On Thu, Jun 18, 2026 at 02:01:00PM -0700, Kevin Fenzi wrote: > So, we can surely change the requirement to be MUST (and we probibly > should), but there's a bunch of corner cases and things to note:
snip > - We don't have any way that I know of to tell ipa that otp is required > for specific groups. We can look and remove people who don't follow > the policy however. In the case of provenpackagers we add them rarely > these days, and it's almost always me that does it, so we could just > check before adding new users. For packager it might be more difficult > since sponsors may not have a way to check, but we could check after > the fact via script or something. Could this be a reason for mandating 2FA for /all/ accounts rather than selectively based on groups. I presume we would still need work though to put up an enforcement flow upon login, to block further account use until 2FA is enabled. ie allow access to accounts.fedoraproject.org preferences page, but not grant access to any other service. > - Indeed if you loose all access to all your otps, you currently have to > manually email us and do something to prove your are you in order for > us to clear them. This can be any of: gpg signed emails, ssh access, > external verify if we have access to it/trust it, etc. Whatever is > available and trustworthy. That said, I would urge everyone with an > otp enrolled to... enroll at least one backup one. If you have access > to ANY otp enrolled in your account you can remove the one you no > longer have access to, update things/login, etc. The recovery process > only needs to happen if you have lost access to every otp attached to > your account. I don't suppose there's a low effort way to introduce a "recovery tokens" feature for 2FA ? With regards, Daniel -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :| -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
