List: kde-community
Subject: Re: Gitlab update, 2FA now mandatory
From: Frederik Schwarzer <schwarzer () kde ! org>
Date: 2022-10-25 6:29:27
Message-ID: C9648577-3109-4484-9658-777BC3CFC622 () kde ! org
Hi,

making assumptions or generalising a group of people will always "forget" about some people.

What about translators? Are they all as "techy" as you imagine all our devs are? (Spoiler: no they aren't)
What about older contributors (like me)? Are they all as up-to-date with emerging technologies as you think they are? Maybe not.

I do have 2FA at work. It's a hardware token with a "put the number in this field" workflow. I did not have to set that up, I just use it.
My bank uses a very special kind of 2FA which I just recently recognised as such. Meaning, I cannot use my bank's 2FA technology for anything else, so it feels like a different tech.
Otherwise I have not yet had the need for 2FA in my private life. I despise having accounts, so I do not use Paypal, Google, Amazon, Microsoft, Facebook or any other of the "common" accounts, and I do my online shopping as a guest to not bother with login stuff there either.

So now for the KDE login I had to set up 2FA for the first time and it involved some confusion. I managed to set up KeePassXC with TOTP now, but not without a close call in ruining my tax authority account credentials in the process, because it was not clear to me at first that the "Set up TOTP" menu entry worked on one of the existing entries rather than enabling a separate way of adding accounts.

Speaking of taxes. In my country it's the last week for handing in tax reports, so I might have decided that my mind currently does not have enough free capacity to bother with keeping my KDE account working. The time span to handle this situation seems rather tight to me.

Anyway, while I see good reasoning behind the decision to use 2FA, I think it wasn't handled in a very good way. It would have been good to have more time for the change and also to offer more support for people completely new to 2FA. Throwing in names of apps alone is not enough. Not everyone has time to spend an evening investigating those apps and then set one (or several) up just to realise it uses different terminology than GitLab (key vs. secret key, PIN vs. password, etc.), which makes setting it up a fun little guessing game with quite some shrugging.

Please do not surprise a diverse group of people with different techy backgrounds, different ages and different levels of smartness (meaning: eagerness to dig into new topics asap) by making something mandatory just because you and everyone you know are familiar with that particular tech anyway.

On a side note, I have decided to use this as an opportunity to set up 2FA for more of the few accounts I have, and I also bought two Yubikeys to play around with those as well ... But I do not assume everybody appreciates that kind of opportunity.

Cheers
Frederik
On 25 October 2022 05:39:32 CEST, Victoria Fierce <tdfischer@hackerbots.net> wrote:
> I would like to think that anyone who either knows /enough/ about KDE that they
> want to contribute or has used basically any other internet service before coming
> to KDE is already familiar with 2FA that it won't be a problem for them. Our users
> are smart, our devs are also (often) smart, everyone involved is probably smarter
> and more capable than we would imagine. If KDE contributions decline for any
> reason, I don't think it would be for technical ones. My bank needs 2FA, my paypal
> needs 2FA, my work needs lordt-knows-how-much 2FA, heck even when I'm using Matrix
> I need to do some kind of 2FA-ish dance to verify the login and distribute crypto
> keys.
> On Mon, Oct 24, 2022, at 9:19 AM, Christoph Cullmann (cullmann.io) wrote:
> > Hi,
> >
> > > > Could the 2FA stuff perhaps be limited to people with developer role
> > > > or
> > > > such?
> > >
> > > It is technically possible to only apply the mandatory 2FA rules to
> > > only certain groups as Developer accounts are simply membership in
> > > teams/kde-developers.
> > > See
> > > https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> > > for the documentation on this.
> > >
> > > Given that we are using Invent for authenticating our various other
> > > services and the users of those aren't necessarily developers (while
> > > still having access to sensitive information) it seemed more prudent
> > > to enforce 2FA for everyone to ensure all our systems have a minimum
> > > baseline of industry best practice protection in place.
> > >
> > > This also avoids any issue when people are granted a developer account
> > > and suddenly find themselves subject to a new requirement.
> >
> > I think it is rather worse that now first time contributors have this
> > requirement.
> >
> > A lot of people already complain "why can I not just use my GitHub
> > account",
> > now they need to set this up in addition.
> >
> > And yes, besides invent.kde.org, I never needed to use my Google Auth
> > App except for some hosting.
> >
> > All other things I use that have 2FA use different methods that don't
> > need
> > any such app on my phone.
> >
> > Therefore that is more than just 2 clicks for a lot of people.
> >
> > Greetings
> > Christoph
> >
> > --
> > Ignorance is bliss...
> > https://cullmann.io | https://kate-editor.org
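Editor's note, added to this archived thread and not part of any message in it: the "key" / "secret key" confusion mentioned above comes from the fact that every TOTP setup (GitLab, KeePassXC, Google Authenticator, a YubiKey's OATH slot) is seeded with the same thing, one base32 string, and the six-digit code is just HMAC over a 30-second time counter (RFC 6238). The example below is added illustration code, not KDE or GitLab code. It uses the RFC 4226/6238 test secret so the outputs can be checked against the published vectors; the +/-1 step acceptance window in `verify_totp` is a common server-side convention and an assumption here, not a statement of what invent.kde.org does.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"),
# base32-encoded the way GitLab shows it under "Key" / "Secret key" and
# the way an authenticator app expects to have it pasted in.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Normalise a pasted base32 secret: drop grouping spaces/dashes,
    upper-case it and restore padding, then decode to raw key bytes."""
    s = secret_b32.replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // step, digits, algo)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check (assumed convention, not GitLab's code): accept the
    code for the current step and `window` steps either side to absorb clock
    drift, comparing in constant time so a timing side channel does not leak
    how many leading digits matched."""
    t = int(time.time()) if at is None else at
    key = decode_secret(secret_b32)
    return any(
        hmac.compare_digest(hotp(key, (t + k * step) // step, digits), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Matches the RFC 6238 Appendix B vector for T=59, SHA-1, 8 digits.
    print(RFC_TEST_SECRET_B32, totp(RFC_TEST_SECRET_B32, at=59, digits=8))
```

Practical reading of this: whatever an app labels the field, what it wants is the base32 string (spaces and lower case are cosmetic), and once both sides hold the same secret and roughly the same clock they will agree on the code. A recovery-codes printout matters precisely because that secret lives only on the device you enrolled.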