GitHub will disable non-2FA accounts?
I just got a big splash in my profile page:
GitHub users are now required to enable two-factor authentication as an additional security measure. Your activity on GitHub includes you in this requirement. You will need to enable two-factor authentication on your account before September 28, 2023, or be restricted from account actions.
56 comments
[ 0.33 ms ] story [ 137 ms ] threadYou know, as part of their embrace, engulf, and extinguish strategy.
Pretty sure I remember someone on here a few months ago trying to get GitHub 2FA set up, but as they have no (smart) phone there didn't seem to be any way of making it happen.
Seriously though, if using a TOTP generator or physical security key is a "burden" for someone, I really doubt they're the target audience for GitHub.
The benefits of 2FA are well known, and even if you have to enter the code manually (ie no browser integration) it's still arguably several orders of magnitude simpler in concept than most git operations.
Also phones don’t seem to think it’s important to backup 2FA secrets so when you move devices you’re out of luck.
Why doesn't your organisation have at least two people with the Owner role?
> Also phones don’t seem to think it’s important to backup 2FA secrets
I've been using a TOTP app with backup functionality since at least 2014, so its not exactly a new concept. If you choose not to avail yourself of one, that's on you.
It's simple, just never make any mistakes.
> I've been using a TOTP app with backup functionality since at least 2014, so its not exactly a new concept. If you choose not to avail yourself of one, that's on you.
You're right! how dare they not know everything that you know.... it's insane that someone might not do everything exactly the way you think it should be done!
I get that's not what you're trying to say, but all you're doing is blaming humans for ignorance, or making mistakes. I'd assert, that given you clearly understand both security, and best practices, you'd be better equipped to help offer solutions instead of accusations, or blame.
I really do have to wonder about the people who realised it's a problem to have no easy to use backup, but then apparently spent exactly zero minutes to try and find a solution.
So? It's not like shitty Samsung refrigerators is the only one model available.
I really do have to wonder about people who choose refrigerators using R407c refrigerant where temperature glide causes compressor valves to wear out prematurely. People apparently spent exactly zero minutes to try and find a solution.
You clearly didn't understand the point I'm making so let me be more explicit: I don't expect people to know everything. As you allude to, it's impossible to know everything.
What I do expect, is for people to learn and try to resolve problems they face, rather than just sticking their head in the sand and pretending there's nothing they can do.
A more accurate analogy using your fridge example would be:
Johnny buys a POS Samsung fridge.
Unknown to Johnny, Samsung fridges use R407c refrigerant which causes the compressor valves to wear out prematurely. The compressor on his fridge needs to be replaced after just 3 years of use.
Rather than asking others for advice on the issue, Johnny now tells anyone that will listen, that all fridges will all need their compressor replaced after 3 years.
That's what's happening in this thread: zero requests for information or help about the issue; multiple posts claiming things that are factually incorrect, with absolute confidence.
What "organization" only has one person with access to the repositories?
These hypotheticals become goofier with each iteration
Many small organisations may only have one person with an Owner account for the very reason that they don’t _need_ to have multiple people with access to that account as you share out access to repositories to team members that have less privileged accounts.
It is much “goofier” to assume that every organisation using Github has two people that have been granted an “Owner” level account.
Once you pass from single user to "organization", multiple "ownership" is du jour
Maybe there are some out there - but they're stupid, if they are
Say I run a FOSS project and leave my 2fa at home when I leave for some vacation? And in that same time I get a report about a security bug. If I cant login to fix or even remove a binary. My users will be at risk! you'd better hope it's a short vacation.
Also, as an existing user of 2fa on GH, GH's implemention can get fucked! It auto submits 2fa otps for you. I've been locked out of my account for HOURS, multiple times because I'll fat finger one extra key, or the wrong number without realizing it, only to have GH "helpfully" submit the wrong number, i wouldn't have, as the last chance before a lockout timer.
> what's the problem here
It's not anyone else responsibility to make security decisions for me. And if I wont play along with GH 2fa security rules, GH doesn't gain any security benefit themselves. Which means this new requirement can *only* make things worse. That's the problem. Also, I assume you didn't mean this comment to sound so dismissive, but that's definitely how it reads. Feels very much like your omitted preamble is "just do what GH tells you and don't complain".
Well at least you used the right word, even if you didn't intend that meaning.
If your OSS project has meaningful users, and a bus factor of one, it's already under those same risks every day you wake up, but it has the added risk of a malicious actor taking control of your account.
> I assume you didn't mean this comment to sound so dismissive, but that's definitely how it reads. Feels very much like your omitted preamble is "just do what GH tells you and don't complain".
I mean, I am pretty dismissive of anyone making such a fuss about 2FA. It's not hard to use, and the benefits far outweigh any slight inconvenience.
As I said previously, the target audience for GitHub needs to use Git on a regular basis, which is at least several orders of magnitude more complex than entering an OTP occasionally when you login via the web.
I used contrived, because I meant contrived. They're invented.... until they happen.
While I'm pretty sure this will conflict with your world view. You don't understand the world in which I live better than me, and you don't understand my threat model better than I do. You'd convince a lot more people that you're right, if you even pretended like you believe that instead of acting like you're hot shit.
> If your OSS project has meaningful users, and a bus factor of one, it's already under those same risks every day you wake up, but it has the added risk of a malicious actor taking control of your account.
Passwords used correctly aren't less secure than passwords + 2fa. But they do increase the chance of lockout. And given human nature, if used incorrectly they might decrease it.
> I mean, I am pretty dismissive of anyone making such a fuss about 2FA. It's not hard to use, and the benefits far outweigh any slight inconvenience.
Well at least you're being honest about not caring about others. That's not nothing. But my advice to you, if you care about security, more than you care about being right, is to be less dismissive of people who think differently from you, maybe then you'll have a chance at convincing them of anything. Instead of what you're actually doing, which is trying to look cool on the Internet.
> and the benefits far outweigh any slight inconvenience ... the target audience for GitHub needs to use Git on a regular basis, which is at least several orders of magnitude more complex than entering an OTP occasionally when you login via the web.
to you... the benefit, inconvenient trade off is worth it to you... there are more scenarios than you can imagine. And I'd also argue you'd become better if you tried to fairly consider some of them, instead of being a douche. But you do make a point, it is more common that people who use gh more, are the most common users. It's not a good point, and it's what's known as a dick move, to everyone else that uses github slightly differently, but to hell with people different from you, right?
sigh
Well at least we're agreed your entire argument is based on made up theoretical scenarios, rather than the real world, where people's accounts are breached because of poor password security, literally on a daily basis.
> Passwords used correctly aren't less secure than passwords + 2fa.
What was that about acting like you're hot shit? There is essentially zero way for you to know that passwords are being "used correctly", because "used correctly" includes how they are stored and transmitted. You have no view into how the remote side stores or transmits passwords though. For all we know (yes this is a hyperbolic theoretical scenario), GitHub stores all passwords in plain text. Or md5'd, or some other equally laughable scenario. Or perhaps they log passwords during authentication. Or perhaps there's an unencrypted path between a load balancer and a backend application server, which is open to packet sniffing by peers in a datacenter, or any number of other issues that have shown to be real-world points of weakness to a password.
A big chunk of the benefit of TOTP based 2FA is that it greatly reduces the risk of replay style attacks. If you get the OTP I send (through logs or packet sniffing or whatever) it holds no long-term risk.
> Well at least you're being honest about not caring about others.
Straw man much? I didn't say I don't care about others. I'm very comfortable with the level of help/advice/expertise I offer to people who ask for it.
Nowhere in any comment I've seen on this post, has anyone asked for help or advice. A number of people have made ridiculously misleading, uninformed or just outright false statements, with absolute confidence. Hence why I said (in another comment, but still a reply to you):
> I'm blaming humans for wilful ignorance and insisting that there is no solution to problems they haven't tried to solve.
> there are more scenarios than you can imagine.
I'm sure there is probably some scenario where having 2FA enabled is a strictly worse scenario than password security alone.
But you'll want to have a pretty damn strong argument prepared, based on a real-world scenario before you should expect others to listen to what you have to say and take it seriously.
Right now you sound like a kid making up excuses about why they can't eat their vegetables.
(FWIW 2fa can be enabled on any phone now, both with totp and passkeys.)
You must neither be a "security geek" nor "someone who's written on how passwords should be considered harmful"
As an actual security geek, and one who has written on how to choose good passwords, I can assure you your worries are completely unfounded, and campaigning against 2fa is stupid at best
...but not wanting to use something that demonstrably makes you more secure (and is practically cost-free) does not make you look good
It will almost certainly be some shitty "We'll SMS your phone" thing in order to get your phone number.
And this will enable attacks from my phone that weren't there before.
Which actually makes me less secure.
It also means that Apple or Google can screw me on Github because they can lock me out of my phone.
It also provides a bunch of attack vectors like DDoSing my authenticator in order to get me to accidentally approve something.
And if my phone battery is dead, I can't log in.
And if my phone is stolen, I'm screwed.
None of these things improve MY security experience.
My git usage is pretty basic but I've always been a bit uncomfortable about the idea of pushing my code to the "cloud" so would love to learn more.
If you have a server with ssh access, you can set up a 'bare' git repo (obviously you should back it up to somewhere else. i.e. s3 as a tar ball) and that should work for you.
The TOTP QR codes decode to one of these URIs
How do you get that 'otpauth://totp/GitHub:username?secret=BLAHBLUBBLAH&issuer=GitHub' path? Is it something you have to grab from the browser console?
Had the idea to store my 2FA inside keepass. To my delight, this feature already exists and is supported in KeepassXC and Keepass2Android.