Oh no! A wild security feature for @forgejo has appeared that even GitHub doesn't have! https://codeberg.org/forgejo/forgejo/pulls/4662

#forgejo

[SEC] Add `totp_recovery_code` as SSH command

- When a person loses access to their TOTP (e.g. phone wiped) and didn't properly save their TOTP's scratch code, they have to rely on the instance admins to authenticate with them that it is really their account; this can be a quite difficult and lengthy process to safely verify thi...

Codeberg.org
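A simulation of the recovery flow the linked PR describes, added here as an illustration and not Forgejo's code: the key that sshd already authenticated must be a verified key, the command hands out a fresh single-use scratch code, and login still requires the password. The data model, the rate limit and the SHA-256 stand-in for a password KDF are assumptions.

```python
from dataclasses import dataclass, field
import hashlib, secrets, time

# Constructed data model; Forgejo's real storage layout is not reproduced here.
@dataclass
class SSHKey:
    owner: str
    verified: bool  # owner signed a challenge token when adding the key

@dataclass
class Account:
    totp_enabled: bool
    password_hash: str
    scratch_hash: str = ""                         # hash of the one-time recovery code
    issued_at: list = field(default_factory=list)  # when codes were handed out

class RecoveryError(Exception):
    pass

MAX_CODES_PER_HOUR = 3  # assumed limit, so the command cannot be spammed

def sha256(s: str) -> str:  # stand-in for a real password KDF
    return hashlib.sha256(s.encode()).hexdigest()

def totp_recovery_code(original_cmd, key, accounts, now=None):
    """Forced-command handler: sshd has already authenticated `key`;
    `original_cmd` is SSH_ORIGINAL_COMMAND."""
    now = time.time() if now is None else now
    if original_cmd.strip() != "totp_recovery_code":
        raise RecoveryError("unsupported command")
    if not key.verified:
        raise RecoveryError("only a verified key proves account ownership")
    acct = accounts[key.owner]
    if not acct.totp_enabled:
        raise RecoveryError("TOTP is not enabled for this account")
    acct.issued_at = [t for t in acct.issued_at if now - t < 3600]
    if len(acct.issued_at) >= MAX_CODES_PER_HOUR:
        raise RecoveryError("too many recovery codes issued recently")
    acct.issued_at.append(now)
    code = secrets.token_hex(8)       # fresh single-use scratch code
    acct.scratch_hash = sha256(code)  # store only its hash
    return code

def login(acct, password, scratch):
    """Scratch code replaces only the TOTP factor; the password is still required."""
    if sha256(password) != acct.password_hash or sha256(scratch) != acct.scratch_hash:
        return False
    acct.scratch_hash = ""  # consumed: single use
    return True
```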
@Gusted @forgejo

> Something that has come up in these situations is that such people usually have a (verified) SSH key added to their account and could use that to prove they are the owner of the account, by the possession of such SSH key.

Okay, so what's the point of enforcing any TOTP if it's basically defeated by possessing a verified SSH key?
@feld @forgejo Having a verified SSH key is also a form of 2FA. For both occasions, you still need to know the password, so if your SSH key is leaked, it won't give anyone instant access to your account.
@Gusted @forgejo My SSH keys can't leak, they're all on HSMs. And it shouldn't even be possible to make an SSH key that isn't password protected, but here we are in 2024 with people in charge of our security tools continuing to make terrible decisions