Mandatory 2FA

[OverLordGoldDragon]

Github now requires a phone and a subscription to use? What if I have neither?

This is ridiculous.

I have an e-mail, use that. I'm not maintaining a phone plan so that I can keep doing free work for projects.

Update

No subscription needed, only smartphone with wifi access. To me personally, that's no longer outrageous.

But. Not everyone has or can afford a smartphone. Github is supposed to be the open source leader - this goes against the mission.

2FA is significantly more secure and the "inconvenience" is a small price to pay when said security is needed. However, Github is yet to justify why this move is necessary, considering the downsides.

I'm no security expert so it's best Github speak here. However, I'll lay a few prominent Pros & Cons to my mind: Pros: (1) password strength is ignored by keylogging; (2) irreparable damage can be done very quickly, before countermeasures are taken. Cons: (1) requiring smartphone ownership; (2) most users don't have something where irreparable damage is done to anyone but themselves (proprietary data etc), so it remains a personal choice - Github could instead narrow their mandate.

[talchas]

Moreover SMS is not actually more secure than email, so the security claims are bullshit.

[HelloMukama]

It's honestly the most annoying 2FA process I have ever attempted on the internet.
It keeps refusing pointing me to some error page of the Recaptcha having failed, even when I clearly take my time to fill the 10 steps correctly.
When I pass, I for some reason blocks my ability to immediately receive a SMS code telling me to wait an hour.
Attempted it twice in intervals of more than 1 hour and it sucks.

At the end of the process, I still failed to get it right.
What the heck is the reason for 10 steps to verify that I am human?
And when I verify, why point me to some dumb ass error that I encountered an error during verification.

I dont have all day at github.com just to keep trying to verify. WTF

[ZetsuBouKyo]

It could be a honeypot designed to identify anonymous users.

[Mlocik97]

2FA is Mandatory, but Github website is broken and gives ERROR when using 2FA via Github mobile. 👏 👏

-.- This 2FA nonsense need to end... it prevents stealing account in like 0.1% of situations, but give issues in 50% of situations (that can even end with lost account)

[ghost]

What else to expect from microsoft. Since they have GitHub purchased all goes to hell.

[Mlocik97]

Even after weeks, it still gives same error.

[Vulps22]

I went abroad for 6 months 5 years ago
lost my phone abroad
came home and immediately ordered a new device (on a new contract... with a new number... better value for money)
cookies expired on my pc for facebook, google mail and microsoft
Facebook had 2FA using my microsoft email
Google had 2FA using authenticator
Microsoft had 2FA using my mobile number

never regained access to any of them
was using onedrive for photo storage, lost every file and photo i had from my childhood because of 2FA

IMHO 2FA is not worth the extra security except in highly sensitive systems (like your bank)

this whole idea that it should be on every service we use is utter nonsense, I didn't need it on any of those services, and i wish i could disable it on github

[Mlocik97]

4th mail about "ACTION REQUIRED - SET 2FA" and yet, I FUCKING CAN'T BECAUSE YOUR SYSTEM IS BROKEN!!!! FUCK YOU MICROSOFT! FUCK YOU GITHUB!

[Mlocik97]

tried today again, as every day.... today 24th september they fixed first error.

Still it fails at passkey... all I can use is password + SMS... and we know SMS is really weak factor of auth... so what is increased security here? Nothing. They don't care about security, they only want to know your phone number and more data, and have access to mobile device via their app.

[ghost]

Nobody can dictate me what I have to use. They forcing me to use 2FA, I'll move to BitBucket or GitLab.

[ghost]

Thanks, I'll research it. Nice to have more options.

[twome]

Yeah this is the last straw for me I think

[charterchap]

I'd be fine with it if you had to use 2fa for select actions, like adding a key - but for my everyday log in, no thanks.

[technik]

Gitlab is the same shit. I just tried registering and not only will they force you into 2fa too, they also ask for your credit card even for the free version.

[hitzhangjie]

If this authentication complexity increases the risk to fail to sign in my account, that doesn't mean safe

[mo-nathan]

I agree that this is not a good move. I use MFA all the time and honestly hate it. It takes extra time, it interrupts my flow, it requires me to have access to my phone all the time, and it is especially aggravating when I'm working on a project that is SUPPOSED TO BE OPEN TO THE PUBLIC. I honestly don't care if some AI system or hacker or whatever "compromises" any of my public GitHub repos. In my view all of these companies moving for MFA is just so they can cover their own ass in the name of "enhanced security". There are many situations where MFA is only a cost and there is no benefit at all to end users. It's fine if they want to make this the default, but there should be a way to opt-out.

[evan-klein]

I absolutely hate the new 2FA requirements.

[Zeex]

I have to say that I don't want to maintain a mobile app and potentially lose access to my account because of losing the phone.

Can anyone clarify how exactly this is better than sending 2FA codes over email?

[howtophil]

2FA is "security theater"

It is not more secure than a strong password.

[ghost]

It is better for micro$oft: easier to steal personal data from your mobile device.

[Harem-Rose]

The requirement for 2FA is absurd. It should be opt-in, not forced on the user.
It doesn't increase the safety of my account in any way.
Instead, it increases the threat surface that my account can suffer.
Nobody is going to get into my account by guessing the password. Nobody is going to get into my account by using a password from another website. I do not use repeat passwords. I do not write them down. I do not use password managers.

It is, however, possible for somebody to steal my phone.
Moreover. Due to the nature of my work, I cannot even have a mobile device with me at work. It cannot be in the building, it cannot be near the building. It must remain in the vehicle, powered off. Additionally, I may find myself located in a part of the world where my phone does not function due to being a US phone. I would be unable to access my account as a result of this.

I also do not approve of/appreciate the attempts by companies to force their way into every device I own. This needs to stop.

I already have to use a verification code with my email when I log in. That should be sufficient as the 2nd factor in 2FA. I am not purchasing a physical authenticator just for GitHub, I am not going to install software on my phone just for GitHub. Forcing this onto users is not beneficial in any way. It's only value-added if it is optional.

[DarknessFX]

I don't like this mandatory 2FA (without email as option) and mobile device dependency, I was ready to nuke my account and remove my open source projects... But I will tolerate just because my "2FA without a phone" workaround was so simple:

• Install any Android Emulator for PC, install Google Authenticator app (or any other), complete Github 2FA.

[ghost]

install 2 possibly compromised pieces of software for security, no wonder everything gets hacked, I can manually trunk my source on my machine, for about the same space, and effort without adding 2 pieces of software with x amount of security holes each from the software or its depends

[Harem-Rose]

None of these options are good. I cannot install an emulator on my PC at work. If my computer has to get rebuilt for any reason, I'd be locked out of the account because that instance of the android phone would be gone. If I travel and don't have my primary PC, i'd be locked out of the account because that instance of the android phone would be gone. If something happened in my house and my PC was destroyed for whatever reason, I'd be locked out of the account because that instance of the android phone would be gone. I appreciate that you are trying to offer helpful suggestions but none of these fix the root problem that is "2FA will make my account MORE vulnerable to being permanently inaccessible" There shouldn't be workarounds, there shouldn't be sneaky things we do to avoid the issue. The problem needs to stop at the source. GitHub needs to walk this back. Make it available to those that want it, but do not force it on those that do not want it.

…

On Thu, Aug 24, 2023 at 12:57 PM DarknessFX ***@***.***> wrote: I don't like this mandatory 2FA (without email as option) and mobile device dependency, I was ready to nuke my account and remove my open source projects... But I will *tolerate* just because my "2FA without a phone" workaround was so simple: - Install any Android Emulator for PC, install Google Authenticator app (or any other), complete Github 2FA. — Reply to this email directly, view it on GitHub <#63738 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AWSXUNQTRSQX25DG63P2WX3XW6BWTANCNFSM6AAAAAA3QESJNU> . You are receiving this because you commented.Message ID: ***@***.***>

[NS-Clone]

so there is YOU opensource 👎
what next?
we must put there scan of passport?

what will happens with not validated acсounts?
flagging and 404?

[ghost]

That is the thing, they don't even specify what will happen if you reject 2FA.

They write: "You will need to enable two-factor authentication on your account before October 12, 2023, or be restricted from account actions."

The use threatening language is an insult to the github to community.

I have not been able to find out what "be restricted from account actions" means. Github support is silent when asking for clarification.

[PiKeyAr]

From the little information I could scavenge from various community posts, it seems like they won't let you log in to the site, but you will still be able to push via Git if you authorized it before the lockdown. The "security" stuff is just for show of course. The real intention has nothing to do with security.

[ghost]

@PiKeyAr I can confirm this, just got a response from github support, and the short version is that to login to your account on github.com after October 1, 2023, you must enable 2FA. So to delete your account, for example, you need to enable 2FA. Repositories will be left untouched, and pushing to repos will apparently still work.

[Sakitoshi]

i don't want to install an extra app on my phone just to login to github and my country isn't listed for sms authentication.
this 2fa implementation is a joke.

[LessNick]

A sad trend, but apparently we will have to say goodbye to github. I also do not have the slightest desire to install additional software on the phone. It was a great resource for developers and creatives until it became an anal-enclosed sandbox. Perhaps we do not know something, and this is how it was originally intended. But as they say, the road to hell is paved with good intentions.

[arnholm]

It does not give me any security to hand over my phone to Microsoft, quite the opposite. And as others have said, WTH has my phone to do with open source development anyway? None. I do not trust the intention behind this. Therefore, I will start the process to move away from Github, most likely to Gitlab.

[howtophil]

It's more useless crap used to tie phones to people.

[ghost]

They hope to link online personas to real individuals because they can't stop scary hackers any other way, good point

[howtophil]

They just want to invade privacy and sell data.

[ghost]

I have moved my repos to GitLab, worked very well to import them over, was easy!

[twome]

Just adding my voice to the chorus: this absolutely stinks. This makes open-source development even harder for poor people, who don't happen to have a spare goddamn smartphone handy and reliable internet access. Personally, now I keep my 2FA backup codes in the same encrypted, cloud-synced password manager database file in which I already kept my GitHub password, because I'm not ever going to memorise more than 1 secure password unless there's a gun to my head, and even then it's 50:50.

My phone is one of those computers that my password file syncs to, for obvious reasons. And my phone's 2FA needs to store its backup codes somewhere, so they're stored on my computer. In the same file. So what was the fucking point here? If they have my password database, I'm already in the absolute worst-case scenario. My GitHub password is written down in that password database and nowhere else. What situation could there possibly be wherein it's more secure for two computers (a desktop and a phone) to send some hash of the same duplicated set of secret data? 2FA using a phone is either a serious danger of locking you out of your data forever, or it's no more secure whatsoever. There's no win here.

2FA lockouts are only anything short of a total catastrophe when there's other people who can still access the data and personally verify you're not a threat. This is an idea for protecting organisations that's been stupidly forced upon millions of individuals.

[howtophil]

https://github.com/howtophil/No2FA is the last project I currently plan to make on GitHub unless they roll back this 2FA nonsense.

[twome]

How do we turn this into a formal protest?

Probably making a boycott organisation (wherein important maintainers could migrate their repos out of GitHub until demands are met), and also reaching out to GitHub employees or tech unions (I'm not sure if any are unionised) about potential strike action. In the current climate the latter is a stretch, but in a culture of regular striking and strong unions this kind of demand to protect customers/clients/broader society as well as workers used to be commonplace. GitHub employees have protested & resigned before regarding Palantir & ICE. Unfortunately according to this log of strike actions, and in keeping with the generally rightwing culture of IT/programming, the IT sector hasn't seen much industrial action in the last few years.

[arnholm]

@howtophil I forked your No2FA project and modified the link to where I am migrating. I suggest others do the same.

[howtophil]

Sounds like a good plan to me.

[lukefromdc]

I entirely favor the strike. Real worst case: my MATE wayland work is developed privately, on my own machine, and the resulting source code is offered as patches against git master or against a release plus as patched tarballs on archive.org. I do not have a stable phone number-and I am subject to a conflicting security requirement for deniable ownership of phones and computers.

I am hoping I can stay on the MATE team, but I have to put the security of the my devices ahead of this, and may have to walk away from my account as I did from all the US email providers a decade ago.

[lukefromdc]

Update: gnome-authenticator worked, while otpclient did not. This stuff needs to be better documented. Hopefully it's backup file will let me install this to the laptop so it too can be used. At least in my case, a stolen machine cannot be used to login as they are encrypted

[WingsLikeEagles]

It's their website. If they want to destroy it by driving all the intelligent developers away, so be it. Keep all the "follow the crowd" developers and watch the value of GitHub plummet. Sad to see such a great platform destroyed by incompetent and ignorant leadership.

[lukefromdc]

Try using gnome-authenticator instead of SMS. It produces a verification code from a seed value given to it when you add the account in question. Had this been SMS-only I would have had to close my account for several reasons: no stable phone number, phone number and phone ownership have to be deniable in my case, and my browsers are set up to block all of Google including Recaptcha.

[rubyFeedback]

Try using gnome-authenticator instead of SMS.

I am in a similar position. I have no smartphone (nor do I have a need to use one),
but I also don't see the point why I'd have to use gnome-authenticator. I am free
of gnome. Linux is all about choice. I don't use systemd either and I have a set of
ruby-scripts that powers (including compiling) all software from source whenever
that is possible (I use a modified LFS/BLFS variant).

Mandatory 2FA dictated by our github Overlords - aka Microsoft - means I am
excluded from contributing code. I can still participate in issues discussion (which
is admittedly the only point of using github, anyway, as far as I am concerned),
until the day that becomes restricted by the Uberlords as well.

Gitlab is the same shit

That's true. Even more surprising is that Gitlab is even more annoying to use than
Github. It's similar with Google by the way: Google crippled its search engine in
the last years, so I was using DuckDuckGo hoping I get better results. And they
managed to be even worse than Google search. We are going backwards here:
mega-corporations run the show, and the quality of things that worked fine
constantly decreases. That can not be a coincidence anymore. The rise of worse
of The Suck has won ...

[ghost]

Not everyone has or can afford a smartphone.

As for me, I am a student, I don't have a phone and I just got the "in 45 days you need to have 2fa". I already hate the email verify at school, having to boot up a replit chrome browser just to log into my email to get some stupid code, and NOW I need a phone? And reading this:

I will LOSE access to stuff?? Why??? My password is secure, I am not a moron on security for crying out loud.

Concerning "boycotts" and such: at some point it's time to put down pitchforks and admit it's not that bad. It's fair to still complain, but doomcalling everything isn't productive.

"Second passwords" were argued as desired alternatives, and it's exactly what we have now.

And too this, I agree, and I know what I just wrote is against it, but I can't install a auth app on a school laptop.
And yes, I can do it on my home computer, but now what, I can't upload my code from school to home??
And because I can't just opt out, now what?
I need your help. How can I either
A: Do the 2fa, and not need a phone, or a Linux environment on my school laptop as it's blocked.
B: Or switch to another platform. I don't want to do this, I like the features of GitHub, and I don't want it to migrate my stuff, but if I do, i'll do it.

[lukefromdc]

In that situation, Github may have become incompatable with your available HARDWARE. If you don't want to shell out money for hardware you have no other need for, migration should not cost anything but time and also has a lower environmental cost

[howtophil]

Best to migrate and leave this shitshow of a microsoft website behind

…

On Thu, Mar 14, 2024 at 10:02 AM DVT7125 ***@***.***> wrote: Not everyone has or can afford a smartphone. As for me, I am a *student*, *I don't have a phone* and I just got the "in 45 days you need to have 2fa". I already hate the email verify at school, having to boot up a replit chrome browser just to log into my email to get some stupid code, and NOW I need a phone? And reading this: image.png (view on web) <https://github.com/community/community/assets/99568947/8cc80018-13e6-4f64-a6cb-192824e029cf> I will LOSE access to stuff?? Why??? My password is secure, I am not a moron on security for crying out loud. Concerning "boycotts" and such: at some point it's time to put down pitchforks and admit it's not *that* bad. It's fair to still complain, but doomcalling everything isn't productive. "Second passwords" were argued as desired alternatives, and it's exactly what we have now. And too this, I agree, and I know what I just wrote is against it, but I can't install a auth app on a school laptop. And yes, I can do it on my home computer, but now what, I can't upload my code from school to home?? And because I can't just opt out, now what? I need *your help*. How can I either A: Do the 2fa, and not need a phone, or a Linux environment on my school laptop as it's blocked. B: Or switch to another platform. I don't want to do this, I like the features of GitHub, and I don't want it to migrate my stuff, but if I do, i'll do it. — Reply to this email directly, view it on GitHub <#63738 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMVH3MCZNJYDWQJHICDXYTYYGUW5AVCNFSM6AAAAAA3QESJNWVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DOOBWHAZDA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Phillip J Rhoades HowToPhil.com KE8GGD

[arnholm]

The time has come to realize that Github (owned by Microsoft) is failing as a hub for open source, because open source providers are required to offer personal information to Microsoft or lose control over their own work.

[ghost-viper2607]

repons #112526

[ghost-viper2607]

help me

[lukefromdc]

Since I am on a desktop, I can use the GNOME "authenticator" app without divulging a phone number. If I did not have my own Linux boxes I would have to leave Github but this would not matter as much because I would also be unable to work on MATE.

[lukefromdc]

I am not really able to help with this as I was barely able to deal with it myself. Had the GNOME authenticator app failed due to any bug, since the first application I tried did not work I would probably have thrown in the towel. Quite likely I would have had to walk away from the MATE project over this, as I do refuse to have any accounts on any sites with SMS "verification" or SMS as 2FA. That is because ownership of my phone must be deniable.

[WindClan]

Now github is trying to force me to use the invasive 2FA instead of just using a number you can easily get from Google Voice

[lukefromdc]

Google Voice isn't an option for everyone. I have kept both Google and Facebook all the way out of my life and certainly would not invite them in for any reason. Every box I own is a fugitive from both Google and Meta

[howtophil]

Answering via email: It's long past time to leave github

…

On Thu, Jun 27, 2024 at 9:29 PM Featherwhisker ***@***.***> wrote: Now github is trying to force me to use the invasive 2FA instead of just using a number you can easily get from Google Voice — Reply to this email directly, view it on GitHub <#63738 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMVH3O4P27UWDBR24SJ5QLZJS355AVCNFSM6AAAAAA3QESJNWVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TQOJZG4ZDK> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Phillip J Rhoades HowToPhil.com KE8GGD

[lukefromdc]

A new concern with this came up with a "nudge" from Github to set up a second, backup 2FA approach.

If Github says I have to set up a second 2FA method or be locked out, I will walk away from github's website on that day on the grounds of having no other choice. Would still be able to push to repos and anyone can pull from these public repos, but would only be able to communicate with the team by email replies. That might actually work for a while but I have to assume eventially something would break

I was barely able to get one method of 2FA to work, now that lower hanging fruit has been picked. I was barely able to get ONE method (GNOME authenticator) to work,I do not have hardware token devices and I do not allow any website to know my phone number as I intend to keep ownership of that phone deniable. I have my recovery codes backed up to multiple places, so danger of being accidently locked out is low. The account is simply not valuble enough to justify allowing proof of ownership of my phone, or having to shop online (which I do not do and which cannot be done with my privacy browsers) for specialized hardware not commonly found in stores. Not going to happen, and sure as hell not Google Voice after all the work I've done to lock out Google.

Having to walk away from github entirely would make my wayland work on MATE much harder unless one of the other team members wanted to pull from a fork on Gitlab, or if gitlab goes that way too, patches from archive.org. I cannot migrate the project, only fork repos from it. With no landline I cannot host a repo locally either. Best option if I get advance warning of such a thing might be to ensure I have a fork of every repo under my own username and keep them current from the command line. I would be able to push branches but not create PR's, so it might be less disruptive to keep this on my own repos unless otherwise instructed.

At least someone getting locked out of their account doesn't pose a security risk to 3ed parties at all, so their should be no excuse for locking anyone out for lack of a second, backup 2FA method.

[aqwek]

Why does 2FA have to be manndatory? I use GitHub to host all of my open source stuff and I don't have a phone. I don't ever want one, either. This is stupid.

[lukefromdc]

My guess is Microsoft doesn't want to be held responsible for say, a hijacked account leading to malicious commits to something like the Linux kernel, OpenSSL, or cryptsetup.

[unfriendme]

Their house, their rules. (TT)