Re: Fwd: Your account has been deactivated
René J.V. Bertin posted on Mon, 24 Oct 2022 11:02:34 +0200 as excerpted:

>> Forwarded message:
>> Date: Monday October 24 2022
>> From: KDE Invent
>> To: rjvber...@gmail.com
>> Cc:
>> Subject: Your account has been deactivated
>>
>> Hello René J.V. Bertin,
>>
>> Your account has been deactivated. You will not be able to:
>> - Access Git repositories or the API.
>> - Receive any notifications from GitLab.
>> - Use slash commands.
>>
>> To reactivate your account, sign in to GitLab at
>> https://invent.kde.org/.

[insert rant about appropriate mailing-list and newsgroup etiquette quote (trimmed to reply context if necessary) with reply below it in the appropriate context, here. I went to the trouble of fixing it for this reply, but if pressed for time might simply skip the reply instead.]

> This is probably not the most appropriate mailing list for the rant
> below, but here goes:
>
> I can half understand that inactive accounts get deactivated, but on
> logging in and reactivating my account I got a message that I was
> required?! to enable 2-factor auth?
>
> What on earth is the point of that on an _open source_ git server, esp.
> if you use your github credentials to log in?!

"The rest of the story" (tho of necessity incomplete at this point) appears on the kde-core list, which being open (for reading at least, not sure about posting) I'm subscribed to (as a newsgroup, via gmane.io, as I am to this list/group). Because I deal with it as a newsgroup I don't have a direct link to the thread to post, but I imagine it can be found in the kde list web archives if you're interested.

The thread is "Gitlab update, 2FA now mandatory", with the original post by Ben Cooksley (AFAIK the primary kde sysadmin, or perhaps the one tasked with handling mailing-list messaging as he's the one I see posting all the time), with a date header of Sun, 23 Oct 2022 19:32:23 +1300 (which if I didn't reverse the polarity makes it 6:32:23 UTC, FWIW it's showing as late Saturday for me), and it's cross-posted to the kde-core, kde-devel, and kde-community lists/groups (with replies set to community if I'm reading the headers correctly and they've not been too mangled by the conversion to news-post).

Seems the kde sysadmins detected some sort of suspect attempted breakin, the details of which they're not releasing ATM as it's an ongoing attack, and they activated mandatory 2FA for all developer accounts (not just inactive ones) to help tighten up defenses a bit. The thread there doesn't mention deactivating inactive accounts tho it makes sense they'd do that too, but it DOES say ALL developer accounts must activate 2FA now.

That explains the short 2-day grace-period timeframe as well: still operating and with a short grace period as they detected stronger attacks but not a full compromise, but in the interest of /keeping/ it not compromised it's a much shorter grace period than the typical 30-90 day that might be expected were it an entirely planned migration instead of a somewhat forced response to an ongoing but so far apparently unsuccessful attack.

> I hate 2FA as it incites too much to remain logged in (and to be married
> to a mobile if not recent enough smartphone).

Given the alternative of shutting down all access for the moment, and the fact that the reality is they'd likely have to move to it eventually, I'll take the 2FA and be glad for the 48 hours grace period, which could have been 0!

Meanwhile, as others have posted both here and to the -core/-dev thread, there are various open source solutions available for desktop as well as the usual not-necessarily-open mobile options, and only a single device (which can be a desktop/laptop as well as a mobile) is required (second devices are generally recommended, but only required as lockout-prevention if you're worried about losing access through the original device). And apparently the various corporate including github's (and google's and MS's, maybe facebook's?) 2FA systems can be used as well, according to one post to the other thread.

Tho FWIW there's one active developer complaining rather actively/loudly in the mentioned thread as well, but it's only one, and the situation being what it is, I don't expect it to change much. Tho I do expect a bit more about the attack to be made public once this is over, as is only appropriate given the open norms of the community, but believe that would happen regardless. And I expect once the immediate situation is taken care of, something a bit friendlier for newbies will be put in place as well, tho I expect the 2FA as such to remain. Maybe something like my bank does, with a one-time-pass code that can be either texted or automated-voice-called (my choice as I have no cellphone and my VoIP phone doesn't do texting only voice) as appropriate.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the progr
Re: Fwd: Your account has been deactivated
While you can use a TOTP app (there's a bunch out there, and various open source options), most competent password managers can also do TOTP: KeePassXC does natively, so does Bitwarden, KeePass2 with a plugin, and if you really want to go roll-your-own and have something that's truly platform agnostic, you can use this project[1] to have a web page you pop the seed into and it'll spit out a number for you, with nothing saved serverside.

[1] https://github.com/jaden/totp-generator

Been using this project for testing various TOTP implementations for a project the past couple of months without having to build my own full-end auth system :)

On Mon, 24 Oct 2022 at 14:16, René J.V. Bertin wrote:
> On Monday October 24 2022 13:44:43 Nekobit wrote:
>
> >I'm in a bit of a crunch to setup a proper client on my
> >mobile device right now.
>
> Do I have to understand this requires an additional app and thus a
> smartphone?! Why not impose one from whichever phonemaker is the largest
> KDE sponsor, while you're at it (and I'm guessing that won't be Apple)?
>
> Also, does this mean you need to jump through additional hoops nowadays to
> fetch from and/or commit to KDE repos (and I mean in a CLI of course)?!
>
> Having to do 2FA on a single device always makes me want to hurl at the
> sky...
>
> R
>
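For readers wondering what "pop the seed in and it spits out a number" actually computes: the code is HOTP (RFC 4226) over a time counter (RFC 6238), and KeePassXC, Bitwarden, the totp-generator page and the GitLab server all run the same arithmetic on the same shared seed, which is why any of them works. The block below is an added illustration written for this thread, not code from the totp-generator project, KeePassXC or KDE's GitLab. The seed it embeds is the published RFC 4226/6238 reference secret ("12345678901234567890", base32-encoded), used here as a constructed example; `verify_totp` shows the server-side acceptance window that a GitLab-style login check needs, with a constant-time comparison.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed: the RFC 4226 / RFC 6238 reference secret
# "12345678901234567890", base32-encoded the way a provisioning URI shows it.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed as pasted from a QR code or otpauth:// URI.
    Tolerates spaces, lowercase and missing '=' padding, as most apps do."""
    s = seed_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    Defaults (SHA-1, 30 s, 6 digits) are what GitLab and most apps use."""
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps (clock skew), comparing in constant time so response
    timing does not leak how many digits matched."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = now // step
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + offset, digits), candidate):
            return True
    return False


def current_code(seed_b32: str = EXAMPLE_SEED_B32) -> str:
    """What a TOTP app would display right now for the given seed."""
    return totp(decode_seed(seed_b32), int(time.time()))


if __name__ == "__main__":
    print(current_code())
```

Note that `verify_totp` alone does not stop a code from being replayed inside its 30-second step; a real server additionally records the last counter it accepted for each user and refuses anything at or below it.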
Re: Fwd: Your account has been deactivated
What bothers me a bit about this whole thing is that I get deactivating inactive accounts, say maybe a couple years inactive, but it would have been nice for the deactivation email to spell out that it's being done to force 2FA for dormant accounts, as for all apparently this is why that's being done. I don't recall seeing any email indicating that accounts on Gitlab would be requiring 2FA, although I could've missed that.

On Mon, Oct 24, 2022, 12:45 PM Nekobit wrote:
> On Mon, 2022-10-24 at 15:37 +0100, Paul Dann wrote:
> > On Mon, 24 Oct 2022 at 11:16, Norbert Zawodsky
> > wrote:
> > > On 24.10.22 11:02 René J.V. Bertin wrote:
> > >
> > > > I hate 2FA as it incites too much to remain logged in (and to be
> > > > married to a mobile if not recent enough smartphone).
> > >
> > The same thing just happened to me. I use KeePassXC already, which
> > has OTP support. It's pretty much 3 clicks to add a 2FA token, and
> > it's a desktop app. I happen to sync it with the mobile app via
> > NextCloud, but it's certainly not required.
> >
> > 2FA really is not hard to set up, and significantly reduces identity
> > theft. I get that it's not convenient for everyone, but it's a 10min
> > up-front investment to get something like KeePassXC set up to handle
> > all this simply.
> >
> > Paul
>
> It's not just about setting it up, I only got 2 days warning about
> this, and I'm in a bit of a crunch to setup a proper client on my
> mobile device right now. I also can't find a thing for OTP in
> KeepassXC, and I keep 2 copies of my clients in an ugly manner between
> my desktop and laptop so I'd rather do mobile, but there may be times
> where my mobile device _breaks_ or something, so I don't always like
> storing such things on mobile...
>
> I don't really think the execution of this was done well. I am
> confident enough with a pretty secure password generated with
> KeepassXC, to not think I need 2FA this instant.
>
Re: Fwd: Your account has been deactivated
On Monday October 24 2022 13:44:43 Nekobit wrote:

>I'm in a bit of a crunch to setup a proper client on my
>mobile device right now.

Do I have to understand this requires an additional app and thus a smartphone?! Why not impose one from whichever phonemaker is the largest KDE sponsor, while you're at it (and I'm guessing that won't be Apple)?

Also, does this mean you need to jump through additional hoops nowadays to fetch from and/or commit to KDE repos (and I mean in a CLI of course)?!

Having to do 2FA on a single device always makes me want to hurl at the sky...

R
Re: Fwd: Your account has been deactivated
I'm unsure about older versions, but for KeepassXC 2.7.x:

To set up OTP in KeepassXC, find the entry you want to associate with the OTP or create a new entry. Then, right-click the entry, go to the TOTP submenu, and select Setup TOTP, or go to Entries -> TOTP -> Setup TOTP. You will be prompted to enter the seed for your 2fa.

Then, to get the 2fa code, either select the entry and go to Entries -> TOTP or Right-click -> TOTP, and either Copy TOTP to copy the current code, or Show TOTP, to display the code and show you how long until it times out.

On Mon, 24 Oct 2022 at 13:45, Nekobit wrote:
> On Mon, 2022-10-24 at 15:37 +0100, Paul Dann wrote:
> > On Mon, 24 Oct 2022 at 11:16, Norbert Zawodsky
> > wrote:
> > > On 24.10.22 11:02 René J.V. Bertin wrote:
> > >
> > > > I hate 2FA as it incites too much to remain logged in (and to be
> > > > married to a mobile if not recent enough smartphone).
> > >
> > The same thing just happened to me. I use KeePassXC already, which
> > has OTP support. It's pretty much 3 clicks to add a 2FA token, and
> > it's a desktop app. I happen to sync it with the mobile app via
> > NextCloud, but it's certainly not required.
> >
> > 2FA really is not hard to set up, and significantly reduces identity
> > theft. I get that it's not convenient for everyone, but it's a 10min
> > up-front investment to get something like KeePassXC set up to handle
> > all this simply.
> >
> > Paul
>
> It's not just about setting it up, I only got 2 days warning about
> this, and I'm in a bit of a crunch to setup a proper client on my
> mobile device right now. I also can't find a thing for OTP in
> KeepassXC, and I keep 2 copies of my clients in an ugly manner between
> my desktop and laptop so I'd rather do mobile, but there may be times
> where my mobile device _breaks_ or something, so I don't always like
> storing such things on mobile...
>
> I don't really think the execution of this was done well. I am
> confident enough with a pretty secure password generated with
> KeepassXC, to not think I need 2FA this instant.
>
Re: Fwd: Your account has been deactivated
On Mon, 2022-10-24 at 15:37 +0100, Paul Dann wrote:
> On Mon, 24 Oct 2022 at 11:16, Norbert Zawodsky
> wrote:
> > On 24.10.22 11:02 René J.V. Bertin wrote:
> >
> > > I hate 2FA as it incites too much to remain logged in (and to be
> > > married to a mobile if not recent enough smartphone).
> >
> The same thing just happened to me. I use KeePassXC already, which
> has OTP support. It's pretty much 3 clicks to add a 2FA token, and
> it's a desktop app. I happen to sync it with the mobile app via
> NextCloud, but it's certainly not required.
>
> 2FA really is not hard to set up, and significantly reduces identity
> theft. I get that it's not convenient for everyone, but it's a 10min
> up-front investment to get something like KeePassXC set up to handle
> all this simply.
>
> Paul

It's not just about setting it up, I only got 2 days warning about this, and I'm in a bit of a crunch to setup a proper client on my mobile device right now. I also can't find a thing for OTP in KeepassXC, and I keep 2 copies of my clients in an ugly manner between my desktop and laptop so I'd rather do mobile, but there may be times where my mobile device _breaks_ or something, so I don't always like storing such things on mobile...

I don't really think the execution of this was done well. I am confident enough with a pretty secure password generated with KeepassXC, to not think I need 2FA this instant.
Re: Fwd: Your account has been deactivated
On Monday October 24 2022 15:37:24 Paul Dann wrote:

>2FA really is not hard to set up, and significantly reduces identity theft.

The question is not how hard it is to set up or not but rather why anyone would bother to hack the account of a random KDE contributor. When you know you're fooling yourself in thinking this "minor inconvenience" will stop anyone who really does want to do that. If there's somehow a true risk of your identity being stolen via gitlab then 1) I have more reason to dislike the platform and 2) maybe I regret not having done my contributions under an "artist's name" ...

R.
Fwd: Your account has been deactivated
On Mon, 24 Oct 2022 at 11:16, Norbert Zawodsky wrote:
> On 24.10.22 11:02 René J.V. Bertin wrote:
>
> > I hate 2FA as it incites too much to remain logged in (and to be married to a
> > mobile if not recent enough smartphone).
>

The same thing just happened to me. I use KeePassXC already, which has OTP support. It's pretty much 3 clicks to add a 2FA token, and it's a desktop app. I happen to sync it with the mobile app via NextCloud, but it's certainly not required.

2FA really is not hard to set up, and significantly reduces identity theft. I get that it's not convenient for everyone, but it's a 10min up-front investment to get something like KeePassXC set up to handle all this simply.

Paul
Re: Fwd: Your account has been deactivated
On 24.10.22 11:02 René J.V. Bertin wrote:

> I hate 2FA as it incites too much to remain logged in (and to be married to a
> mobile if not recent enough smartphone).

+1 !
Fwd: Your account has been deactivated
Hi,

This is probably not the most appropriate mailing list for the rant below, but here goes:

I can half understand that inactive accounts get deactivated, but on logging in and reactivating my account I got a message that I was required?! to enable 2-factor auth?

What on earth is the point of that on an _open source_ git server, esp. if you use your github credentials to log in?! It's not like there are secret parts to the code or that contributors are vetted to an extent that "we" need to be extra certain it's indeed them who are logging in.

I hate 2FA as it incites too much to remain logged in (and to be married to a mobile if not recent enough smartphone).

R.

--- Forwarded message:
Date: Monday October 24 2022
From: KDE Invent
To: rjvber...@gmail.com
Cc:
Subject: Your account has been deactivated

Hello René J.V. Bertin,

Your account has been deactivated. You will not be able to:
- Access Git repositories or the API.
- Receive any notifications from GitLab.
- Use slash commands.

To reactivate your account, sign in to GitLab at https://invent.kde.org/.

Please contact your GitLab administrator if you think this is an error.

-- 
You're receiving this email because of your account on invent.kde.org.