Closed nobugshere closed 1 day ago
The user should be able to choose whether to rely only on a YubiKey, with no password, or whether to use 2-factor authentication, both a YubiKey and a password. Even in the former case, the attacker needs both the key and the database.
I agree with all of that. My only question was: If the user enters a password, should we perform the strength check and warn if it is considered weak? The user could still choose to use it anyway.
I'm OK with that. Note that changing the strength check to something less trivial (e.g., zxcvbn) is on my todo list...
Related to the discussion in #1299
@ronys, if one does enter a PW with a YubiKey, do you think it should go through the same strength test(s) as for a PW-only entry, and the user alerted if it doesn't pass? (Currently, that is not the case.) I think the main reason for using a PW with a YubiKey is in case someone steals your key. So, if you set one, it should be a good one. But, it is optional anyway, so I keep going back and forth on this :-)
This is in reference to the WX version; I haven't checked the behavior of the Windows version.
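The policy the thread converges on (a password entered alongside a YubiKey gets the same strength test as a password-only entry, a weak result warns but does not block, and YubiKey-only with no password is allowed without a warning), as an added illustration that is not the project's own code. The character-class entropy estimate, the `KeyMode` enum and the 40-bit threshold are constructed assumptions standing in for the project's current "trivial" check.

```cpp
#include <cctype>
#include <cmath>
#include <string>

// Constructed: which factors the user chose for the master credential.
enum class KeyMode { YubiKeyOnly, YubiKeyPlusPassword, PasswordOnly };

struct CheckResult {
    bool accepted;  // credential setup may proceed
    bool warn;      // password is considered weak (user may still keep it)
    double bits;    // estimated strength in bits (0 when no password)
};

// Constructed stand-in for a simple strength check: length times the
// log2 of the character pool implied by the classes actually used.
double estimateBits(const std::string& pw) {
    if (pw.empty()) return 0.0;
    bool lower = false, upper = false, digit = false, other = false;
    for (unsigned char c : pw) {
        if (std::islower(c)) lower = true;
        else if (std::isupper(c)) upper = true;
        else if (std::isdigit(c)) digit = true;
        else other = true;
    }
    int pool = (lower ? 26 : 0) + (upper ? 26 : 0) + (digit ? 10 : 0) + (other ? 33 : 0);
    return static_cast<double>(pw.size()) * std::log2(static_cast<double>(pool));
}

// Same strength test regardless of whether a YubiKey is also configured;
// a weak password only triggers a warning. minBits = 40 is an assumed threshold.
CheckResult checkMasterCredential(KeyMode mode, const std::string& pw, double minBits = 40.0) {
    if (mode == KeyMode::YubiKeyOnly) {
        return {true, false, 0.0};           // key alone: no password, no warning
    }
    if (pw.empty()) {
        return {false, false, 0.0};          // password is required in these modes
    }
    double bits = estimateBits(pw);
    return {true, bits < minBits, bits};     // warn, but do not refuse
}
```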