On Wed Feb 26, 2020 at 3:04 PM, wrote:
> If 2FA gets switched on, it should either be optional, or there should be a strategy for account recovery (e.g. by a previously set alternate email). I've definitely been locked out of servers before because of OTP loss or even bugs in the 2FA PAM module, although that was quite a while ago.
OpenSSH's latest version also has support for FIDO/U2F. I haven't gotten the chance to use it yet, but it could be a pretty nice alternative to OTP. Seconded on OTP bugs/lockouts. I've been locked out of my email provider because OTP randomly stopped accepting my tokens.