Re: Salsa update: no more "-guest" and more

On Sun, Apr 26, 2020 at 12:31:42AM +0200, Gard Spreemann wrote:
> Bernd Zeimetz <bernd@bzed.de> writes:
> > Actually I think 2FA should be enforced for everybody.
> > Even debian.org related passwords might get lost.
> Right, but what's the threat model here? For some of us, losing the
> Salsa password is essentially only possible if we have had our PGP
> dongle or offline private key backup compromised.

Actually, there's a good reason I enable two-factor everywhere despite
using a password manager. Password auth submits the same secret over the
network on every login, whereas TOTP is based on a pre-shared key, so an
attacker needs to intercept that initial sharing or phish the OTP.

It's probably a minor concern and over the top, but with the ease of use
of pass-otp in debian or andOTP in f-droid, why not? I think I've talked
myself out of suggesting requiring 2FA on Salsa, but if it's possible to
have it by default (opt-out vs opt-in) then that'd be great.

