this post was submitted on 05 Jun 2024
50 points (79.1% liked)

Open Source

28952 readers
397 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 4 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
50
How is everyone handling the 2FA requirement for GitHub? (docs.github.com)
submitted 4 weeks ago* (last edited 4 weeks ago) by [email protected] to c/[email protected]
127 comments fedilink hide all child comments
 

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 4 weeks ago (7 children)

I don’t love the idea of having an authenticator app installed on my phone

For anything? Why not? Surely you don't believe SMS-based TOTP is safer, right?

[–] [email protected] 2 points 3 weeks ago (6 children)

Wut. TOTP doesn't involve sending an OTP. That's the point.

"SMS-based TOTP" is a nonsensical phrase

[–] [email protected] 3 points 3 weeks ago (1 children)

"Time-based One-Time Password" literally says nothing about the delivery method. Who said it can't involve remote sending?

And what would you call it, then, SOTP?

Anyway, regardless of the terminology-nitpicking, my point still stands.

[–] [email protected] 2 points 3 weeks ago (1 children)

The point of being time based is to not send it. That's the whole point. To avoid that vecotor of attack.

[–] [email protected] 2 points 3 weeks ago (1 children)

Do you think the SMS codes are not time-based on the companies' ends? How are they deriving the digits, then?

[–] [email protected] 2 points 3 weeks ago (1 children)

They are not time based, correct.

[–] [email protected] 2 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Interesting, I didn't know that. So how do they derive the digits?

[–] [email protected] 2 points 3 weeks ago* (last edited 3 weeks ago)

Best practice for a cryptographic nonce is to generate them randomly every time

load more comments (4 replies)
load more comments (4 replies)