On Mon, Jun 22, 2026, at 11:43, Daniel P. Berrangé wrote: > On Mon, Jun 22, 2026 at 03:25:58PM +0000, Zbigniew Jędrzejewski-Szmek wrote: >> On Mon, Jun 22, 2026 at 03:06:13PM +0100, Daniel P. Berrangé wrote: >> > > - Indeed if you loose all access to all your otps, you currently have to >> > > manually email us and do something to prove your are you in order for >> > > us to clear them. This can be any of: gpg signed emails, ssh access, >> > > external verify if we have access to it/trust it, etc. Whatever is >> > > available and trustworthy. That said, I would urge everyone with an >> > > otp enrolled to... enroll at least one backup one. If you have access >> > > to ANY otp enrolled in your account you can remove the one you no >> > > longer have access to, update things/login, etc. The recovery process >> > > only needs to happen if you have lost access to every otp attached to >> > > your account. >> > >> > I don't suppose there's a low effort way to introduce a "recovery tokens" >> > feature for 2FA ? >> >> I think our "recovery token" stratgy is what Kevin wrote above, i.e. >> a second and third 2FA devices. > > IMHO emailing admins is a process of last resort. You definitely need > that to be possible, but you don't want users to have to use it as the > primary process. > > When I talk of recovery tokens, I mean a system that is "self service" > that does not create a burden / bottleneck on our admins long term. >
A problem in the past of making this self-service was that all of the methods which were 'easy' to implement were also 'easy' to game into a takeover without much work. Since we were putting this in place for `sysadmin-main` and possibly for `proven-packagers` this meant the easy self-service would allow for complete project compromise.. Trying to make it harder ended up with a larger amount of work no one had a remit to prioritize. Even a harder 'you can normally reset using your email.' for anyone outside of say an important group or two requires a lot of backend work which may still need to be done. I think the estimate was 1 to 2 years of time to get it in place if it were prioritized (taking into account the normal 'yeah I know its a priority, but X is broken and we need it for Y NOW.') However again, this is now years out of date and faint memories.. so I would take anything Kevin and others at a much higher 'reality'. -- Stephen J Smoogen. Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
