On 6/19/26 7:26 AM, Vitaly Zaitsev via devel wrote:
On 19/06/2026 09:50, Petr Pisar wrote:
If the policy wants to deliver that OTP is stronger than an SSH key, then the policy should mandate the OTP seed to be stored off the computer (in legal
speak: "off the device you access Fedora Project services from").

When a service I rarely use requires a one-time password (OTP), I add it using KeePassXC and store its secret key in the same database along with the password. I use TOTP on a separate device only for my primary email and a few important accounts.

Does this increase security? I don't think so.


Can we please stop repeating speculation about if requiring a second factor does or does not increase security, or whether holding a second factor on the same device as the first is a true second factor. Let's not let perfect be the enemy of better.

Adam summed it up better than I could already[0]:

"2FA still defeats plenty of vectors in that scenario. Shoulder surfing
/ video capture, keyloggers, reused password compromised on some other
system - in all of those cases, the second factor triumphs, *even if
the user stores it in the very same place as the 'compromised'
password*. Because that place wasn't compromised."

0 - https://lists.fedoraproject.org/archives/list/[email protected]/message/FOWEMKKRCK5NWZYHHUWIKOGSQBWVS356/
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to