I just received an email from Github that they are now ofically begin to require users who contribute code need to have 2FA enabled.

Why isn’t password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?

Would like to hear your thoughts about this.

  • RovingFox@infosec.pub
    link
    fedilink
    arrow-up
    0
    ·
    1 year ago

    More secure. If my phone is stolen, they have full acces to my mailbox but they will look long and hard at my passworded 2FA app.

    • macniel@feddit.deOP
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      I know it can happen, but it sounds very unlikely. That someone who stole your phone has any interest in your github or other accounts. Worth is mostly the device, no?

      • RovingFox@infosec.pub
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        1 year ago

        If I were to steal someones phone in public I will assume they have at least a bank app and multiple apps with their card saved for easy buying. By the time they get access to another device or their banks I get enough time to do a lot of damage. I can also save some credentials for later access after the waters settle. I doubt my victim will go through each of their accounts and change passwords. Most users use a Gmail account which has multiple ways to get access back, and most users don’t know how to check them and disable what they use and not use. I can easy setup a sort of backdoor in their email and gather more important information.

        You never know what important information you might store in your Github account. You have a donation link in your description? Would be a pity if I would change that link to my personal bank account and just divert some fund back in your bank account to not raise suspicion.

  • suprjami@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Use an open source 2FA which lets you export

    You can store your recovery codes as files in KeepassXC

  • ono@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    It is annoying, especially for those of us who are diligent about our existing factors and unlikely to be compromised, but the sad reality is that most people aren’t that diligent and supply chain attacks are a serious problem that needs addressing.

    For your own projects, it might be worth considering a move away from GitHub. (I’ve been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.

    For participating on existing projects, I suppose the silver lining is that they chose standard TOTP, instead of some awful proprietary system. I can use whatever open-source code generator I like.

    • macniel@feddit.deOP
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      I’ve already moved most of my projects off github to my own vhost, only some current active websites I have hosted there.

  • EddyBot@feddit.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    It’s 2023, we are almost already at Passkeys and you skipped TOTP (basically that “Google Authenticator” does) as 2FA?
    anyway there are a lot of open source TOTP apps available to choose from like Aegis or if you want to sync it something like Bitwarden (Premium or Vaultwarden)
    desktop apps also exist but that would defeat the point probably

    stay away from proprietary apps and do backups of these TOTP secrets or you’ll absolute will lock you out if you loose your phone somehow

    • macniel@feddit.deOP
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      I have some TOTPs for other accounts but used googles authenticator app for that as it wasn’t important to me.

      Thank you very much for the Aegis recommendation, the transfer was easy and quick as well.

      And yeah using a desktop app would remove the “What I have” factor :)