On Mon, Jun 22, 2026 at 04:32:20PM +0000, Gary Buhrmaster wrote: > On Mon, Jun 22, 2026 at 3:43 PM Daniel P. Berrangé <[email protected]> > wrote: > > > > > IMHO emailing admins is a process of last resort. You definitely need > > that to be possible, but you don't want users to have to use it as the > > primary process. > > > > When I talk of recovery tokens, I mean a system that is "self service" > > that does not create a burden / bottleneck on our admins long term. > > I think that is a great goal, but how often does the > need to recover a token actually happen?[0] Sure, > we only have a small number of people with 2FA > today, but the raw number of recovery incidents > should be helpful to know (and can be improperly > extrapolated to estimate the future load on > the admins).
So far this year there have been 15 requests. On Mon, Jun 22, 2026 at 04:52:23PM +0000, Zbigniew Jędrzejewski-Szmek wrote: > > That is a good question. Let's say we have 10 reset requests per > year. Designing, implementing, and perfecting the system to do this > seems completely overkill. > > Also, going through releng might be good for security. Note that this goes via infrastructure, but sure... I think some kind of recovery codes would be nice, but that entire thing would need to be implemented. kevin -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
