Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don’t love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don’t want to give them my phone number just to log in.
Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)…
If you’re not already using 2fa everywhere you can, you’re already doing it wrong.
2FA is annoying and not necessary for most things.
All security is annoying. Oh well.
Yeah I just want to type my name to be able to withdraw money from my bank account. No pesky pins or passwords or any form of authentication /s
Even in my bank’s ATM there’s only one password, not 2FA. 2FA is 2 factor auth, there’s no 2FA in the ATMs.
It doesn’t mean the initial password isn’t a layer of authentication, but strictly speaking where I live all ATMs do not employ 2FA.
You only need a password for the ATM, not a card and a password, which are two factors?
The two factors at an ATM are possession of your bank card + knowledge of your pin. (it also takes your photo, for good measure)
GitHub will happily accept a smart card or whatever, if an extra plastic rectangle jives with you more than an OTP generator.
Card is your username duh. Some people are beyond saving.
“Something you have” is absolutely not equivalent to “something you know”
You are completely unable to enter this conversation, but you think you’re the smartest one in the room.
I bet you’re insufferable.
The card number is your username, a physical card is a separate factor.
2FA is for people who don’t know how to use randomized passwords for every site
It doesn’t matter how random or secure your password is, it can still be compromised.
2FA increases security and costs nothing in return.
Brilliant. Until that website’s unsalted pw database is downloaded through a SQL injection.
Use both. You’re not smarter than security professionals.
- Salt doesn’t matter if your password is unique.
- If they can download data via SQL injection having them log in probably doesn’t matter that much.
- If they can dump your password/hash they can likely also dump the TOTP secret.
- A lot of website security expert attention is focused on raising the minimum security level. If you are using randomly generated passwords + auto-fill you are likely above their main target audience.
So yes, it is slightly better, but in practice that difference probably doesn’t matter. If you use U2F then you may have a meaningful security increase but IMHO U2F is not practical to use on every site due to basically being impossible to manage credentials.
So yes, it is better. But for me using random passwords and a password manager it isn’t worth the bother.
Called it
The day your machine is compromised is also the day ALL your passwords get stolen.
Codeberg, or failing that, GitLab, or BitBucket. Allowing MS to control all FLOSS software, means they might probably secretly get consent to use your code for copilot training without respecting licences. I have no idea if this happens, or might in the future, as I ain’t reading the terms of service for something I do not use, however, I have little trust for them enough for air on the side of caution.
I forgot about Codeberg - I’ll look into that and Gitlab as alternatives. Thanks for the suggestions.
I’m gonna keep putting all of my code on github, then. Doing my part to make copilot crash and burn.
Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.
But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.
Did you forget the ./s or something? Lemmy itself is developed on GitHub, as are plenty of other “valuable” open source projects. To pretend nothing of value is built there is putting your head in the sand.
If you’re developing software on GitHub you have a chance at getting some useful feedback, bug reports and maybe even PRs. Like it or not, the network effect is real.
SFC recommends to not use them, so that’s what I will keep (not) doing.
Not /s
It is long past the time to move on. We don’t like the ads, gamified/corporate-friendly social media aspects, & enshitification of the web (which is why we are an Lemmy not Reddit), so why would we want that same platform for our code?
Also Lemmy has every interest in moving as soon as ForgeFed is finalized & merged into a forge the can host since they want the same decentralized values for their forge as their forum/link aggregator platform and have publicly acknowledged it is a problem.
Your projects should follow that example, if not your current projects at least future ones. These megacorporation are not our friends.
I deleted my github account because fuck microsoft. Open source should not be hosted on their servers.
In regards to forced 2fa, as I don’t need it on my projects, there would be literally nothing lost if somebody gets into my account.
Just for the convenience I moved them to my selfhosted forgejo and mirroring to sr.ht as a backup.
last time I signed into my Microsoft 365 account for work I got two separate 2fa prompts and two captchas, it was like being in an episode of the crystal maze. the mere act of signing into something is now tedious and difficult
2FAS is open source and doesn’t have a cloud presence to store data. You can use it to add 2FA to your other services as well.
What’s wrong with using a Foss TOTP app?
Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn’t need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.
It’s fine. The added security is huge
The problem is when they want you to install their TOTP app in order to authenticate (I’m looking at you, steam… fuck off)
How’s that? I’ve had TOTP in my github account for over a year, on Aegis, and I have not seen them asking me to do anything else.
GitHub is not an offender right now, but I can easily imagine Microsoft forcing some MS OTP app in the future
Agreed. It would surprise nobody.
You can use it with a regular TOTP app, just like with Steam (but it requires some additional setup: https://help.ente.io/auth/migration-guides/steam/)
Exactly. At the end of the day there’s nothing being transmitted with OTP and using a standard app isn’t an issue.
I do agree but Steam’s app isn’t bad. It’s great if you use Steam’s social features and it makes secure login a total breeze.
It’s not that the app is good or bad. It’s that you are FORCED to use it when there is no technical reason for that requirement.
Let me reiterate: fuck valve
Sure, I don’t disagree, it shouldn’t be a requirement but because the app is good and makes the process easy, I don’t have a problem with it.
I think I’d still prefer to use a 3rd-Party TOTP app but at least Steam’s app adds some value by pushing a notification when you login.
You can use Steam with a regular third-party TOTP authenticator, here’s a guide on how to set it up: https://help.ente.io/auth/migration-guides/steam/
Steam is okay in my book because steam was the OG 2FA provider. They forced 2FA on everyone, all the way back in 2007, they took security seriously before anyone else really cared. So, they’re grandfathered in.
I hate that. I think it’s lazy af.
You can use Steam with a regular third-party TOTP authenticator, here’s a guide on how to set it up: https://help.ente.io/auth/migration-guides/steam/
Or like eBay
If you’re rooted, Aegis can import the seed from the Steam app then you don’t need it anymore.
Oh, that’s awesome!
But I don’t have root
You don’t need root. https://help.ente.io/auth/migration-guides/steam/
Thank you!!
You may be able to use an older version of the app that allowed ADB backups, and extract the seed from that.
Another approach is to extract it from the Steam desktop app.
No idea what companies think they’re accomplishing by using non-standard TOTP apps (that actually do TOTP under the hood). Microsoft do it so they can track your location and report it to managers when you login because it’s something that management asks for. Some companies do it so they can lock you into their services. No idea why Steam does it.
There’s an easier way: https://help.ente.io/auth/migration-guides/steam/
Thanks, I didn’t know about
steamguard-cli. And I was able to import the code into Aegis too (just had to set the type to “Steam” so it would generate 5-letter codes instead of normal TOTP)…
You don’t even need root. https://help.ente.io/auth/migration-guides/steam/
I just use Bitwarden’s 2FA functionality.
This is premium functionality, for those who don’t know.
And I heard that if you self host you can use the premium features for free
I believe thats only true for the unofficial version (Vaultwarden - API compatible to any Bitwarden app)
They have a free application too:
https://play.google.com/store/apps/details?id=com.bitwarden.authenticator
This app is actually free (as in freedom) and not merely gratis.
Can it export the seeds?
Worth the price for Bitwarden’s good practices imo, now if I could export all of my authy keys…
I know it’s possible, but Authy has made it a PITA… fuck authy.
I just use my password manager to generate the TOTP. There’s no way I’m going to install an app just to use a website.
I have a dedicated phone with a dedicated number which stays at home all the time. Call it (see what I did there) the Authenticator phone, which only job is to authenticate me when needed. Not only for Github, but other services too. Minimizing the risk to lose or break the device. And companies don’t get all my private stuff.
Works great till somebody does a sim swap on you.
How? It’s physically at home.
Swapping the sim associated with your phone number – from your sim to their sim.
But how? It’s at my home and without physical access to it, its impossible to swap sim card. It’s always at my home. Nobody can can transmit my phone number to their sim card without my knowledge and permission.
As in “Hi PhoneCompany, I’d like a mobile plan with you. Yes, I’d like to bring my old phone number over to the new account.”
Or “Hi PhoneCompanySupport, I’m @thingsiplay and i lost my sim, plz send me a new one. BTW my new address is …”
Ideally it shouldn’t happen, but phone company security is pretty slack sometimes,
That’s a big far fetched from reality, just to build an anti argument. I don’t know where you live, but in Germany this cannot happen. You can’t just order a sim to any address and use the phone number of you wish. You have to provide with 100% certainty that you are the owner of the sim card, as every new registered card/number has to provide your goverment id and your personal signature. Also taking old phone number to new account can only happen, if you provide proof you owned it in the first place.
If you know any case (here in Germany) someone could steal the phone number like you just described, please provide a link. This would be a huge security issue that should not be possible to happen. Nobody in the world can do that to my phone number and I think you just fabricate something that is not possible in Germany.
Ah, that’s good then.
In Australia you really only need a name and date of birth and ID such as a passport or driving license number of the owner. No physical or even photographic proof. Some phone companies send the original sim a notification before moving it, but no response is required and moving the number often only takes 10~30mins.
Banks in Australia commonly use sms codes as 2fa.
A large percentage (20~30%?) of adult Australians have had their ID details leaked in recent years because there are no adequately enforced security requirements or data-retention limits. One of the largest breaches was the second largest mobile phone provider…
That’s exactly what I’m planning to do, a phone that forwards all sms messages through ntfy (or other service like signal) to me.
On android you can use https://f-droid.org/en/packages/org.projectmaxs.module.smsnotify/ - forwards incoming sms to XMPP
Thanks but I’ll be running postmarketOS and make sms forwarder myself.
Interesting software. Never heard about this. This is not really for me as I don’t do SMS authentification or SMS in general or use that phone at all, other then authenticate myself from time to time. I wonder how this differs from software like KDEConnect in its practically (not in the technical implementation differences).
iCloud Keychain. Has the ability to store 2FA codes and pull them up automatically. GitHub also supports passkeys so most times I just log in with my biometrics or user pass and don’t have to worry about the added layer.
I’m fine with regular 2FA. What I can’t abide is having to use proprietary apps, like Blizzard’s battle net. Steam too.
Passkeys are the future but still a ways off.
Wild tho that you don’t have any other accounts needing 2FA? That’s scary to me as that added security goes a long ass way in regards to hardening your secuity.
pass otp. Works, more secure then SMS, open source.
Contributing to github is contributing to Microsoft’s AI poison which can steal your code from you regardless of license for another project that might use an incompatible license. To hell with github.
