Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.
Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...
SMS is the least secure form of 2FA, and sim swaps are a very real thing. Whatever you're issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.
And this isn't just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing, your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2fa or email 2fa I wouldn't trust.
Not if the org uses SMS auth as a recover method for your "lost" password
Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.
I generally don't let my team enter phone numbers into their account data.
But it should be the last resort. It makes sense why it's being phased out
Well we could be using passkeys right now if Big Tech weren't trying to tie them to their own platforms! 🤷
This, but my random, account-specific 20 char passwords are not online and available.
Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn't need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.
This is premium functionality, for those who don't know.
And I heard that if you self host you can use the premium features for free
I believe thats only true for the unofficial version (Vaultwarden - API compatible to any Bitwarden app)
Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.
But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.
Agreed, me to! And I use syncthing to sync my database between my devices Edit: mine is called KeePassDX but its the same database file
I already use
pass("the unix password manager") and there's a pretty decent extension that lets it handle 2fa: https://github.com/tadfisher/pass-otpWorth noting that this somewhat defeats the purpose of 2fa if you put your GitHub password in the same store as the one used for otp. Nevertheless, this let's me sign on to 2fa services from the command line without purchasing a USB dongle or needing a smartphone on-hand.
I just use my password manager to generate the TOTP. There's no way I'm going to install an app just to use a website.
Codeberg, or failing that, GitLab, or BitBucket. Allowing MS to control all FLOSS software, means they might probably secretly get consent to use your code for copilot training without respecting licences. I have no idea if this happens, or might in the future, as I ain't reading the terms of service for something I do not use, however, I have little trust for them enough for air on the side of caution.
I forgot about Codeberg - I'll look into that and Gitlab as alternatives. Thanks for the suggestions.
This hate for 2FA is bizarre to me. Sure, it's not as convenient but in this day and age, with all the threats out there, there's no real excuse for not using it.
Contributing to github is contributing to Microsoft's AI poison which can steal your code from you regardless of license for another project that might use an incompatible license. To hell with github.
