I appreciate that there's a response to the 'supply chain attack' issue, but this also seems like we're raising the bar further for participation. I'm still dubious as to whether a phone is required but even if it's not, this now puts a high bar for anyone who doesn't have a phone and creates all sorts of anonymity issues for people that do.
Git is decentralized. My feeling is we should be focusing on technologies that lean into that idea.
Inter-Planetary Version Control [0] looks to be a defunct project but hits the keywords that fit what I imagine to be a viable alternative. Does anyone know other alternatives?
Free services with 2FA are a recipe for problems. You will eventually have your phone stop working, you will lose your hardware fob, and you will lose your recovery codes that you forgot where you hid. There is no paid support, so you get what you pay for. Trying to get back into your account, if it's even possible, will take a long time and lots of work. If you are abroad and need access, you might be screwed. If it's not hard to get back into your account at that point, their security sucks.
I think we all need to consider the possibility of moving off of GitHub, or at least keeping a mirror of everything on another provider, and making sure any long-lived services that pull from GitHub know the other provider to use. You don't want an account lockout to mean you've lost all your work.
We need someone like Homakov again (https://arstechnica.com/information-technology/2012/03/hacke...) so people can access their own repositories without this bureaucratic nonsense.
If you have a strong password, is that really the biggest security threat? I highly doubt that. 2FA is used to get unique identifiers and data mine people.
It is a breach of confidence that large parts of the open source scene have trusted GitHub and now have to jump through new hoops practically every year.
> Today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.
That's atrociously low. I know it's caveat emptor when it comes to FOSS, particularly as the nominal price is usually $0, but that really needs to be bumped up for anyone that is publishing packages to a public registry.
I hope they both mandate it for NPM and publicly flog^Wflag any existing accounts as "2FA Not Enabled" so that users can use that information to make their own choices about which dependencies to include in their projects.
> At GitHub, we believe that our unique position as the home for all developers means that we have both an opportunity and a responsibility to raise the bar for security across the software development ecosystem.
The fact that GitHub assumes to be in this position is alarming. Combined with this enforcement which I do not appreciate, I’m reconsidering my investment and will actively start migrating off of GitHub.
OK, what's wrong with requiring a very strong password and not having any recovery option? If you lost/forgot your password, that's it, kiss your account goodbye. It puts the responsibility on the user, which is good imo.
I've never lost a password. And the only time I lost a somewhat important account (Google) was because of their automated recovery system. If I could select "disable account recovery" the account would've never been hijacked... OK maybe it would've in a few decades when the average PC could bruteforce a 128 bit password in a reasonable amount of time and Google disabled rate limiting for some reason.
A colleague lost their phone and sent an email to GitHub asking for a password and 2FA reset. It was sent from his account email and it was successful. I found it weird because it means that if someone got access to his email, GitHub would provide access to their account.
Well, given that Github today doesn't seem to support meaningful 2FA (only TOTP and SMS), wouldn't it be good to fix that issue before starting to talk about requirements like these?
Maybe it's just my account, but I can't currently enroll my hardware token with Github in any way whatsoever.
Sure, they offer some 1.5FA, but why would I bother with that?
Wonderful news. Supply chain security is a disaster because developers won't opt into any kind of security features in the majority. Mandating 2FA is the obvious solution, and we'll all be radically safer for it.
Glad to see Github pushing this, I hope package repositories follow suit!
2FA has screwed me over in multiple instances over the years across different services.
Realizing one weekend away that I forgot to do a quiz for a uni course, trying to login to the course website on my phone and then remembering my hardware key is at home in my laptop.
Being forced to add a phone number to secure accounts I could not give less of a shit about but have to use for one reason or another, coming back months later to login, and realizing it's an old number and I'm locked out.
Emailing support in those cases and them just removing the phone number or changing it without any additional proof making the 2FA utterly useless.
Or emailing support and them asking me to send some driver's license or ID, then politely telling them to just delete my account because they never had that much info about me anyway.
2FA is a scourge. Just let me worry about my own security, if I care about your service, I won't make my password "asdfghjkl". In 99% of cases, that is fine and I have never had an issue.
Are there any downsides to security keys as 2FA? Are they using a single standard that shouldn't accidentally change or be deprecated for some reason? Is it possible to use them on mobile devices? Are there any risks they might break? Any issues with Linux support? Which particular security key would you recommend and why?
Let's just remind ourselves that we're not born with attached cellphones. These things get broken, lost, stolen, etc. Besides, some people do not own one. How will they solve the problem of folks getting locked out? And if anyone says there is a workaround for cases like this, then what problem is it solving?
How do I actually do this? I want to keep using ssh. I don't have and don't want a cellphone. I use FreeBSD. I can't find a simple explanation in the docs.
I wish they'd let me stay logged in longer. I use about 9 machines. On each machine I use 2-3 browsers. On some of those browsers I have several profiles. GitHub logs me out if I haven't used it in about 2 weeks. The result is I have to login with 2FA almost daily. It's super annoying.
Wonder whether it's related to attack on Heroku.
PSA: you should ALWAYS download the recovery codes when you enable 2FA.
Reading a lot of "phone broken; locked out of account" comments here and I don't know whether they understand that local one-time only recovery codes should be downloaded and stored safely (maybe even printed and stored in a safe, I do not know). If you lose access to your 2FA device, use the "recovery code" option and use one of your recovery codes to unlock your account.
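As an added illustration of the advice above (example code written for this page, not GitHub's implementation and not posted by anyone in the thread): a small server-side verifier that accepts RFC 6238 TOTP codes with a replay guard and burns one-time recovery codes, of which only salted hashes are stored. The class name `SecondFactorVerifier` is hypothetical; the demo secret is the ASCII test-vector key from RFC 4226 / RFC 6238, so the printed codes can be checked against the RFC tables.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret: the shared-secret test vector from RFC 4226 / RFC 6238,
# the ASCII string "12345678901234567890". A real enrolment uses a random secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def _normalize(code: str) -> str:
    # Accept "ab12cd-ef34ab", "AB12CDEF34AB" and stray whitespace as the same code.
    return code.strip().lower().replace("-", "").replace(" ", "")


class SecondFactorVerifier:
    """Hypothetical server-side second-factor state for one account: the TOTP secret,
    the last accepted time step (replay guard) and salted hashes of one-time recovery
    codes. Only the hashes are kept after enrolment."""

    def __init__(self, secret: bytes, recovery_count: int = 8, step: int = 30):
        self._secret = secret
        self._step = step
        self._last_step = -1
        self._salt = secrets.token_bytes(16)
        # Plaintext codes exist only to be shown to the user once at enrolment;
        # that is the copy the PSA says to download and store safely.
        self.recovery_codes = [
            f"{h[:6]}-{h[6:]}" for h in (secrets.token_hex(6) for _ in range(recovery_count))
        ]
        self._recovery_hashes = {self._hash(c) for c in self.recovery_codes}

    def _hash(self, code: str) -> bytes:
        # Codes are 48 random bits, so a salted SHA-256 suffices; a password KDF
        # is for low-entropy, human-chosen secrets.
        return hashlib.sha256(self._salt + _normalize(code).encode()).digest()

    def verify_totp(self, code: str, now: int, window: int = 1) -> bool:
        """Accept a code for the current step or +-window steps (clock drift), but
        never a step at or below one already used: each TOTP value is single-use."""
        if len(code) != 6 or not code.isdigit():
            return False
        current = now // self._step
        for candidate in range(current - window, current + window + 1):
            if candidate <= self._last_step:
                continue
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._last_step = candidate
                return True
        return False

    def verify_recovery(self, code: str) -> bool:
        """Burn a recovery code: valid exactly once, then removed from the set."""
        digest = self._hash(code)
        for stored in list(self._recovery_hashes):
            if hmac.compare_digest(stored, digest):
                self._recovery_hashes.remove(stored)
                return True
        return False

    def recovery_codes_remaining(self) -> int:
        return len(self._recovery_hashes)


if __name__ == "__main__":
    v = SecondFactorVerifier(DEMO_SECRET)
    print("TOTP at t=59:", totp(DEMO_SECRET, 59))           # 287082 (RFC 6238 vector)
    print("first use accepted:", v.verify_totp("287082", 59))  # True
    print("replay accepted:", v.verify_totp("287082", 59))     # False
    print("recovery codes (show once):", v.recovery_codes)
```

The replay guard is what makes a lost or shoulder-surfed code worthless after its first use, and the hashed recovery set is why support cannot "look up" a code for you: if you did not keep the plaintext copy, nobody has it.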
I feel like with the recent hackings done by Lapsus, it shows that 2FA can actually make it easier to break into a system. Since they first break into telecom companies, they can then sim swap and reset people's passwords.
Well, it seems like a good time to start migrating away from GitHub. When they can't be bothered to remove malware accounts like the node-ipc dudebro, but then claim they need a phone number from me to keep logged in for "security" ... I'll just leave. It's been a good run, I've had the account over 10 years, but I recently discovered Gitea is API compatible with GitHub. I can just make that my drop in replacement. I can even allow federated login with Keycloak + Gitea OIDC for anyone on GitHub who wants to log in on it and collaborate.
Thanks for all the fish.
Can anyone ELI5?
It seems that I will require either SMS, a mobile app, or USB dongle. I'm not happy about any of these options. I'm not going to give away my phone number, I don't have a smartphone (I have a Nexus from 2012 though), and I don't want to fork out on dongles.
Someone mentioned keepassx being able to do it, but I'm a bit hazy on that.
I've registered for a gitlab account just now, and I'll be messing around with that for awhile to see if I like it. If it proves tolerable, I'll probably be yanking the plug on github.
Except it's not actually 2FA if all it takes is an ssh key to push. That's only one factor. Doesn't address the threat model of compromised developer machine.
The blog post only mentions Mobile Push and WebAuthN. Is Github deprecating TOTP 2FA?
I also can't believe how many people are complaining about requiring 2FA. I have 2FA enabled for every single service that gives you the option. Backup Codes live in my password manager, and I have multiple yubikeys that I enroll whenever it's an option. It's been 10 years since I started doing this, and I've never been locked out.
425% cost increase to enable SSO on Github. Just saying.
If this breaks my 'check in code automatically with ssh key authentication' workflow, I'll be shopping for another option.
That’s my cue … to exit GitHub … and Google mail as well
I don’t have a phone number (that I am willing to fork over) so there’s that.
Welcome me, GITLAB!
Don't they already offer a 2FA option now? Why not just let people use it who want to, and leave everyone else alone?
I am an adult. If I want to sacrifice some security in the name of convenience, I should have that option. All this is doing, is pissing me off, and giving me one more reason to move to another platform.
I wish my PGP key could be used as a root identity for my 2FA keys :/
I wonder what this will mean for the relatively easy onramp for kids through Micro:bit and other tools? Maybe kids aren't supposed to directly access GitHub?
They do not give a single argument to show why they need to require 2FA, the same way they did not provide an argument for removing git password login. The more they will annoy users the more it will create space for a new service to compete with Github. Thanks Microsoft.
The biggest problem with Github in my opinion, is that personal accounts are usually the same as the one we use in the company we work for. So we are mixing personal and professional security.
Years ago when I set up a GitHub organization for our research collaborators, I initially mandated 2FA. But someone protested and brought up a point I’ve never considered—many of them need to be on-site, like the Chile desert or South Pole, which have extreme environments. One collaborator briefed people going to Chile saying “if you love your device, don’t bring it to the site in Chile.” It is so high in altitude that it can cause spinning HDDs to fail. And the fine dust there getting into your device is no fun.
So the consequence is that they don’t bring their phone to the site. They would leave it somewhere else before going up to the site. Needless to say that this 2FA requirement is a huge pain to them. There’s no second device for them. And even if someone could have a hardware key, those can become broken due to the reason above, and they don’t want that single point of failure to cause them trouble.
So those people would basically try to defeat 2FA because of this. E.g. our university requires 2FA to login to their network. They come up with a method to get the secret of the HOTP (from Duo, which is much less popular than TOTP that e.g. Google uses.)
I also made a suggestion for those people to use SMS for 2FA and use Google Voice for the phone no. Again, another way to make 2FA work on a single device.
P.S. needless to say on site they have servers and computers to collect data and analyze them. So they need to log in even if they don’t have a phone with them.
It's not 2 factor, it's ultimately 3rd party. I'll leave before I enable it.
I disagree with requiring it in general. As soon as you admin repos, sure.
Meanwhile Spotify and Hulu still don't provide it as an option...
Do they have an option for no SMS, just MFA?
By 2030 all websites will require 2FA, SSL Client Checks, Real ID Verified and a blood pin prick.
Get rid of the stupid requirement for SMS or TOTP.
Allow me to commit career suicide with my counter argument. My laptop randomly shuts off at least once a day (the screen freezes, then goes pink, it's an M1 mac if that helps). My phone's screen is mostly crunched glass shards, and when I charge it, the correct voltage doesn't go through. I think the problem is the outlets where I'm living?
Anyway, my own devices are the biggest risk in my threat model. Both my laptop (where I'd store the backup codes for GH MFA) and my phone (normal MFA authenticator app) turning into bricks is a WAY higher risk than someone stealing my Github password.
I'm not even a part of any orgs, no maintained packages (not on the account I use now, anyways). So I could store my backup codes on the cloud, but Google is getting fussier every day about 'lack of backup device' or whatever.
I could use a one time pad (and just memorize it), and store the encrypted backup codes on some kind of decentralized, permanent db. So a blockchain. But that costs money, and this is basically a venial irrelevant problem that I'm only complaining about to be a naysayer on this thread. So let's look for a free solution...
Well, what about... free anonymous blogging solutions! I can publish it to a bunch of these. I can use memorable usernames. Now, I just have to remember the platform(s, plural, cause one platform is still risky, could get the account banned or something by doing this, so I'll want to use all the big ones, reddit, twitter, and so on), the usernames (which will all be the same, to accommodate memorization lol), the 2fa backup code one time pad, and of course the password itself. But I could use the password as the one time pad to lighten the load. And the username could be really easily made memorable.
Yes! How easy is that? Okay, I'm going to try it out. If my approach is flawed, feel free to steal my GH account (as you can probably ascertain, it's a throwaway GH account, which is the only reason I'd be annoyed at having to 2FA for it).
I'll report back to this thread and leave a response to myself once I have this set up, in case anyone else is curious.
If for 2FA they mean a cellphone for the "offband" communication of a code, I am out.
Anyone that uses Github day to day at work and for side projects should have already enabled it.
When I think of what the "most important" account is to me, my Github page is pretty damn close to the top. Mine is currently 2FA with an automated script that will scan my Github and back everything up to GitLab (at least the "important" projects), which is also 2FA'd.
Insane setup to protect data in one account but if I lose access it would be beyond a bad day for me.