1 comment

[ 2.8 ms ] story [ 12.4 ms ] thread
Personally, I like 2FA and I use it in some of my SAAS apps. It is relatively simple and just works.

However, I don't see how this applies to open source without some major operational changes.

An anonymous person issued a 2FA secret is still just as anonymous --- still free to use his secret in a supply chain attack. The structural problem is the anonymity that is ingrained in the open source ethos.