On Wed, 2026-07-01 at 07:52 -0400, Neal Gompa wrote: > I am not wrong. Having MFA support is not the same thing as supporting > low-touch MFA workflows. Zero-touch MFA reset has been a requested > feature ever since we started talking about MFA for packagers. We > don't have it. Instead, we have to contact an admin to reset it. No > self-service recovery code based mechanism, or email verification > mechanism, or anything of the sort. These are all things that are part > of table-stakes for account systems like ours, and we don't have it. > > This is a genuine hardship, and we know that it's something that takes > actual time from people since ~15 resets have been done in the past > six months alone. Self-service resets are, from my point of view, the > only major blocker to considering mandatory MFA.
It's not FreeIPA's job to support this, in the Fedora system. We intentionally *do not* expose FreeIPA itself directly to Fedora users; that's our own design choice. User interaction is via FAS, i.e. Noggin, which is...a thing we built, exactly what you advocated. -- Adam Williamson (he/him/his) Fedora QA Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected] https://www.happyassassin.net -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
