On Mon, Jun 22, 2026 at 03:06:13PM +0100, Daniel P. Berrangé wrote: > On Thu, Jun 18, 2026 at 02:01:00PM -0700, Kevin Fenzi wrote: > > So, we can surely change the requirement to be MUST (and we probibly > > should), but there's a bunch of corner cases and things to note: > > snip > > > - We don't have any way that I know of to tell ipa that otp is required > > for specific groups. We can look and remove people who don't follow > > the policy however. In the case of provenpackagers we add them rarely > > these days, and it's almost always me that does it, so we could just > > check before adding new users. For packager it might be more difficult > > since sponsors may not have a way to check, but we could check after > > the fact via script or something. > > Could this be a reason for mandating 2FA for /all/ accounts rather > than selectively based on groups. > > I presume we would still need work though to put up an enforcement > flow upon login, to block further account use until 2FA is enabled. > ie allow access to accounts.fedoraproject.org preferences page, but > not grant access to any other service.
Sure, thats something we could do. I suspect it would really annoy a lot of people who only have fedora accounts to login to discussions/matrix/copr, etc. If we can't even decide to do it for packaging groups, expanding it to everything as a first cut seems unwise to me. > I don't suppose there's a low effort way to introduce a "recovery tokens" > feature for 2FA ? Not that I am aware of. kevin -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
