On Wed, 2026-07-01 at 07:52 -0400, Neal Gompa wrote:
> I am not wrong. Having MFA support is not the same thing as supporting
> low-touch MFA workflows. Zero-touch MFA reset has been a requested
> feature ever since we started talking about MFA for packagers. We
> don't have it. Instead, we have to contact an admin to reset it. No
> self-service recovery code based mechanism, or email verification
> mechanism, or anything of the sort. These are all things that are part
> of table-stakes for account systems like ours, and we don't have it.
> 
> This is a genuine hardship, and we know that it's something that takes
> actual time from people since ~15 resets have been done in the past
> six months alone. Self-service resets are, from my point of view, the
> only major blocker to considering mandatory MFA.

It's not FreeIPA's job to support this, in the Fedora system. We
intentionally *do not* expose FreeIPA itself directly to Fedora users;
that's our own design choice. User interaction is via FAS, i.e. Noggin,
which is...a thing we built, exactly what you advocated.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected]
https://www.happyassassin.net



-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to