Marius Schwarz venit, vidit, dixit 2026-06-19 11:28:19: > Am 19.06.26 um 09:50 schrieb Petr Pisar: > > OTP with a seed stored on the computer is still an OTP and it does not > > differ > > from a private SSH key stored on the computer. > > > > If the policy wants to deliver that OTP is stronger than an SSH key, then > > the > > policy should mandate the OTP seed to be stored off the computer (in legal > > speak: "off the device you access Fedora Project services from"). > > > > You are absolutly right about using at least two different devices for a > 2FA, as one device holding 2 factors or more, is just 1 factor of safety > in reality. > > If there is a problem, it will be the practical workflow, if the second > device is not a phone you have in reach anyway.
It's correct, and I completely agree with you/ That being said: When 2FA became mandatory for some banks (PSD/2), they declared not even that two factors on the same device would be OK, but also two factors provided by the same app "as long as the memory is separated". That does not make an incorrect solution correct. But sometimes perfect is the enemy of good, and maybe starting with "[somewhat] good [enough]" is the path to "better", if not perfection. Cheers Michael -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
