On 6/19/26 7:26 AM, Vitaly Zaitsev via devel wrote:
On 19/06/2026 09:50, Petr Pisar wrote:
If the policy wants to deliver that OTP is stronger than an SSH key,
then the
policy should mandate the OTP seed to be stored off the computer (in
legal
speak: "off the device you access Fedora Project services from").
When a service I rarely use requires a one-time password (OTP), I add it
using KeePassXC and store its secret key in the same database along with
the password. I use TOTP on a separate device only for my primary email
and a few important accounts.
Does this increase security? I don't think so.
Can we please stop repeating speculation about if requiring a second
factor does or does not increase security, or whether holding a second
factor on the same device as the first is a true second factor. Let's
not let perfect be the enemy of better.
Adam summed it up better than I could already[0]:
"2FA still defeats plenty of vectors in that scenario. Shoulder surfing
/ video capture, keyloggers, reused password compromised on some other
system - in all of those cases, the second factor triumphs, *even if
the user stores it in the very same place as the 'compromised'
password*. Because that place wasn't compromised."
0 -
https://lists.fedoraproject.org/archives/list/[email protected]/message/FOWEMKKRCK5NWZYHHUWIKOGSQBWVS356/
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new