Many organizations are moving to 2FA/MFA
Posted Jul 14, 2022 9:37 UTC (Thu) by roc (subscriber, #30627)
In reply to: Many organizations are moving to 2FA/MFA by david.a.wheeler
Parent article: "Critical" projects and volunteer maintainers
Posted Jul 14, 2022 11:34 UTC (Thu)
by hmh (subscriber, #3838)
2FA apps running in a (hopefully separate) device are almost always accepted as well, at least for the forges.
So, your typical floss developer, even in areas where hardware tokens are either expensive or hard to acquire, can trivially get past that bar.
There really isn't any excuse for not mandating 2FA other than credential recovery procedures, as long as it is an interoperable one that is not going to cause any sort of vendor lock-in.
The recovery procedures are indeed a concern, though.
Posted Jul 14, 2022 15:15 UTC (Thu)
by tialaramex (subscriber, #21167)
TOTP can be phished, it's maybe going to be a bit harder to phish the sort of person who writes a Python package than my mother, but on the other hand it's probably a spear phishing exercise and so the attacker is putting real work in not just spewing out a million bogus emails claiming to be from FedEx or whoever. This is why FIDO is so important that it's worth spending money (not very much money in the larger scheme of things, but spending money is annoyingly difficult in the sort of organisations that have money) to give people FIDO authenticators rather than just point them at TOTP.

The "cheapest" viable attacks on FIDO appear to be:

- Persuade the user to give you their physical token e.g. call them and insist it needs replacing, send a "courier" to pick it up (this sounds like a good way to get arrested, Police may not understand Internet crimes, but they have seen this trick done with credit cards for decades).
- Persuade the user to install malware which can request suitable login credentials and send them to you, and then persuade the user to physically authorise that authentication.

Both ideas are something you could imagine a state actor pulling off but aren't very practical for small time crooks, bored teenagers and suchlike real world attackers.
The difficult-to-acquire thing is probably given a misleading impression by the fact these tend to be US projects. Americans have a much easier time sending physical objects to a handful of countries and those are listed. But I assure you that a hacker living in Moscow right now, regardless of how they feel about their country's invasion of Ukraine, can get themselves a FIDO authenticator if they want one for example.
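To make the TOTP-versus-FIDO point above concrete, here is an added illustration (not code from the thread or from any forge): a relying party verifying a TOTP code sees only six digits and cannot tell on which site the user typed them, whereas a WebAuthn-style verifier checks the origin the browser embedded in the signed client data and rejects an assertion made on a look-alike origin. Secrets, challenge and origins are constructed, and an HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib, hmac, json, struct

# Constructed sample values (not real credentials or sites).
TOTP_SECRET = b"constructed-totp-secret"
CRED_SECRET = b"constructed-credential-secret"  # stand-in for the authenticator's private key
RP_ORIGIN = "https://forge.example"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code the user reads off their app."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, t: int) -> bool:
    """Relying party side: six digits carry no information about where they were typed."""
    return any(hmac.compare_digest(totp(secret, t + d), code) for d in (-30, 0, 30))

def fido_assert(cred_secret: bytes, challenge: str, origin: str) -> dict:
    """Authenticator side: signs client data the browser fills in with the page's real origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(cred_secret, client_data.encode(), hashlib.sha256).hexdigest()  # stand-in for ECDSA
    return {"client_data": client_data, "sig": sig}

def verify_fido(cred_secret: bytes, assertion: dict, expected_challenge: str, expected_origin: str) -> bool:
    """Relying party side: signature, challenge freshness and, crucially, the origin must all match."""
    cd = json.loads(assertion["client_data"])
    expected_sig = hmac.new(cred_secret, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, assertion["sig"])
            and cd["type"] == "webauthn.get"
            and cd["challenge"] == expected_challenge
            and cd["origin"] == expected_origin)

def relay_outcomes(t: int = 1657800000) -> dict:
    """Constructed scenario: the user is on a look-alike origin whose operator forwards what they obtain."""
    challenge = "constructed-challenge"  # a fresh random nonce per login in real WebAuthn
    code = totp(TOTP_SECRET, t)  # typed on the look-alike site, forwarded verbatim to the real one
    # Real browsers also refuse to sign when the rpId does not match the origin; the check here is the server's.
    relayed_fido = fido_assert(CRED_SECRET, challenge, "https://forge-login.example")
    genuine_fido = fido_assert(CRED_SECRET, challenge, RP_ORIGIN)
    return {
        "totp_relayed": verify_totp(TOTP_SECRET, code, t),                              # True: accepted
        "fido_wrong_origin": verify_fido(CRED_SECRET, relayed_fido, challenge, RP_ORIGIN),  # False: rejected
        "fido_genuine": verify_fido(CRED_SECRET, genuine_fido, challenge, RP_ORIGIN),       # True: accepted
    }
```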
Posted Jul 14, 2022 19:34 UTC (Thu)
by roc (subscriber, #30627)
Posted Jul 15, 2022 19:21 UTC (Fri)
by mathstuf (subscriber, #69389)
Is that something that you can set on your account or is it more that you only use `sk-` SSH keys?
If it is via token-anchored keys, how do you manage backup keys (I have… a few)? Do you just have N SSH keys registered or is there a way to make N keys unlock a single SSH keypair? (I really want to avoid "add new token's key" to every service if/when I get new ones because I prefer to manage a keypair per service as well and making that an NxM matrix sounds… horrendous[1].) I'm also worried about exhausting the key storage on the token (IIRC, an older method used up "slots" on the key, but docs about `sk-` keys don't mention hardware limits).
[1] You also end up with a O(n) configuration with `IdentitiesOnly` and leaks how many backups there are directly in the configuration.
Posted Jul 17, 2022 3:30 UTC (Sun)
by alison (subscriber, #63752)