2FA Is No Good
GitHub requires it (although it is unclear if it is required for API access; I almost entirely use the API access anyways), but that doesn't help. Also, the method of setting it up does not even work (it just gets stuck in a loop) (and other people are complaining about this too, so it is not only me).
Some people say it may make it less secure, which is possible (since you will need to add other things to handle it, including recovery codes).
Some people say it allows Microsoft to spy on you, but TOTP doesn't allow anyone to spy on anyone. Some say it requires a mobile phone, but TOTP does not require that either.
What would actually help security on GitHub (or other git hosting services) are two things: X.509 client certificates and signed releases (both should probably be used together). Neither requires JavaScripts, and neither makes it possible to steal your credentials. This also has other advantages, e.g. single-sign-on.
4 comments
[ 3.2 ms ] story [ 21.1 ms ] threadAnother option is to disable internet access all together for accounts associated with brick-and-mortar businesses. I have done this with a few institutions as well that did not have options for a static IP requirement. These businesses know my face. I also joke with them that if someone pretends to be me they should call the Sheriff for a good show they will do it and it will be on camera.
I am biased against cell phones so I can't really add anything there. Having built out a cellular network in two states and testing hundreds of prototypes prior to smart phones and seeing how tightly integrated these companies are with governments and how proprietary the firmware and hardware is I just can not trust them. Perhaps my opinion will change in a few hundred years or so. If people trust their phones then an open source VPN that routes their traffic through their home static IP address would be an option.
I do not have a cell phone either and I do not want one.
Hard disagree. That's one person out of the billions that is your potential adversary and highly unlikely at that. It is highly improbably that person with either know they have your old IP or that they would be a risk. Even limiting login to a ASN# or large CIDR block is monumentally better than allowing the entire internet to brute force ones account.
As an example I have a few services that I do not really care about but I still limit logins to the CIDR of my ISP. That means most of my country and all of the other countries can bang away or pound sand all day and night for millions of years and they will get nowhere.
(I think X.509 client certificates would work better. The private key can optionally be passworded, which makes something like a kind of better 2FA than the existing one. But, like I also mentioned, authenticating with the server is not the only issue; there is also the issue of authenticating with other users, and signed commits and signed releases will be helpful for that.)