claim
that most Fedora contributors want to do
the right thing, if it is not especially
troublesome to do so.

Unfortunately, Linux does not have
(and will not have) a secure FIDO2
solution baked into the OS that Windows
and macOS (and Android and iOS) has,
so external keys are going to probably
continue to be the primary way that Linux
desktop would use such (which is less
convenient).

In any case, until noggin is improved,
FIDO2 is not a valid solution for FAS.
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to