Marius Schwarz venit, vidit, dixit 2026-06-19 11:28:19:
> Am 19.06.26 um 09:50 schrieb Petr Pisar:
> > OTP with a seed stored on the computer is still an OTP and it does not 
> > differ
> > from a private SSH key stored on the computer.
> >
> > If the policy wants to deliver that OTP is stronger than an SSH key, then 
> > the
> > policy should mandate the OTP seed to be stored off the computer (in legal
> > speak: "off the device you access Fedora Project services from").
> >
> 
> You are absolutly right about using at least two different devices for a 
> 2FA, as one device holding 2 factors or more, is just 1 factor of safety 
> in reality.
> 
> If there is a problem, it will be the practical workflow, if the second 
> device is not a phone you have in reach anyway.

It's correct, and I completely agree with you/

That being said: When 2FA became mandatory for some banks (PSD/2), they
declared not even that two factors on the same device would be OK, but
also two factors provided by the same app "as long as the memory is
separated".

That does not make an incorrect solution correct. But sometimes perfect
is the enemy of good, and maybe starting with "[somewhat] good [enough]"
is the path to "better", if not perfection.

Cheers
Michael
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to