Mandatory 2FA #63738
-
Github now requires a phone and a subscription to use? What if I have neither? This is ridiculous. I have an e-mail, use that. I'm not maintaining a phone plan so that I can keep doing free work for projects.

Update: No subscription needed, only a smartphone with wifi access. To me personally, that's no longer outrageous. But. Not everyone has or can afford a smartphone. Github is supposed to be the open source leader - this goes against the mission. 2FA is significantly more secure and the "inconvenience" is a small price to pay when said security is needed. However, Github has yet to justify why this move is necessary, considering the downsides. I'm no security expert so it's best Github speak here. However, I'll lay out a few prominent Pros & Cons to my mind:

Pros: (1) password strength is ignored by keylogging; (2) irreparable damage can be done very quickly, before countermeasures are taken.

Cons: (1) requiring smartphone ownership; (2) most users don't have something where irreparable damage is done to anyone but themselves (proprietary data etc.), so it remains a personal choice - Github could instead narrow their mandate.
Replies: 51 comments 59 replies
-
Moreover, SMS is not actually more secure than email, so the security claims are bullshit.
-
2FA is mandatory, but the Github website is broken and gives an ERROR when using 2FA via Github mobile. 👏 👏 -.- This 2FA nonsense needs to end... it prevents account theft in maybe 0.1% of situations, but gives issues in 50% of situations (which can even end with a lost account).
-
Nobody can dictate to me what I have to use. If they force me to use 2FA, I'll move to BitBucket or GitLab.
-
If this authentication complexity increases the risk of failing to sign in to my account, that doesn't mean it's safe.
-
I agree that this is not a good move. I use MFA all the time and honestly hate it. It takes extra time, it interrupts my flow, it requires me to have access to my phone all the time, and it is especially aggravating when I'm working on a project that is SUPPOSED TO BE OPEN TO THE PUBLIC. I honestly don't care if some AI system or hacker or whatever "compromises" any of my public GitHub repos. In my view all of these companies moving to MFA is just so they can cover their own ass in the name of "enhanced security". There are many situations where MFA is only a cost and there is no benefit at all to end users. It's fine if they want to make this the default, but there should be a way to opt out.
-
I absolutely hate the new 2FA requirements.
-
I have to say that I don't want to maintain a mobile app and potentially lose access to my account because of losing the phone. Can anyone clarify how exactly this is better than sending 2FA codes over email?
-
The requirement for 2FA is absurd. It should be opt-in, not forced on the user. It is, however, possible for somebody to steal my phone. I also do not approve of/appreciate the attempts by companies to force their way into every device I own. This needs to stop. I already have to use a verification code with my email when I log in. That should be sufficient as the 2nd factor in 2FA. I am not purchasing a physical authenticator just for GitHub, I am not going to install software on my phone just for GitHub. Forcing this onto users is not beneficial in any way. It's only value-added if it is optional.
-
I don't like this mandatory 2FA (without email as an option) and mobile device dependency, I was ready to nuke my account and remove my open source projects... But I will tolerate it just because my "2FA without a phone" workaround was so simple:

- Install any Android Emulator for PC, install Google Authenticator app (or any other), complete Github 2FA.
-
None of these options are good.

I cannot install an emulator on my PC at work.

If my computer has to get rebuilt for any reason, I'd be locked out of the account because that instance of the android phone would be gone.

If I travel and don't have my primary PC, I'd be locked out of the account because that instance of the android phone would be gone.

If something happened in my house and my PC was destroyed for whatever reason, I'd be locked out of the account because that instance of the android phone would be gone.

I appreciate that you are trying to offer helpful suggestions but none of these fix the root problem that is "2FA will make my account MORE vulnerable to being permanently inaccessible".

There shouldn't be workarounds, there shouldn't be sneaky things we do to avoid the issue. The problem needs to stop at the source. GitHub needs to walk this back. Make it available to those that want it, but do not force it on those that do not want it.

…On Thu, Aug 24, 2023 at 12:57 PM DarknessFX ***@***.***> wrote:

I don't like this mandatory 2FA (without email as option) and mobile device dependency, I was ready to nuke my account and remove my open source projects... But I will *tolerate* just because my "2FA without a phone" workaround was so simple:

- Install any Android Emulator for PC, install Google Authenticator app (or any other), complete Github 2FA.
-
So there is YOUR open source 👎 What will happen with non-validated accounts?
-
I don't want to install an extra app on my phone just to log in to github, and my country isn't listed for SMS authentication.
-
A sad trend, but apparently we will have to say goodbye to github. I also do not have the slightest desire to install additional software on the phone. It was a great resource for developers and creatives until it became an anal-enclosed sandbox. Perhaps we do not know something, and this is how it was originally intended. But as they say, the road to hell is paved with good intentions.
-
It does not give me any security to hand over my phone to Microsoft, quite the opposite. And as others have said, WTH has my phone to do with open source development anyway? Nothing. I do not trust the intention behind this. Therefore, I will start the process to move away from Github, most likely to Gitlab.
-
Just adding my voice to the chorus: this absolutely stinks. This makes open-source development even harder for poor people, who don't happen to have a spare goddamn smartphone handy and reliable internet access. Personally, now I keep my 2FA backup codes in the same encrypted, cloud-synced password manager database file in which I already kept my GitHub password, because I'm not ever going to memorise more than 1 secure password unless there's a gun to my head, and even then it's 50:50. My phone is one of those computers that my password file syncs to, for obvious reasons. And my phone's 2FA needs to store its backup codes somewhere, so they're stored on my computer. In the same file. So what was the fucking point here? If they have my password database, I'm already in the absolute worst-case scenario. My GitHub password is written down in that password database and nowhere else. What situation could there possibly be wherein it's more secure for two computers (a desktop and a phone) to send some hash of the same duplicated set of secret data? 2FA using a phone is either a serious danger of locking you out of your data forever, or it's no more secure whatsoever. There's no win here. 2FA lockouts are only anything short of a total catastrophe when there's other people who can still access the data and personally verify you're not a threat. This is an idea for protecting organisations that's been stupidly forced upon millions of individuals.
-
Update: gnome-authenticator worked, while otpclient did not. This stuff needs to be better documented. Hopefully its backup file will let me install this to the laptop so it too can be used. At least in my case, a stolen machine cannot be used to log in as they are encrypted.
-
It's their website. If they want to destroy it by driving all the intelligent developers away, so be it. Keep all the "follow the crowd" developers and watch the value of GitHub plummet. Sad to see such a great platform destroyed by incompetent and ignorant leadership.
-
Try using gnome-authenticator instead of SMS. It produces a verification code from a seed value given to it when you add the account in question.

Had this been SMS-only I would have had to close my account for several reasons: no stable phone number, phone number and phone ownership have to be deniable in my case, and my browsers are set up to block all of Google including Recaptcha.
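The comment above describes what an authenticator app such as gnome-authenticator actually does: it derives a short code from a seed shared once at enrollment and the current time, so no phone number or network is involved after setup. The following is an added example, not code from this thread or from any authenticator project: a minimal RFC 6238 TOTP generator (the app side) and a verifier (the service side) in Python. The seed is the published RFC 4226/6238 reference secret in base32, as an app would receive it from a QR code; the function names and the one-step skew window are my assumptions.

```python
"""Minimal TOTP (RFC 6238) client and verifier, added as an illustration.

The seed below is the RFC 4226/6238 reference secret "12345678901234567890",
base32-encoded as an authenticator app would receive it in an otpauth QR
code. It is a published test vector, not anyone's real credential.
"""
import base64
import hashlib
import hmac
import struct
import time

SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC test secret, base32


def decode_seed(seed_b32: str) -> bytes:
    """Decode the base32 seed; apps accept it with or without spaces, any case."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if the issuer stripped it
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """What the app displays: HOTP over the current 30-second time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(decode_seed(seed_b32), int(at_time // step), digits)


def verify_totp(seed_b32: str, candidate: str, at_time=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Service side: accept the code for the current step or +/- `window`
    steps to tolerate clock skew, compare in constant time, reject the rest."""
    if at_time is None:
        at_time = time.time()
    candidate = candidate.strip().replace(" ", "")
    if len(candidate) != digits or not candidate.isdigit():
        return False
    secret = decode_seed(seed_b32)
    counter = int(at_time // step)
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            matched = True  # keep looping so timing does not reveal which step matched
    return matched


if __name__ == "__main__":
    print("code at t=59:", totp(SEED_B32, 59))           # 287082 per RFC 6238
    print("accepted:", verify_totp(SEED_B32, "287082", 59))
    print("rejected:", verify_totp(SEED_B32, "000000", 59))
```

The seed never leaves the two parties after enrollment, which is why a backup of the authenticator's database (as the gnome-authenticator comment mentions) is equivalent to a backup of the second factor itself and deserves the same protection as a password file. A production verifier would additionally remember the last accepted time step per account so the same code cannot be replayed within the window.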
-
I am in a similar position. I have no smartphone (nor do I have a need to use one). Mandatory 2FA dictated by our github Overlords - aka Microsoft - means I am
That's true. Even more surprising is that Gitlab is even more annoying to use than
-
Best to migrate and leave this shitshow of a microsoft website behind

…On Thu, Mar 14, 2024 at 10:02 AM DVT7125 ***@***.***> wrote:

Not everyone has or can afford a smartphone.

As for me, I am a *student*, *I don't have a phone* and I just got the "in 45 days you need to have 2fa". I already hate the email verify at school, having to boot up a replit chrome browser just to log into my email to get some stupid code, and NOW I need a phone? And reading this:

image.png (view on web) <https://github.com/community/community/assets/99568947/8cc80018-13e6-4f64-a6cb-192824e029cf>

I will LOSE access to stuff?? Why??? My password is secure, I am not a moron on security for crying out loud.

Concerning "boycotts" and such: at some point it's time to put down pitchforks and admit it's not *that* bad. It's fair to still complain, but doomcalling everything isn't productive.

"Second passwords" were argued as desired alternatives, and it's exactly what we have now.

And to this, I agree, and I know what I just wrote is against it, but I can't install an auth app on a school laptop.

And yes, I can do it on my home computer, but now what, I can't upload my code from school to home??

And because I can't just opt out, now what?

I need *your help*. How can I either

A: Do the 2fa, and not need a phone, or a Linux environment on my school laptop as it's blocked.

B: Or switch to another platform. I don't want to do this, I like the features of GitHub, and I don't want it to migrate my stuff, but if I do, I'll do it.
--
Phillip J Rhoades
HowToPhil.com
KE8GGD
-
The time has come to realize that Github (owned by Microsoft) is failing as a hub for open source, because open source providers are required to offer personal information to Microsoft or lose control over their own work.
-
repons #112526
-
Since I am on a desktop, I can use the GNOME "authenticator" app without divulging a phone number. If I did not have my own Linux boxes I would have to leave Github, but this would not matter as much because I would also be unable to work on MATE.
-
I am not really able to help with this as I was barely able to deal with it myself. Had the GNOME authenticator app failed due to any bug, since the first application I tried did not work, I would probably have thrown in the towel. Quite likely I would have had to walk away from the MATE project over this, as I do refuse to have any accounts on any sites with SMS "verification" or SMS as 2FA. That is because ownership of my phone must be deniable.
-
Now github is trying to force me to use the invasive 2FA instead of just using a number you can easily get from Google Voice.
-
Answering via email: It's long past time to leave github

…On Thu, Jun 27, 2024 at 9:29 PM Featherwhisker ***@***.***> wrote:

Now github is trying to force me to use the invasive 2FA instead of just using a number you can easily get from Google Voice
--
Phillip J Rhoades
HowToPhil.com
KE8GGD
-
A new concern with this came up with a "nudge" from Github to set up a second, backup 2FA approach. If Github says I have to set up a second 2FA method or be locked out, I will walk away from github's website on that day on the grounds of having no other choice. I would still be able to push to repos and anyone can pull from these public repos, but I would only be able to communicate with the team by email replies. That might actually work for a while, but I have to assume eventually something would break. I was barely able to get one method of 2FA to work, now that the lower-hanging fruit has been picked. I was barely able to get ONE method (GNOME authenticator) to work; I do not have hardware token devices and I do not allow any website to know my phone number as I intend to keep ownership of that phone deniable. I have my recovery codes backed up to multiple places, so the danger of being accidentally locked out is low. The account is simply not valuable enough to justify allowing proof of ownership of my phone, or having to shop online (which I do not do and which cannot be done with my privacy browsers) for specialized hardware not commonly found in stores. Not going to happen, and sure as hell not Google Voice after all the work I've done to lock out Google. Having to walk away from github entirely would make my wayland work on MATE much harder unless one of the other team members wanted to pull from a fork on Gitlab, or if gitlab goes that way too, patches from archive.org. I cannot migrate the project, only fork repos from it. With no landline I cannot host a repo locally either. The best option if I get advance warning of such a thing might be to ensure I have a fork of every repo under my own username and keep them current from the command line. I would be able to push branches but not create PRs, so it might be less disruptive to keep this on my own repos unless otherwise instructed.

At least someone getting locked out of their account doesn't pose a security risk to 3rd parties at all, so there should be no excuse for locking anyone out for lack of a second, backup 2FA method.
-
Why does 2FA have to be mandatory? I use GitHub to host all of my open source stuff and I don't have a phone. I don't ever want one, either. This is stupid.
There is no 2FA, practically. The phone is used once - then you get recovery codes, basically a "second password". They're one-time use, but you can always generate new ones.

This entire situation is just Github being bad at communicating.

And, that's cool, but they've still screwed over those who lack smartphones and can't afford them. I was one of them not that long ago. If using recovery codes each time is acceptable, then I think the requirement should be left at that, and be as annoyingly nagging as they want on the optional mobile 2FA.

Re: protests

Concerning "boycotts" and such: at some point it's time to put down pitchforks and admit it's not that bad. It's fair to still complain, but doomcal…
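The reply above characterises recovery codes as single-use "second passwords" that can be regenerated. What that means on the service side is shown in the following added example, which is not GitHub's implementation (the thread says nothing about how GitHub stores or formats its codes): codes are random, shown to the user exactly once, kept only as salted PBKDF2 hashes, consumed on first successful use, and a regenerated set invalidates every code from the previous set. The `xxxxx-xxxxx` format, the set size and the PBKDF2 parameters are constructed for the illustration.

```python
"""Single-use recovery codes, added as an illustration (not GitHub's code).

Assumed design: random codes are returned to the user once and never stored
in plaintext; each is kept as a salted PBKDF2 hash, removed the first time it
is redeemed, and wiped entirely when a new set is generated.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # slow hashing blunts offline guessing of short codes


class RecoveryCodeStore:
    def __init__(self, count: int = 8):
        self.count = count
        self._entries = []  # (salt, hash) pairs for codes not yet used

    @staticmethod
    def _normalize(code: str) -> str:
        return code.strip().lower().replace(" ", "")

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)

    def generate(self) -> list:
        """Issue a fresh set. Plaintext codes are returned once and not retained;
        any codes from an earlier set stop working here."""
        self._entries = []
        codes = []
        for _ in range(self.count):
            raw = secrets.token_hex(5)          # 40 random bits
            code = f"{raw[:5]}-{raw[5:]}"       # constructed "xxxxx-xxxxx" format
            salt = secrets.token_bytes(16)
            self._entries.append((salt, self._hash(code, salt)))
            codes.append(code)
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code once; presenting the same code again fails."""
        code = self._normalize(code)
        for i, (salt, digest) in enumerate(self._entries):
            if hmac.compare_digest(self._hash(code, salt), digest):
                del self._entries[i]   # single use: burn it on success
                return True
        return False

    def remaining(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    store = RecoveryCodeStore(count=4)
    issued = store.generate()
    print("issued once:", issued)
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
    print("left:", store.remaining())
```

Because the store holds only hashes, a leaked database does not directly yield usable codes, while the user's plaintext copy (a printout or a password manager entry, as earlier comments describe) is the only place the codes exist in clear. That is exactly why the thread's worry about keeping the codes next to the password is a real trade-off rather than a non-issue: the codes are equivalent to a password for account recovery, and must be protected as one.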