14 votes

GitHub will require two-factor authentication (2FA) for all users who contribute code by the end of 2023

12 comments

  1. skybrian

    I recommend checking out GitHub's authentication settings, which are better than average. You can authenticate in a lot of ways.

    To avoid lockout I recommend setting up multiple ways to get in, including printing out paper codes and keeping them with your important papers, a phone authentication app, and a Yubikey if you're willing to buy one. If there's one method you don't like (for example, I don't trust text messaging for authentication), there are others.

    With that set up, I'm fairly comfortable using GitHub as a way to log into other websites when that's possible.

    You'd think that financial firms would have similar offerings, but I haven't seen one that's as good.

    7 votes
    1. Greg

      You'd think that financial firms would have similar offerings, but I haven't seen one that's as good.

      Ugh, I have no idea why but my broad experience with financial institutions is that they’ve tried to reinvent the wheel and come off with worse than basic industry standard security as a result. My mortgage lender asks for only certain characters from the password, meaning it’s stored in plaintext, for example, and has no second factor of any kind. None of the banks I use support TOTP or U2F/FIDO2. Many add inconvenient hoops to jump through that fall somewhere between “no better than TOTP” and “actively dangerous”. It’s incredibly frustrating when they have more than enough resources to do it right, and security is one of their primary reasons for existing.

      3 votes
      1. vord

        My mortgage lender asks for only certain characters from the password, meaning it’s stored in plaintext

        If it's any consolation, it could just be because they couldn't figure out how to escape characters or sanitize the input to do so. Better, but not by much I suppose.

        security is one of their primary reasons for existing.

        Nah. It's because it's easy money. If it wasn't, they'd probably be all about having the post office doing the banking.

        1 vote
        1. Greg

          If it's any consolation, it could just be because they couldn't figure out how to escape characters or sanitize the input to do so.

          Oh, no, unfortunately not - I meant "Input characters 2, 3, and 7 from your password".

          4 votes
  2. Ember

    Seems good, as long as it's not SMS 2FA. Any developer who isn't aware of 2FA will get introduced to it and hopefully learn why it's important; for the rest, this won't be an issue at all.

    4 votes
  3. Wes

    Uh oh. I don't own a cellphone so two-factor is a prohibitive requirement for me. I hope they allow email verification instead, similar to Valve's "Steam Guard" service.

    3 votes
    1. Crestwave

      GitHub supports 2FA via TOTP; presumably it should suffice for this requirement.

      6 votes
    2. DrStone

      Some password managers, like 1Password, can manage TOTP 2FA codes and are available on desktop.

      4 votes
      1. Wes

        That sounds useful, though I'm not entirely sure what it means. I use KeePass to manage passwords. Until now I thought two-factor was always a phone thing, but if I can do it on the desktop, that seems much better.

        I'll do some googling so you don't need to explain information that is probably already available online. Cheers.

        3 votes
  4. vord

    Can we get some perks from the forced 2FA being rolled out (not just on GitHub mind)?

    Like not tracking all my devices and making me register each one?

    I'd be more happy if all 2FA was something like TOTP, but that rarely is the case and more often results in further mandatory smartphone dependence.

    1 vote
    1. teaearlgraycold

      The worst is Sendgrid where you need to use Authy. You can use any TOTP app but only if you hack the desktop Authy Electron app and extract the secret key.

      5 votes