Ask HN: GitHub Requires 2FA – What For?

6 points by megamix ↗ HN
Alright this is not specific to GitHub. But given their recent change I'm noticing I cannot use their site anymore.

Why is it a good thing to couple your smart device like this? I specifically fear the day I cannot access any website with 2FA because I cannot restore from backup my device that has the original 2FA.

12 comments

[ 0.24 ms ] story [ 95.1 ms ] thread
Most (but not all) services that use 2FA allow you to set up backup codes so you can recover your password. There are plenty of options for non-smartphone token generators available. It would depend on your needs and what is available to you.
You can use something like 1Password to just save the 2fa to the cloud, so you can sign in on any device. In that case it's tied to your master password and secret key instead of a particular device.

This does change the 2fa from "something you know and something you have" to "two things someone else knows", but in day to day use it's way more convenient than a phone authenticator.

If any device dies, you can login on a new device with your master password and secret key. Typically you would print out the secret key and keep it somewhere safe, or else save it somewhere else you can access.

------

With standard 2fa you can also print put recovery codes, but that's such a pain to set every service back up when you change phones. Having them in the cloud means it's account based and not device based. Way easier, probably less secure.

You ask what for and I say to facilitate government surveillance. It helps promote the government's spy device. "Look at these jangling keys."
Because we can't trust our Operating Systems to do their jobs (they're structurally incapable of doing so), we have to trust every bit of code we run instead. GitHub is where a lot of code that gets executed is exchanged, therefor we have to beef up the security on GitHub. Thus, GitHub requires 2FA
I suspect GitHub’s insurance company has mandated it or gave notice that they intend to.
Possibly, but the insurer cares about GitHub, not its customers. If your account or even a thousand GitHub accounts get popped, the only risk to GitHub is reputational.

I would guess this has more to do with the SEC's new reporting requirements. They seem to be treating credential stuffing attacks as breaches (which they aren't, at least not exactly) and putting the MFA burden on customers is an excellent way to prevent those.

I can't address the primary concern here but the app I switched to for 2FA named 2FAS is able to back up all your codes in case the device gets affected. Either to Google account or a file.

Google Authenticator did not have this option until recently I believe.

To collect your phone number.
Install Authy, have synced 2FA to all your devices, no more issues.
Two factors of 2FA means any two of what you know, what you have, or what you are. The idea is that one factor is not enough, because a password can be compromised and then you are fucked. Somebody has successfully compromised my GitHub password in the past 2FA prevented them from gaining access even with my password.
When you registered for 2FA it will have given you backup tokens to be written down. They're designed for this exact situation.

Given the number of software projects that use github as their canonical distribution platform and the number of supply chain attacks due to hacks, it's no pretty obvious why they've started enforcing 2FA.