Personally, I like 2FA and I use it in some of my SAAS apps. It is relatively simple and just works.
However, I don't see how this applies to open source without some major operational changes.
An anonymous person issued a 2FA secret is still just as anonymous --- still free to use his secret in a supply chain attack. The structural problem is the anonymity that is ingrained in the open source ethos.
1 comment
[ 2.8 ms ] story [ 12.4 ms ] threadHowever, I don't see how this applies to open source without some major operational changes.
An anonymous person issued a 2FA secret is still just as anonymous --- still free to use his secret in a supply chain attack. The structural problem is the anonymity that is ingrained in the open source ethos.