diff --git a/assets/main.scss b/assets/main.scss
index af0895d..5f01b80 100644
--- a/assets/main.scss
+++ b/assets/main.scss
@@ -259,6 +259,12 @@ label {
 color: #721c24;
 border-color: #f5c6cb;
 }
+
+ &.alert-info {
+ background: #d1ecf1;
+ color: #0c5460;
+ border-color: #bee5eb;
+ }
 }

 h3 {
diff --git a/config.toml b/config.toml
index 625d662..56f9d31 100644
--- a/config.toml
+++ b/config.toml
@@ -1,3 +1,6 @@
 baseURL = "https://sourcehut.org/"
 title = "Sourcehut"
 pygmentsUseClasses = true
+
+[markup.goldmark.renderer]
+unsafe= true
diff --git a/content/blog/2020-03-04-When-you-lose-2FA.md b/content/blog/2020-03-04-When-you-lose-2FA.md
new file mode 100644
index 0000000..dd65500
--- /dev/null
+++ b/content/blog/2020-03-04-When-you-lose-2FA.md
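Review bot: `unsafe= true` under `[markup.goldmark.renderer]` in the config.toml hunk applies to every Markdown file the site renders, not only the new post, and nothing in the file records why it was switched on. With this set, Goldmark passes inline HTML (including `<script>` and event-handler attributes) and links it would otherwise filter straight into the output, so every content file becomes trusted markup. Presumably it is needed for an alert block in the new post, given the `.alert-info` rule added in main.scss; that part of the post is not visible here. I would add a comment above the key, e.g. `# Renders raw HTML in Markdown verbatim; review content patches for inline HTML`, and normalise the spacing to `unsafe = true`.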
@@ -0,0 +1,58 @@
+---
+title: What do we do when you lose your 2FA codes?
+date: 2020-03-04
+author: Drew DeVault
+---
+
+By far the most common sort of support request I receive from SourceHut users on
+a day-to-day basis is from users who have lost access to their TOTP
+([Time-based One-time Password algorithm][totp]) codes. Losing your phone,
+getting a new one and forgetting to migrate the keys, or wiping it to install a
+new OS are common reasons to accidentally lose access to your two-factor
+authentication.
+
+[totp]: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
+
+Naturally, we cannot just disable 2FA on your account, no questions asked. The
+purpose of 2FA is to increase the level of scrutiny that's placed on attempts to
+make authorized requests for your account. Therefore, we seek some alternative
+method of authenticating that you are who you say you are.
+
+The easiest way is PGP: about 10% of sr.ht users have added a PGP key to their
+account. If your support email is signed with the PGP key we have on file for
+you, then we can assume it's you with no further questioning. If not, we can ask
+you to send a follow-up email which is signed. Even more users have an SSH key
+added to their account, about 30%. For them, I asked my friend minus to write a
+small tool, [sshign](https://git.sr.ht/~minus/sshign), which can
+cryptographically sign messages with your SSH key.
+