Am 19.06.26 um 09:50 schrieb Petr Pisar:
OTP with a seed stored on the computer is still an OTP and it does not differ from a private SSH key stored on the computer.If the policy wants to deliver that OTP is stronger than an SSH key, then the policy should mandate the OTP seed to be stored off the computer (in legal speak: "off the device you access Fedora Project services from").
You are absolutly right about using at least two different devices for a 2FA, as one device holding 2 factors or more, is just 1 factor of safety in reality.
If there is a problem, it will be the practical workflow, if the second device is not a phone you have in reach anyway.
best regards, Marius Schwarz
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
