Ask HN: Git hosting sites that do not require 2FA?
Today I had a big ugly banner on top of Github: Use 2FA or your account will be disabled in January.
I don't want to use 2FA. It may be better security but I don't care, I don't want to use it for anything except my bank accounts.
I have my password manager and can login with 1 click to all my sites. 2FA is always a pain in the ass and always extra effort on something my password manager already protects me from.
What's a good alternative that does not require 2FA to sign in and use it?
58 comments
[ 7.3 ms ] story [ 121 ms ] threadIf you use a token generator (Google Authenticator, Authy, or the one built into products like 1Password), a shared secret key is used to generate the MFA token. You store this secret in that software, and it uses the current time + that secret key to generate the MFA token.
This is a far better mechanism than the SMS or phone call based approach. And in this mechanism you can store the secret in any software that's able to generate the token using that algorithm.
Most commonly it's this algorithm: https://datatracker.ietf.org/doc/html/rfc6238
I use my password manager for 2FA for low value accounts. High value ones I use a separate mobile app. I only use SMS when the service forces me to because they don't support anything else.
The risk here is of course that if your password manager is compromised, your second factor has no security value. For some cases people might be okay with that. In many cases I'm more concerned about a password being leaked rather than my password manager being compromised. For anything with significant value to me, I use a separate 2FA app though. In this case if my password manager was compromised, 2FA gives me some added security.
I use passkeys in 1Password for GitHub access
Limitless private git repositories.
Also, git has a built in web server.
https://git-scm.com/docs/gitweb
As far as other origins, I have been a fan of gitlab and wanna try out sourcehut.
Go with the time and accept that 2FA everywhere is good and the norm. As someone else mentioned: Browser-integrated password managers can autofill 2FA for you, meaning there's no extra hassle needing to lookup, copy, paste & confirm an extra step.
Meaning that it defeats the entire point of 2FA. 2FA used in this way is only security theater.
https://news.ycombinator.com/item?id=10845985
https://news.ycombinator.com/item?id=11136948
If someone compromised your password store, then yeah it's all over. But if the compromise happens elsewhere, it can be a useful layer to the security onion.
But 2FA still helps if a single password was leaked/bruteforced/phished, and afaict most password managers in autofill mode recognize the browser url, so it’s quite phising safe (2nd factor won’t be autofilled on wrong website)
Security is not binary, and 2fa via password manager is still much better than no 2fa; it’s not pointless.
Why? It depends on your scenario. If it is “attacker gets hold of my wallet” then yes, you’re screwed.
But 2FA still helps if a single password was leaked/bruteforced/phished, and afaict most password managers in autofill mode recognize the browser url, so it’s quite phishing safe (2nd factor won’t be autofilled on wrong website)
Security is not binary, and 2fa via password manager is still much better than no 2fa; it’s not pointless.
https://f-droid.org/en/packages/io.ente.auth/
like google authenticator, their break all RFCs and recommendations, and store the seed and keys in their servers (or yours, it's open source both ways, but we know it won't happen).
Differently from googleAuthenticator, i can trust them a little as they went thru 3rd party certification of the backup end to end encryption :thumbs-up
Back on topic though: I run a local Forgejo/Gitea instance which doesn't have 2FA (or the maturity of the bigger forges if we are being honest). Could be worth a look if you are up to self hosting it.
So I think there are a few potential issues with this argument based on assumptions you're making. I'd argue this isn't entirely true because:
1. Many password managers allow you to manually copy the password into your clipboard, which mean you could paste it somewhere that's unsafe / untrusted. Someone could then use this password to authenticate as you. Many sites disallow token reuse, so once used if you accidentally pasted that somewhere as well an attacker couldn't reuse the token.
2. Similarly, if someone has managed to exfiltrate login details you provide without being able to also obtain the session cookie sent back, and the site enforces one time use of MFA tokens, then the MFA token can also avoid a replay attack of your login details.
I'll admit the second one may be a bit contrived, because if they can exfiltrate login details it seems likely they could also just obtain the session cookie. But if said cookie is tied to a certain IP address, then that cookie is useless to them and they wouldn't be able to replay the credentials.
Losing your authenticator and recovery codes means the account is lost permanently. This feels like a bigger threat to my account security than not having 2FA. Not saying it _is_ a bigger threat, but it feels like a bigger threat.
You know a much easier and way more probable way to lose an account? If the password gets leaked/intercepted and there's no other security check.
https://shkspr.mobi/blog/2022/06/ive-locked-myself-out-of-my...
If you get a yubikey, it's very convenient to use. Your password manager can't protect you from phishing attacks. As someone who has seen probably 10's of thousands of phishing attacks, I am not confident I can identify one if it is sufficiently well crafted. In your mindset, you are fully sold that you are logging into the right place when you fall for one.
https://github.com/nathants/git-remote-aws
GitHub is doing something the world needs: putting better security on a huge chunk of the open source software that is shared and relied upon by literally all of humanity.
Any repo, anywhere, has the chance to become a part of the open source ecosystem. Strongly authenticated developer accounts on those repos is critical for everyone's security. It sucks that we are here, but here we are. Password managers are almost enough to save us, but not quite.
I think it is fair to complain about particular factors of 2FA (e.g. TOTP or Yubikey or iPhone Passkey or SMS or whatever). And it's fair to complain that the session timeout on a strongly authenticated persistent session cookie should be user-managed (30 days? no problem! 90 days? I trust my device enough for an API key, why not a cookie?).
And all your command-line stuff is already API key-based on GitHub...
But good 2FA offers real security against a lot of threats. I hope more people embrace it.
https://media.tenor.com/vJLaS5etgRwAAAAd/shit-wow.gif
It would be like if Reddit started requiring 2FA to 'protect my account'.
If I was using GH in a professional capacity, this would be different. But I guess I resent that I don't get to make the choice. Security Daddy at GitHub thinks I'm too stupid.
Why? It depends on your scenario. If it is “attacker gets hold of my wallet” then yes, you’re screwed.
But 2FA still helps if a single password was leaked/bruteforced/phished, and afaict most password managers in autofill mode recognize the browser url, so it’s quite phising safe (2nd factor won’t be autofilled on wrong website)
Security is not binary, and 2fa via password manager is still much better than no 2fa; it’s not pointless.
- Your decision makes me sad, ketchup is great
- Get with the times, everyone has ketchup, you should too, it's good for you
- It's a weird thing to be hung up on, just eat the ketchup
- You could scrape it off with a knife
etc etc ...
It’s more like: people have been getting food poisoning from the shared soda machines, and now McDonalds require you to wear gloves before using the machine. Then OP and you are like:
- I don’t care about getting or giving others food poisoning.
- Putting on gloves is too annoying.
- I’d rather get food poisoning than put on a glove.
- I’m clean, trust me bro.
People have already recommended selfhosted alternatives like gitea.
Then OP and you are like:
No, the OP asked a question and I gave an actual answer to that question: https://news.ycombinator.com/item?id=38452286
I use GH only a few times a year, mostly to report bugs but sometimes to comment on issues where I've been asked to chime in for a FOSS project.
For me (someone without a smart phone or dedicated security hardware), the increased activation barrier for using GH doesn't seem worth my effort to figure things out.
If the soda machine is leaking, I'll just email one of the developers instead.
FWIW, I use and pay for Sourcehut hosting. I don't like the near-monopoly dominance of Microsoft, and the ever-increasing dependence of FOSS development on a proprietary back-end.
Added: for clarity, while they do not require SMS/email/fingerprint/yubikey they do have an "app code" thingy which means that whenever you push, pull, etc you will have to enter one extra password.
That PW can be stored in your PW manager like any other PW
Instead of looking to disable 2FA, look to speed-up providing 2FA codes.
Most passwords managers support auto-filling 2FA codes. Yes, some are still super-old school and only support SMS and email. But Safari on macOS (for example) can pre-fill the texted/emailed codes (as long as Mail.app is open, and/or your phone is paired with your computer).
Even better/faster? Passkeys. GitHub supports them, and they’re the fastest (and most secure?) login solution.
There are all sorts of solutions for this problem outside of making security worse.