Tuesday 14 August 2018

Re: Requiring Launchpad 2FA from Ubuntu uploaders

On Tue, Aug 14, 2018 at 02:31:05PM +0100, Robie Basak wrote:
> Launchpad 2FA is currently opt-in for everyone. However, it has been
> mandatory for Canonical employees for a number of years now. Details are
> documented here:
>
> https://help.ubuntu.com/community/SSO/FAQs/2FA
>
> TOTP and HOTP are supported, so this works with hardware authenticators
> such as Yubikeys as well as smartphone apps like OTP Authenticator (from
> F-Droid) and Google Authenticator (Play Store), etc.
>
> We[1] think this is now easy enough and standard enough not to be a
> burden, so we are inclined to implement this as a requirement for all
> Ubuntu uploaders[2]. Any objections?

This isn't a hard objection, but one thing to consider is that we don't
have a terribly good recovery mechanism at the moment; indeed, this is
why 2FA in SSO still has a slightly complicated and explicit opt-in
procedure for most people.

For Canonical employees, we avoid this being a fatal problem because we
have ways to do out-of-band verification when (not if) people lose their
2FA tokens, since if nothing else their manager should be in regular
contact with them. Is that something we can expect to have for all
Ubuntu uploaders? I suppose we could manually exchange GPG-signed email
with them or something ...

--
Colin Watson [cjwatson@ubuntu.com]
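For readers who want to see what "TOTP and HOTP" in Robie's mail actually mean on the wire, here is an added worked example; it is mine, not Launchpad or Ubuntu SSO code, and it makes no claim about how SSO implements its checks. It computes RFC 4226 HOTP (the counter-based scheme a Yubikey in OATH-HOTP mode uses) and RFC 6238 TOTP (what the smartphone apps use), and shows the server-side verification that goes with each: a look-ahead window so a Yubikey whose counter has run ahead of the server can resync, a clock-skew window for TOTP, and the replay check both need. The key is the public RFC test key, embedded as constructed input; the look_ahead and drift window sizes are assumed policy values, not anything documented for Launchpad.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 published test key (ASCII "12345678901234567890").
# Constructed input for this example only; a real enrolment uses a random
# secret shared with the authenticator (usually delivered as a base32 QR code).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    (low nibble of the last byte selects a 31-bit window), then reduce modulo
    10**digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_hotp(secret: bytes, submitted: str, next_counter: int,
                look_ahead: int = 10):
    """Server-side HOTP check with a resync window (look_ahead is an assumed
    policy value).  A hardware token increments on every button press, even
    presses that never reach the server, so the server searches forward from
    the counter it expects.  Returns the counter to persist for the next login,
    or None.  Counters below next_counter are never tried, so a captured code
    cannot be replayed."""
    for c in range(next_counter, next_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def verify_totp(secret: bytes, submitted: str, now: int, last_step: int = -1,
                step: int = 30, drift: int = 1):
    """Server-side TOTP check tolerating +/- drift steps of clock skew (assumed
    policy value).  Returns the matched time step to persist as last_step, or
    None.  Steps at or below last_step are rejected so a code observed once
    cannot be reused while it is still inside the skew window."""
    current = int(now) // step
    for k in range(-drift, drift + 1):
        candidate = current + k
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 4226 test vector: counter 0 -> 755224.
    print("HOTP(0)  =", hotp(TEST_SECRET, 0))
    # RFC 6238 test vector: T=59, SHA-1, 8 digits -> 94287082.
    print("TOTP(59) =", totp(TEST_SECRET, 59, digits=8))
    # Token pressed three extra times since last login: resync lands on 5.
    print("resync   =", verify_hotp(TEST_SECRET, hotp(TEST_SECRET, 4), next_counter=1))
```

Two things the example makes visible that matter for the recovery discussion: the server must persist state (the HOTP counter or the last-used TOTP step) per enrolled token, and losing the shared secret on either side is unrecoverable by design, which is exactly why an out-of-band reset path has to exist before 2FA is made mandatory.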

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel