
Set up Yubikey support in Phabricator
Closed, Declined · Public

Description

There is already an extension to make this work: https://github.com/thoughtpolice/libphutil-yubikey

Seems like a good idea. @csteipp and SRE might like to see this happen?

Event Timeline

Restricted Application added subscribers: Zppix, TerraCodes, Aklapper.

Source makes several references to YubiCloud...

This would add Yubi OTP to Phabricator as a second factor (from skimming the code; if I'm missing something else, let me know).

There isn't much advantage to their OTP method, which validates against the secret stored in YubiCloud over OATH, which we currently support. And in fact, your YubiKey can be configured to produce an OATH OTP that's compatible with the current setup.

The disadvantages are that your secret is stored in the YubiCloud (very low threat, but still...), and it's proprietary. I'll make the assumption we can't provision YubiKeys to all Phab users, so we would have to keep our current OATH-based MFA enabled, so it's duplicating functionality but increasing our attack surface.

So I can't see a strong advantage to enable it, and several issues that concern me about it. If there's a strong use case for it, let's keep discussing. But let's not just enable it because we can.

@csteipp: Thanks! I'm not attached to the idea, I just saw it and I thought it might be useful.