
It was requested that we send some test messages to the new mail list, so here's one, with a purpose. Is there a way to enable two factor authentication for signing in to the mail list web site at https://lists.gtalug.org ? Ideally (for me) using a hardware security key, such as a YubiKey or Google Titan, or less ideally, using FIDO one-time code from the Google Authenticator app or equivalent, or even less ideally, from an e-mailed code. -- Scott

On Tue, 10 Jun 2025 at 22:14, Scott Allen <mlxxxp@gmail.com> wrote:
Ideally (for me) using a hardware security key, such as a YubiKey or Google Titan, or less ideally, using FIDO one-time code from the Google Authenticator app or equivalent
Correcting myself: FIDO is associated with hardware keys. Google Authenticator, etc., uses TOTP algorithms specified in RFC 6238. -- Scott

On Wed, 11 Jun 2025 06:56:16 -0400 Scott Allen via Talk <talk@lists.gtalug.org> wrote:
On Tue, 10 Jun 2025 at 22:14, Scott Allen <mlxxxp@gmail.com> wrote:
Ideally (for me) using a hardware security key, such as a YubiKey or Google Titan, or less ideally, using FIDO one-time code from the Google Authenticator app or equivalent
Correcting myself: FIDO is associated with hardware keys. Google Authenticator, etc., uses TOTP algorithms specified in RFC 6238.
2FA relies on second factor authentication; as such, it depends entirely on security requirements. 2FA using TOTP, where the 2FA is on the same device as the initial authentication, provides the same amount of additional security as 2FA relying on email username & password for auth. FIDO, on the other hand, provides external 2FA and is 'real' 2FA, but is not 'free' or 'cheap', as real hardware & software for that hardware costs real money. When (or 'if') TOTP is on a secondary device, or even if the email code goes to a second device and a second hosting provider, that 2FA provides a real, actual additional layer (in the onion), but sending 2FA to the same device means as much as the security of that device itself.

Scott Allen via Talk wrote on 2025-06-10 19:14:
It was requested that we send some test messages to the new mail list, so here's one, with a purpose.
Thanks!
Is there a way to enable two factor authentication for signing in to the mail list web site at https://lists.gtalug.org ?
I have no idea how to begin to accomplish this and there's no mention of it in the docs. While a mailing list isn't really a high value security target, it'd be interesting to explore. Any ideas how one would implement 2FA on a web site?

It doesn't look like Postorius (web frontend for GNU Mailman) has any kind of MFA support, at least according to the deployment doc: https://asynchronous.in/docker-mailman/ and neither does Sympa: https://www.sympa.community/gpldoc/man/sympa_config.5.html

Thus, I suspect this would have to be a feature request to the Postorius team, or some sort of reverse proxy that implements MFA or passkey (passwordless) auth, functionally similar to x.509 cert based auth without all the x.509 overhead.

Rouben

On Wed, Jun 11, 2025 at 12:25 Ron via Talk <talk@lists.gtalug.org> wrote:
Scott Allen via Talk wrote on 2025-06-10 19:14:
It was requested that we send some test messages to the new mail list, so here's one, with a purpose.
Thanks!
Is there a way to enable two factor authentication for signing in to the mail list web site at https://lists.gtalug.org ?
I have no idea how to begin to accomplish this and there's no mention of it in the docs.
While a mailing list isn't really a high value security target, it'd be interesting to explore.
Any ideas how one would implement 2FA on a web site?

On Wed, 11 Jun 2025 at 13:01, Rouben via Talk <talk@lists.gtalug.org> wrote:
Thus, I suspect this would have to be a feature request to the Postorius team
Postorius uses the Django web framework. It appears that there is code for 2FA available for Django, allowing TOTP, phone or text messages, and WebAuthn for hardware keys and passkeys: https://django-two-factor-auth.readthedocs.io/en/stable/ Therefore, it's possible that it wouldn't take too much effort to add 2FA capability to Postorius. -- Scott
participants (4)
- ac
- Ron
- Rouben
- Scott Allen