Comments (6)
Some feature requirements:
- no SMS
- generate a scannable QR code for the terminal; also display the number for manual input
- require successful input of one code before enabling it
- generate 10 one-time-use recovery codes
- using a recovery code un-sets 2FA
I am fine with showing the recovery codes again on a web site, preferably after some kind of short-term privilege escalation action, like, say, entering a valid OTP.
from entropic.
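The enrollment rules listed in the comment above, sketched as an added example (not part of the thread and not Entropic's code): RFC 6238 TOTP, activation only after one valid code, 10 recovery codes, re-display gated on a fresh OTP, and a recovery code un-setting 2FA. The `TwoFactor` class, its method names, the in-memory storage and the one-step drift window are assumptions.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, 6 digits by default.
function totp(secret, timeMs, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.max(0, Math.floor(timeMs / 30000))));
  const mac = createHmac('sha1', secret).update(counter).digest();
  const offset = mac[19] & 0x0f; // dynamic truncation (RFC 4226)
  const value = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(value % 10 ** digits).padStart(digits, '0');
}

// Compare two strings without leaking the position of the first mismatch.
function same(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// Hypothetical per-user 2FA record (assumption, not Entropic's data model).
class TwoFactor {
  constructor() { this.state = 'disabled'; }

  // The caller renders this secret as a QR code and as text for manual input.
  begin() {
    this.secret = randomBytes(20);
    this.state = 'pending';
    return this.secret;
  }
  // Accept the previous, current and next step to tolerate clock drift.
  check(code, now = Date.now()) {
    if (this.state === 'disabled') return false;
    return [-1, 0, 1].some((d) => same(totp(this.secret, now + d * 30000), code));
  }
  // 2FA turns on only after one valid code; returns the 10 recovery codes.
  confirm(code, now = Date.now()) {
    if (this.state !== 'pending' || !this.check(code, now)) return null;
    this.recovery = Array.from({ length: 10 }, () => randomBytes(8).toString('hex'));
    this.state = 'enabled';
    return [...this.recovery];
  }
  // Showing the codes again is gated on a fresh valid OTP.
  showRecovery(code, now = Date.now()) {
    return this.state === 'enabled' && this.check(code, now) ? [...this.recovery] : null;
  }
  // A recovery code un-sets 2FA, which also voids the secret and the other codes.
  recover(code) {
    if (this.state !== 'enabled' || !this.recovery.some((c) => same(c, code))) return false;
    this.state = 'disabled'; this.secret = null; this.recovery = null;
    return true;
  }
}
```

The recovery codes are kept retrievable here only because the comment asks for re-display; a store that keeps only hashes of them could not show them again.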
What I'd like to gain from Entropic-supported 2FA is the ability to prompt users for a second factor when taking sensitive actions, like publishing a package, inviting/removing folks from namespaces, or inviting/removing maintainers from packages. GitHub 2FA protects the initial sign-up process (& subsequent website sign-ins to generate tokens) but not app-specific actions.
from entropic.
I guess FIDO2 would only make sense for a web-registry login scenario https://fidoalliance.org/fido2/
from entropic.
Counterpoint: GitHub supports 2FA already. Is there a way we could check whether or not a GitHub user uses 2FA so that we can utilize that, rather than potentially having 3FA?
from entropic.
I don't think there's a way to tell if a user has 2FA enabled through the API, unless they're a member or collaborator on your org :\
from entropic.
OTP and SSS (Shamir's Secret Sharing) are also great solutions, especially to prevent the storage of full tokens.
from entropic.