On Mon, Jun 22, 2026, at 11:43, Daniel P. Berrangé wrote:
> On Mon, Jun 22, 2026 at 03:25:58PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
>> On Mon, Jun 22, 2026 at 03:06:13PM +0100, Daniel P. Berrangé wrote:
>> > > - Indeed if you loose all access to all your otps, you currently have to
>> > >   manually email us and do something to prove your are you in order for
>> > >   us to clear them. This can be any of: gpg signed emails, ssh access, 
>> > >   external verify if we have access to it/trust it, etc. Whatever is 
>> > >   available and trustworthy. That said, I would urge everyone with an 
>> > >   otp enrolled to... enroll at least one backup one. If you have access
>> > >   to ANY otp enrolled in your account you can remove the one you no
>> > >   longer have access to, update things/login, etc. The recovery process
>> > >   only needs to happen if you have lost access to every otp attached to 
>> > >   your account.
>> > 
>> > I don't suppose there's a low effort way to introduce a "recovery tokens"
>> > feature for 2FA ?
>> 
>> I think our "recovery token" stratgy is what Kevin wrote above, i.e.
>> a second and third 2FA devices.
>
> IMHO emailing admins is a process of last resort. You definitely need
> that to be possible, but you don't want users to have to use it as the
> primary process.
>
> When I talk of recovery tokens, I mean a system that is "self service"
> that does not create a burden / bottleneck on our admins long term.
>

A problem in the past of making this self-service was that all of the methods 
which were 'easy' to implement were also 'easy' to game into a takeover without 
much work. Since we were putting this in place for `sysadmin-main` and possibly 
for `proven-packagers` this meant the easy self-service would allow for 
complete project compromise.. Trying to make it harder ended up with a larger 
amount of work no one had a remit to prioritize. 

Even a harder 'you can normally reset using your email.' for anyone outside of 
say an important group or two requires a lot of backend work which may still 
need to be done. I think the estimate was 1 to 2 years of time to get it in 
place if it were prioritized (taking into account the normal 'yeah I know its a 
priority, but X is broken and we need it for Y NOW.') However again, this is 
now years out of date and faint memories.. so I would take anything Kevin and 
others at a much higher 'reality'.

-- 
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard battle. -- 
Ian MacClaren
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to