Adam Williamson wrote:
Do we require 2FA for provenpackager yet?
No. I am a provenpackager and do not have 2FA enabled (nor do I want it to
be).
People would say, justifiably so, that it was absolutely unacceptable
for
us to be allowing single-factor authentication for contributors to a
general-purpose operating system in 2024. It is.
This is nonsense propaganda. Most 2FA implementations cannot even guarantee
that the second factor is not stored right next to the first factor. Open
standards that do not depend on commercial hardware or telecommunication
operators, such as TOTP, cannot guarantee it by design. Any 2FA app that
works on my PinePhone is also going to work directly on my computer, so you
have no way to enforce that I use a different device for the second factor.
2FA is pointless security theater that just makes it a pain to contribute,
when we are all this time talking about lowering, not rising, the barrier to
entry.
Kevin Kofler