Ask HN: GitHub Requires 2FA – What For?
Alright this is not specific to GitHub. But given their recent change I'm noticing I cannot use their site anymore.
Why is it a good thing to couple your smart device like this? I specifically fear the day I cannot access any website with 2FA because I cannot restore from backup my device that has the original 2FA.
12 comments
[ 0.24 ms ] story [ 95.1 ms ] threadThis does change the 2fa from "something you know and something you have" to "two things someone else knows", but in day to day use it's way more convenient than a phone authenticator.
If any device dies, you can login on a new device with your master password and secret key. Typically you would print out the secret key and keep it somewhere safe, or else save it somewhere else you can access.
------
With standard 2fa you can also print put recovery codes, but that's such a pain to set every service back up when you change phones. Having them in the cloud means it's account based and not device based. Way easier, probably less secure.
I would guess this has more to do with the SEC's new reporting requirements. They seem to be treating credential stuffing attacks as breaches (which they aren't, at least not exactly) and putting the MFA burden on customers is an excellent way to prevent those.
Google Authenticator did not have this option until recently I believe.
Given the number of software projects that use github as their canonical distribution platform and the number of supply chain attacks due to hacks, it's no pretty obvious why they've started enforcing 2FA.