Open Source

28934 readers

370 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 4 years ago

MODERATORS

[email protected]

How is everyone handling the 2FA requirement for GitHub? (docs.github.com)

submitted 3 weeks ago* (last edited 3 weeks ago) by [email protected] to c/[email protected]

127 comments fedilink hide all child comments

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 69 points 3 weeks ago (3 children)

SMS is the least secure form of 2FA, and sim swaps are a very real thing. Whatever you're issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.

And this isn't just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing, your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2fa or email 2fa I wouldn't trust.

[–] [email protected] 12 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Totally agree! 2FA on all the accounts that support it avoiding SMS. And different passwords (complex, auto generated by a password manager) for each single account. I may be paranoid, but I also use a different email alias (SimpleLogin) for every single account! 😆

[–] [email protected] 5 points 3 weeks ago

same, a simple habit that is secure, I use it always with maximum privacy. One day you will be in a rush, under stress, affected by age, and use your old habits with a valuable asset...

[–] [email protected] 3 points 3 weeks ago (2 children)

SMS 2FA is still better than no 2FA.

[–] [email protected] 4 points 3 weeks ago* (last edited 3 weeks ago)

Not if the org uses SMS auth as a recover method for your "lost" password

Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.

I generally don't let my team enter phone numbers into their account data.

[–] [email protected] 3 points 3 weeks ago (2 children)

But it should be the last resort. It makes sense why it's being phased out

[–] [email protected] 2 points 3 weeks ago

Well we could be using passkeys right now if Big Tech weren't trying to tie them to their own platforms! 🤷

[–] [email protected] 2 points 3 weeks ago

Unfortunately many banks still require it and have no other methods available. I tried to reason with my bank about it but they just do not care.

[–] [email protected] 2 points 3 weeks ago

This, but my random, account-specific 20 char passwords are not online and available.