GitHub Starts Mandatory 2FA Rollout Early for Some Users (github.blog)
By the end of 2023, GitHub will require all code contributors to enable two-factor authentication — part of "a platform-wide effort to secure software development by improving account security."
But on Monday they'll start rolling it out, according to a new blog post, reaching out to "smaller" groups of developers and administrators "to notify them of their 2FA enrollment requirement." The post explains: If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You'll have 45 days to configure 2FA on your account; before that date nothing will change about using GitHub except for the reminders. We'll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com.
You'll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don't worry: this snooze period only starts once you've signed in after the deadline, so if you're on vacation or out of office, you'll still get that one week period to set up 2FA when you're back at your desk....
Twenty-eight (28) days after you enable 2FA, you'll be asked to perform a 2FA check-up while using GitHub.com, which validates that your 2FA setup is working correctly. Previously signed-in users will be able to reconfigure 2FA if they have misconfigured or misplaced second factors during onboarding.
GitHub's blog post says their gradual rollout plan "will let us make sure developers are able to successfully onboard, and make adjustments as needed before we scale to larger groups as the year progresses." InfoWorld summarizes the options: Users can choose between 2FA methods such as TOTP (Time-based One-Time Password), SMS (Short Message Service), security keys, or GitHub Mobile as a preferred 2FA method. GitHub advises using security keys and TOTPs wherever possible; SMS does not provide the same level of protection and is no longer recommended under NIST 800-63B, the company said.
Internally GitHub is also testing passkeys, according to their blog post. "Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain."
I can't believe people _aren't_ using 2FA (Score:5, Insightful)
Seriously, what possible reason is there _not_ to use 2FA on Github FFS?
Github does not require you to use SMS for 2FA- you can use TOTP (e.g. Authy) or HOTP (e.g. Yubikey). So you get much better security, and no loss of anonymity.
It's extra security, and with a FIDO device it requires no more effort than touching the key occasionally.
Re: (Score:2)
Seriously, what possible reason is there _not_ to use 2FA on Github FFS?
It's annoying and i don't care about my fart app source code enough to put up with it.
Re: (Score:2)
You find having to touch a Yubikey once every few months annoying?
Just how fucking lazy are you?
Re: (Score:2, Interesting)
It's incredibly annoying and overly complicated, it locks you into a service (or services) that can (at their discretion) lock you out of all sites that require it (by refusing to validate you for whatever reason), frequently requires a hardware token that requires a subscription, and provides only the illusion of security, and is just as susceptible to phishing attacks and man-in-the-middle attacks as regular ole passwords, and is now an extra moving part that can break down at any time and for any reason
Re: (Score:3)
What? No.
I've never seen such a service that requires a subscription, nor any kind of centralized service that can compromise all your secrets. My Github secret is held by Github, and my AWS secret is held by Amazon. If one becomes compromised, nothing happens to the other. It's a simple algorithm that barely takes any work to implement and doesn't need delegating to some third party vendor.
2FA secrets are not easily phished, because it's actually hard for a normal person to get it. It's generally held by a
Re: (Score:2)
2FA secrets are not easily phished, because it's actually hard for a normal person to get it.
The problem is when you log into glthub.com and enter your one time password your account has just been compromised.
All the apps give you is the computed result, which is only valid for a short timeframe.
Most burglaries only last a few minutes.
Re: (Score:2)
Okay? If your github account gets compromised, then it does, but that doesn't affect anything else.
Re: (Score:2)
Parent is a moron who confused 2FA with either SSO or Password Managers.
Seriously- go back and re-read their post but replace TOTP with SSO or Password Manager and suddenly what they're saying at least makes some sense.
They're still flat-out wrong though.
Re: (Score:2)
it locks you into a service (or services) that can (at their discretion) lock you out of all sites that require it (by refusing to validate you for whatever reason)
The ol' "What if these people actively decide to destroy the very purpose of their service!" excuse. At that point the risk is right up there with "But what if Github just decides to delete its entire service."
Have you risk assessed the option of you being hit by an asteroid? Or your cat actually being a Russian agent waiting for remote instructions to eat your 2FA key? What if there are actually aliens living under ground and at any moment they can come and steal our phones?
Your post is the worst kind of w
Re: (Score:2)
it locks you into a service (or services)
WTF no it doesn't.
frequently requires a hardware token that requires a subscription,
WTF no it doesn't. Github supports TOTP which is an open SOFTWARE standard where you can use a variety of TOTP apps, your own code, or a variety of both closed and open hardware devices. Or you can use U2F keys, also an open standard not dependent on any particular manufacturer or subscription.
TOTP, for example, creates a centralized database that can be hacked to get everyone's sing
Re: (Score:2)
It's kind of incredible that people believe this in 2023.
TOTP doesn't rely on a "centralized database". Every website gets a different code, that only works on that one website.
Using U2F with a security key is best, because it uses public key crypto. Even if the website is hacked, all they get is a useless public key. It's useless because the browser passes the domain of the website requesting authentication to the key, and it becomes part of the challenge. If someone steals the database and sets up a fake
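The origin binding the comment above describes, as an added worked example (not part of the thread, and not code from GitHub or any FIDO library). It models what a U2F/WebAuthn key does when a site asks for an assertion: the browser, not the user, fills in the origin, the key signs over it, and the server rejects any signature bound to a different origin. It is a deliberate simplification: here the key signs only SHA-256 of the client data, whereas real WebAuthn also signs authenticator data carrying the rpIdHash; and Sign lets the caller pick rpID and origin independently so the "lookalike site" case can be exercised, which a real browser would refuse up front. The type and function names, the challenge strings and the lookalike origin https://glthub.com are all constructed for the example.

```go
package main

// Added example, not part of the thread and not code from GitHub or any FIDO
// library. It models the origin binding in U2F/WebAuthn: the browser, not the
// user, fills in the origin, and the authenticator signs over it, so a
// signature produced on a lookalike site never verifies at the real one.
// Simplification (assumption): the key signs only SHA-256(clientDataJSON);
// real WebAuthn also signs authenticator data that carries the rpIdHash.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator holds one key pair per relying party ID. The private key
// never leaves the device; only the public key is handed to the server.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a P-256 key for rpID and returns the public half, which is
// all the server stores (and all an attacker gets if that database leaks).
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// clientData is assembled by the browser. Origin comes from the page that
// called the API; the user never types or sees it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser sends back to the server.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// Sign is the browser-plus-authenticator side: build clientData with the real
// origin, hash it, and sign with the key registered for rpID.
func (a *Authenticator) Sign(rpID, origin, challenge string) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the server side. All three checks must hold: the signed
// origin is the server's own, the challenge is the one it issued (no replay),
// and the stored public key verifies the signature over exactly those bytes.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, expectedChallenge string, as Assertion) bool {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Origin != expectedOrigin || cd.Challenge != expectedChallenge {
		return false
	}
	h := sha256.Sum256(as.ClientDataJSON)
	return ecdsa.VerifyASN1(pub, h[:], as.Signature)
}

func main() {
	// Constructed scenario: a credential for github.com, and a phishing page at
	// a lookalike origin relaying the genuine challenge.
	auth := NewAuthenticator()
	pub, _ := auth.Register("github.com")
	challenge := "server-issued-nonce-1"
	good, _ := auth.Sign("github.com", "https://github.com", challenge)
	fmt.Println("real site:", VerifyAssertion(pub, "https://github.com", challenge, good))
	phished, _ := auth.Sign("github.com", "https://glthub.com", challenge)
	fmt.Println("lookalike site:", VerifyAssertion(pub, "https://github.com", challenge, phished))
}
```

Note that nothing the phishing site captures helps it: the signature it relays is over its own origin, rewriting the origin field after the fact breaks the signature, and a stale challenge is rejected, which is the property a TOTP code (copied by the user into whatever page asked for it) does not have.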
Re: (Score:2)
Seriously, what possible reason is there _not_ to use 2FA on Github FFS?
The problem with 2FA as popularly deployed lies in two general buckets.
1. Many popular 2FA methods offer zero resistance to authenticator impersonation rendering them useless against the single largest security threat.
2. Multiple factors on Internet sites are rarely deployed as independent requirements when automated recovery procedures are included in the threat model. When a physical factor can be used to bypass a knowledge factor and vice-versa it stops being about 'A and B' and is functionally closer t
Re:I can't believe people _aren't_ using 2FA (Score:5, Informative)
How the hell does using TOTP or something like a Yubikey make you less anonymous?
Go ahead and explain how you think that works.
TOTP uses a seed value plus the current time which are run through a hash to generate a unique code. There is nothing about that that could be used to trace it back to an individual.
Re: (Score:3)
No, TOTP doesn't require an email address. These days what happens is the website shows you a QR code which contains the required information. You just scan it with an app like Google Authenticator. It runs on a phone but technically it's just a piece of software -- there's even commandline implementations.
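The mechanism the two comments above describe (a seed plus the current time run through an HMAC, provisioned by scanning a Base32 secret out of a QR code), as an added worked example that is not part of the thread and not code from GitHub, oathtool or any authenticator app. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the defaults an otpauth:// QR code implies (SHA-1, 30-second step) and a server-side verifier with a one-step skew window. The seed in main is the RFC 6238 test seed in the Base32 form a QR code would carry; the second seed and the function names are constructed for the example. Nothing in the computation involves a phone number, an e-mail address or any server other than the one that issued the seed.

```go
package main

// Added example, not part of the thread and not code from GitHub, oathtool or
// any authenticator app. HOTP per RFC 4226 and TOTP per RFC 6238 with the
// defaults an otpauth:// QR code implies (SHA-1, 30-second step). The seed and
// the clock are the only inputs: no phone number, no network.

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
	"time"
)

// DecodeOTPSecret turns the Base32 secret carried in the QR code's
// otpauth:// URI back into the raw seed bytes.
func DecodeOTPSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// HOTP: HMAC-SHA1(seed, counter), dynamic truncation, then mod 10^digits.
func HOTP(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP is HOTP with the counter taken from the clock: floor(unix / period).
func TOTP(seed []byte, unixTime int64, period int64, digits int) string {
	return HOTP(seed, uint64(unixTime/period), digits)
}

// Verify is the server side: accept the code for the current step or one
// step either side (clock skew), comparing in constant time.
func Verify(seed []byte, code string, unixTime int64, period int64, digits int) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		want := TOTP(seed, unixTime+skew*period, period, digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed input: the RFC 6238 test seed "12345678901234567890" in the
	// Base32 form a QR code would carry. A second site with its own seed gets
	// a different code at the same instant; nothing links the two.
	seed, err := DecodeOTPSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	other := []byte("a-seed-for-some-other-site")
	now := time.Now().Unix()
	fmt.Println("site A:", TOTP(seed, now, 30, 6))
	fmt.Println("site B:", TOTP(other, now, 30, 6))
	fmt.Println("verifies:", Verify(seed, TOTP(seed, now, 30, 6), now, 30, 6))
}
```

The verifier accepts the previous and next step to absorb clock drift; anything older is rejected, which is why a code that was phished still has to be used within roughly a minute, and why a seed stored on the same laptop (as a later comment suggests) is a working but weaker setup: whoever reads the seed can mint codes forever.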
Re: (Score:2)
> TOTP requires an email address or phone number to send the one-time key to, right?
For fuck's sake no it fucking does not. JFC does anyone in this god damned thread bother to do the slightest bit of research before making stupid comments?
> And a yubikey is unique, so unless you have one for every single place you need 2FA it connects all those places together deanonymizing you.
Thank you for proving you don't know a god damned thing about how either TOTP or HOTP work.
No, you cannot trace someone with a f
Phoneless under a bridge (Score:2)
Re:Phoneless under a bridge (Score:5, Insightful)
You don't actually need a cell phone to get TOTP to work. Sure, it's most convenient to use a mobile device like a cell phone or tablet, but with a little bit of work you can get TOTP running on a laptop or PC. This obviously reduces security because now your TOTP secret is on the same device you're using to access GitHub, but it's a workable solution. Just keep your TOTP secrets in an encrypted volume.
Re: (Score:2)
FFS- you can use TOTP codes via Authy running on the same system you are using to access GitHub in the first place, or you could use a password manager like 1Password that has built-in TOTP support, or you could use an HOTP FIDO token like a Yubikey.
How the fuck do you contribute anything useful on Github without knowing anything about 2FA FFS?
2FA TOTP apps (Score:3)
2FA! Our password issues are your problem. (Score:2)
They either use something insecure like SMS, forces you into buying multiple overpriced security dongles, or forces you to trust a device meant for podcasts and shower porn.
Do the three rules no longer apply? (Score:5, Interesting)
I was always taught that these are the foundations of authentication; something you know, something you have, something you are.
I always understood 2FA accomplishes the second which makes it a pretty easy win for security for a majority of people. If anonymity is so extremely crucial that even a hardware Yubikey is a high risk then maybe the internet isn't for you?
Seeing so much pushback to 2FA here what are the alternatives? It sure feels like a world with only passwords no matter how strong just isn't cutting it anymore so we need something and for every flaw with 2FA I can see applying doubly to biometrics.
Honest question, if 2FA is so risky what do we do to protect not just us tech geeks but the rest of the public that's as easy to grasp and in my.opinion effective at stopping account hijacks as 2FA without rewiring our entire infrastructure?
Re: (Score:2)
Pay no attention to the pushback here. Slashdot mostly seems to have people whose knowledge fossilized somewhere around the 90s, and since then have never learned anything new. I can't think of any other way to explain the amount of comments that display a complete lack of technical knowledge about how 2FA works.
The vast majority of people will comply with the new way of doing things because they have no other obvious option, the techies that actually kept with the times understand why it's a good idea, and
Re: (Score:2)
Pay no attention to the pushback here. Slashdot mostly seems to have people whose knowledge fossilized somewhere around the 90s, and since then have never learned anything new
I have concerns that yet to be answered. All I am ever told is to take it in the ass and accept it.
Maybe you can help.
Why does everyone want everyone to use security keys. Those things are expensive and you are required to have two of them. Then you waste 2 USB ports using them. Then what do you do when you plug it in? Are you good to go? Or do you have to get up each time and every time you want to log into something? Or is it a spot check every so often. "STOP CITIZEN. PROVE YOUR VALUE OR ITS RAPE IN THE ASS PR
Re: (Score:2)
Something you are is good security for proving you are who you are... if it can't be faked or duplicated. Since you can't change it, if it can be, then it's potentially dangerous.
FreeOTP+ and oathtool (Score:2)
Some web sites and services insist on using mobile phone and SMS for two factor authentication.
This is really a bad idea. SIM swapping does happen, and you lose your authentication device if that happens.
On the other hand, Time Based One Time Passwords (TOTP) do not need to be tied to your mobile phone number.
If you prefer the command line, install the package oathtool, and you are good.
If you want an authenticator app on your phone, then use FreeOTP+.
Better yet, put the hash in both of these and you have a
all it does (Score:2)
All 2fa accomplishes is that sooner or later, you will be locked out of your account with no way to get back in.
Re: (Score:2)
2FA has never prevented anyone from accessing my account and is preventing me from accessing something currently.
MediaFire can truly go fuck themselves.
Re: (Score:2)
Recovery codes work. I've used them.
completely unnecessary (Score:2)
sign your commits noobs.
Re: (Score:3)
Use TOTP instead of an SMS number.
My beef is more with services that don't let you use TOTP instead of an SMS number, such as OpenAI.
Re: (Score:2)
OpenAI deliberately requires a phone number to prevent abuse. Phone numbers aren't free, and even though they are very cheap, that is enough to stop people creating large numbers of accounts to e.g. circumvent API limits.
For services like social media it also helps keep people who are banned from simply making a new account.
I don't like it either, but I can understand why they do it. Occasionally I buy a pre-activated SIM card from eBay and create a few accounts. They last for a few months and then die, cos
Re: (Score:2)
My second beef with services such as OpenAI and Twitter is not allowing voice-only numbers.
I have checking accounts at a bank and a credit union. When I sign in from an "unrecognized" computer, such as after upgrading to a new major version of a web browser, both of them give me the option of receiving the synchronizer code through a voice call or a text message. When I had an unlimited voice-only line of service and a pay-as-you-go mobile line of service, being able to receive 2FA calls on my voice line sa
Re: (Score:2)
Problem solved with a couple FIDO2 WebAuth compat keys https://fidoalliance.org/fido2... [fidoalliance.org]
It works nicely with GitHub and many other services.
USB Plugs to desktops, laptops, wirelessly communicate with smartphone devices.
Re: (Score:2)
Problem solved with a couple FIDO2 WebAuth compat keys https://fidoalliance.org/fido2 [fidoalliance.org]...
The problem was solved decades ago with client certs.
USB Plugs to desktops, laptops
Sane organizations managing secure systems have enough sense to control the use of USB for obvious reasons. Yet here we are requiring USB ports to be used to facilitate authentication. How many seconds does it take for the wrong USB stick to covertly install a reverse shell?
Re: (Score:2)
1. Prior to TLS 1.3, client certificates were sent in the clear. Anyone watching the TLS handshake could know exactly who was using a site.
There is no requirements for client certs to contain any identifiable information and TLS 1.3 has been widely deployed for a number of years.
2. Client certificates can easily be stolen by malware on OSs that provide no isolation between user apps. If the browser running under a user's account can access the client certificate, so can malware.
Client certificates can be stored anywhere. In OS keychain, hardware security modules, or on externally on smart cards. People get to pick and choose based on their security needs.
Comparable solutions such as a smart card is no better or worse than a USB key because both are performing the same operations on the same internally guarded secrets.
TOTP/HOTP/WebAuthn have always happened after the TLS session was established, preventing this eavesdropping.
This is the problem wit
Re: (Score:2)
USB Plugs to desktops, laptops, wirelessly communicate with smartphone devices.
That burns 2 of the 4 USB ports on my laptop and when has wireless ever been all that secure?
Re: (Score:2)
That burns 2 of the 4 USB ports on my laptop and when has wireless ever been all that secure?
I am not sure I can figure out how/why this feature attracts so many adverse reactions, especially from persons who appear not to be directly involved or not to be using any of those TOTP applications or FIDO2 devices.
1st, I'd reply to you that having 2 FIDO keys does not mean using both at once. Only one is used to authenticate at a given moment. The other one goes into a safe in case the first one is lost. Like with plain mechanical keys.
The wireless feature is NFC and it requires mostly direct contact of the key
Re: (Score:2)
I cannot believe I have to share the Internet with people like you.
No it's not about "forcing FIDO mindshare"- you can also use TOTP and that is supported by countless applications, from Google Authenticator, to Authy, to 1Password, and god knows how many others.
Re: (Score:2)
I cannot believe I have to share the Internet with people like you.
No it's not about "forcing FIDO mindshare"- you can also use TOTP and that is supported by countless applications, from Google Authenticator, to Authy, to 1Password, and god knows how many others.
Indeed. FIDO is about making authentication work across different devices. I had a small role in developing the FIDO specs. "Forcing FIDO mindshare" was not something they were striving for.
Re: (Score:2)
FIDO is about making authentication work across different devices.
Authentication already works across different devices. Whichever device I'm using, I can enter my password.
I'm really bothered by schemes that require me to store a second secret somewhere besides my brain.
Some of them are stealable, and the rest are losable.
Re: (Score:2)
"Forcing FIDO mindshare" was not something they were striving for.
But forcing people into using expensive token or to trust people who shouldn't be is?
Re: (Score:2)
> Or are you just invertebrately intolerant of everyone who isn't exactly like you?
I'm intolerant of conspiracy theory spouting morons.
Re: (Score:2)
I'm intolerant of conspiracy theory spouting morons.
I wish people would find it in their hearts to respect others. As the saying goes it is possible to disagree without being disagreeable. Ad hominem serves no constructive purpose.
Re: (Score:3)
I don't respect conspiracy theory nonsense. I don't respect antivaxxers. I don't respect flat Earthers. I don't respect people who believe in QAnon.
Re:F off github (Score:5, Insightful)
What a stupid, ignorant comment.
Github has supported TOTP (e.g. Google Authenticator or Authy) and HOTP (e.g. Yubikey) for years- neither of which requires your phone number.
Seriously- do any of you people actually fucking use Github? JFC.
Re: (Score:2)
I use it for opensource software. I have no need for 2FA, it just makes things less practical and the platform incredibly silly.
Re: (Score:2)
> I use it for opensource software.
What the fuck does that have to do with anything?
> I have no need for 2FA, it just makes things less practical and the platform incredibly silly.
If you believe that then you are a fool.
And how is entering a code to authenticate a new browser, or re-authenticating once every few months "impractical"? Are you just so incredibly lazy that that's too much work for you?
Re: (Score:2)
They are not asking for your phone number. I'm using a yubikey, simple and secure, could also use google authenticator or any number of other similar apps. But then again, you, along with apparently so many other self proclaimed "geeks" here on /. don't seem to understand how this really simple technology works either. Your password, regardless of your boasted size and complexity, is still not as secure as the same password with ANY method of 2FA, even SMS.
Re:From the Dept Noone Asked For (Score:5, Informative)
Who upvotes this shit?
No, security was not "fine" pre-2FA and what the fuck does 2FA have to do with tying identities to actual ones?
Use TOTP (Authy, Google Authenticator) or HOTP (Yubikey, other FIDO devices), both of which GitHub supports, and you are every bit as anonymous as you were with just a username and password but a whole lot more secure.
Re: (Score:2)
Who upvotes this shit? No, security was not "fine" pre-2FA and what the fuck does 2FA have to do with tying identities to actual ones? Use TOTP (Authy, Google Authenticator) or HOTP (Yubikey, other FIDO devices), both of which GitHub supports, and you are every bit as anonymous as you were with just a username and password but a whole lot more secure.
It was probably upvoted by people who assumed SMS or E-mail based 2FA would be required, which as you correctly state is not the case. People jumping to conspiracy theories about Microsoft? On Slashdot? Say it isn't so...
Re: (Score:2, Troll)
2FA based on phone number requires phone numbers, which is an ID that can be shared with other data collectors and deanonymize the data.
Re: (Score:2)
Yep, neither of which is required for Github. But I'll leave it up to you, is the appropriate modding for the OP: -1 Troll, or -1 Offtopic?
Re: (Score:2)
That's like saying accounts are a privacy problem because you might register with your real name. How about not doing that?
Re: (Score:2)
I've been using computers (and slashdot) a very long time, and while I understand the security that 2FA can bring, and the problems with passwords, I also recognize the increase in complexity that comes with it, along with the huge potential pitfall of locking yourself out of everything.
Just recently a podcast host on Coder Radio related his 2FA near horror story where a device died suddenly, just about locking him out of *everything* (see episode 491, about 25 minutes in). And he's someone who's religious
Re: (Score:2)
Did you even read any of what I wrote? The recovery codes are only good for so many times. Once they are used up, you're done. No way back in. Phones fail. Most entities have absolutely no way to talk to anyone to reset anything. That's a huge risk in my book. At least with my bank on my corporate accounts if I lose or break the RSA keyfob I can talk to a real person who knows me and get a new RSA key authorized. Can't do that easily with the 2FA apps and the web services they protect.
Plus you never
Re: (Score:2)
> I (who was NOT using a short easily guessable password) am NOT a single solitary bit more secure with google's and github's TOTP shenanigans.
If that's the only thing you think 2FA protects you from then you are not smart enough to be commenting in this thread. Go sit in the corner and be quiet.
> which, since they require a javascript-enabled browser
What in the fuck are you talking about? JFC you truly have no fucking idea how 2FA works do you?
Why don't you do everyone a favor and shut up before you
Re: (Score:2)
You just fucking claimed that TOTP requires a javascript enabled browser and that's a load of horseshit.
And you also think the only thing that TOTP protects you from is easily guessed passwords.
So yeah, you don't fucking know how TOTP works and no one actually believes you wrote a browser extension that implements a TOTP client.
Re: (Score:2)
Obviously, TOTP can be implemented in whatever language. No argument there.
Sure, it also protects from stolen passwords. But I would assume GitHub stores only salted hashes.
Would you care to to explain what other possible benefit you have in mind?
Possibly an insurance requirement (Score:2)
Re: (Score:2, Redundant)
I honestly find it annoying. My university recently decided that email and University provided MS Office Accounts need to have 2FA using Microsoft authenticator. To make things worse, the authentication randomly times out. And if you are a person who decides to do the polite and proper thing and not carry a phone to class you can find yourself locked out of your email or one note.
Annoying AF. There is a weird assumption that people have their phones surgically attached. I have "quiet hours" regarding my little tracking device. After being forced onto the crappy MS web product, I just forward my email to another email account.
Now I only put up with it when I have to go into it to clear things out every so often.
Re: (Score:2)
Why the fuck would you be on your computer on Github without your phone somewhere in the same general vicinity?
Regardless- you don't have to use your phone- you can use Authy on your desktop, or you can use a HOTP FIDO token like a Yubikey.
Hell you can use 1Password and keep the 2FA TOTP code there.
It seriously feels like half the people in this thread don't know what 2FA is, or how it works on Github, but for some reason feel that they need to comment on it anyway.
Re: (Score:2)
For some of us, the "flyspeck-3" fonts used by smart-phones make them un-usable. This is a Federal-law matter (the Americans with Disabilities Act); note further that statutory damages for ADA violations start at $15,000 per offense... are you volunteering to pay that?
Re: (Score:2)
Okay, now I'm confused. How does the ADA require the use of unreadably small fonts on smartphones? It seems to me like it would in fact require the reverse.
Re: (Score:2)
Yubikeys are supported just fine. That's what I use.
Also, TOTP doesn't intrinsically require a smartphone. Phones are just commonly used to run the applications that implement it.
Re: (Score:2)
What in the ever-loving fuck are you even talking about?
You can run whatever font you want on Android and nobody is going to fine you for that.
And you can use a FIDO token like a Yubikey like I already said.
You're literally just making excuses at this point.
Re: (Score:2)
Your flip phone isn't a smart phone which is what parent specifically said- so why on Earth would you bring it up? Are you trolling? Or just an idiot?
Regardless- use a damned FIDO token then.
Re: (Score:2)
Sounds like it already has a better game library.
Re: (Score:2)
Hur dur, what button do I press on my telegraph to get this snake game? And what is a WAP page viewer?
Re: (Score:2)
It seriously feels like half the people in this thread don't know what 2FA is, or how it works on Github, but for some reason feel that they need to comment on it anyway.
No, we are trying to understand why it is needed and why it comes with so many issues with using it.
Re: (Score:2)
If you don't understand what 2FA gets you, then what are you even doing on Github in the first place? Because I hate to break it to you- but 2FA is not a difficult concept to understand, nor is it difficult to understand the problems it solves. If your workstation gets compromised and someone installs a keylogger, or you accidentally reuse a password and a site is compromised, or any one of a dozen other possibilities- 2FA protects you.
And the rest of your comment is complete bullshit. There are no issues u
Re: (Score:2)
If you don't understand what 2FA gets you, then what are you even doing on Github in the first place? Because I hate to break it to you- but 2FA is not a difficult concept to understand, nor is it difficult to understand the problems it solves. If your workstation gets compromised and someone installs a keylogger, or you accidentally reuse a password and a site is compromised, or any one of a dozen other possibilities- 2FA protects you.
How so? By using a code sent to email or text that has been proven to be insecure and primarily sent to an insecure device? A hardware key, which is expensive, requires you to have multiple, is not widely supported, and has nothing but horror stories when lost? Or an app made by an untrustworthy company that can at any moment get into a pissing match with Google and I will be shit out of luck.
Re: (Score:2)
2. Authy is untrustworthy. Just downloaded the Windows Authy app. Get a nice prompt BEGGING for a phone number. How is that secure?
3. 1Password is untrustworthy. Same issue above as Authy.
Re: (Score:2)
> 1. Because my phone makes lights and noise that I don't want to hear.
Then use a hardware token like a Yubikey you twat.
> 2. Authy is untrustworthy. Just downloaded the Windows Authy app. Get a nice prompt BEGGING for a phone number. How is that secure?
The phone number is to allow you to recover the account if you want- you do not need to provide it and there are plenty of open source TOTP implementations you could use if you weren't too lazy to spend 5 seconds looking.
> 3. 1Password is untrustwor
Re: (Score:2)
but apparently you would rather spend that time writing inane comments on Slashdot in an attempt to refute non-existent complaints?
Temper tantrum child is a genius who walks among us mere mortals, yet has no idea or concept that his accusations are a confession.
Look angry person, you really need to understand that you have left the world where we view you as anything but entertainment for us. So be it, you are our new punchinello.
You seem to think that everyone around you is a rank dullard, and that your profanity and accusations of our stupidity are somehow helping your inferiors.
Honey - I have bad news for you - you write l
Re: (Score:2)
> 1. Because my phone makes lights and noise that I don't want to hear. Then use a hardware token like a Yubikey you twat.
Too expensive.
> 2. Authy is untrustworthy. Just downloaded the Windows Authy app. Get a nice prompt BEGGING for a phone number. How is that secure? The phone number is to allow you to recover the account if you want- you do not need to provide it and there are plenty of open source TOTP implementations you could use if you weren't too lazy to spend 5 seconds looking.
Cool, so someone else can recover my account.
> 3. 1Password is untrustworthy. Same issue above as Authy. Then fucking use Bitwarden, or Keepass, or any of the countless open source alternatives. Seriously- how lazy are you? 5 seconds of searching would have given you a list of open source options but apparently you would rather spend that time writing inane comments on Slashdot in an attempt to refute non-existent complaints?
Still a fucking pain in the ass to setup and use.
Re: From the Dept Noone Asked For (Score:2)
"1. Because my phone makes lights and noise that I don't want to hear."
I always keep my phone on vibrate, and if I really don't want to be bothered I turn the ringer off completely. And the phone stays on the desk face down.
Takes care of the "lights and noise" problem.
Re: (Score:2)
I don't want to be tethered to my phone thank you very much.
Re: (Score:2)
Why the fuck would you be on your computer on Github without your phone somewhere in the same general vicinity?
Relax, or at least don't type like you are one step away from going all caps.
You might be surprised, but the telephone is as much an annoyance as the gift of the Gods to mere mortals. Of course, there are a lot of people who have panic attacks if they aren't with the distractions. I recall students who refused to give up their smartphones at our auditorium for classes. Flunking was a better option. I was driving a car to some location work when a student intern went into a full panic attack because , wait
Re: (Score:2)
> You might be surprised, but the telephone is as much an annoyance as the gift of the Gods to mere mortals
Then don't use a fucking phone. You can use an app on your computer, or a tablet, or a hardware key like a Yubikey.
> I know there are different methods to authenticate - however the option I had used nothing but the phone. So you apparently jump to a conclusion that they had all of those alternatives - they had only the phone, like you don't know the situation, but for some reason felt the need to comment on it anyway.
We're talking about Github here you twat, and Github supports all of the methods I fucking suggested.
Seriously, are you illiterate?
You are exactly like everyone else in this thread making incredibly stupid comments that aren't even remotely relevant to the discussion at hand.
No, temper tantrum laddie. You're doing some malicious projection there, and, despite thinking so, you do not control the conversation.
You don't control the conversation, and truthfully, you sound like a crazy guy cursing at people on a street corner.
We are not constrained to talking about Github temper tantrum laddie. And you don't control the conversation.
You are not allowed to squelch others just because they relate some issues with 2FA. And no amount of cursing or malicious projection abou
Re: (Score:2)
Easy I leave my phone at home, or someplace. Unlike my daughter who has a panic attack when she goes into a place without data access for 5 minutes, I am quite happy to be without my phone, I do not monitor it constantly and can quite easily go for a week without looking at until finally someone reminds me that they can't contact me (bliss), then I eventually get round to charging it, no rush.
Don't assume everyone has the same addictions as you do.
Re: (Score:2)
Next!
Re: (Score:2)
Stop whining. Use a yubikey or email for your TFA. Also stop whining.
So how do I use a yubikey or email for a system that uses only 1 TFA? A smartphone. That's it. It's what is used, and I only use it to clean out my mailbox every so often. My daily driver solution is to forward all the mail to a different email account.
For you see, there are maybe 40 thousand people on this system. Many people only have a smartphone. And many/most are marginally capable of using the phone by itself. And now they will have to carry around a Yubikey dongle to attach to their smartphone,,
Re: (Score:3)
Microsoft authenticator is very broken when you have a work account that Microsoft demands you log into to 2FA your personal accounts.
On personal PC...
Web site : "Please log into MS Authenticator and authenticate this thing"
MS Authenticator: "Please log in with your work credentials"
MS Authenticator : "I see you used your work credentials like I asked you to. Please log into a work PC to authenticate this login to your authenticator"
Move to work PC. Click on email...
Work PC browser: Please log into MS Authe
Re: (Score:2)
Main character syndrome.
Re: (Score:2)
If you use Google Authenticator keys, it is just a shared secret, and not really anonymity-breaking, provided the 2FA program is stored somewhere secure.
TOTP keys, on the other hand are definitely something that can attack anonymous identities.
Re: From the Dept Noone Asked For (Score:2)
I don't understand the 2fa trolls railing against it. Every single security outfit will tell you it increases security on your accounts. Even if you only have sms or email as options, it's still better than just a password alone regardless of how big and complex they think their password is.
Re: (Score:2)
One thing that might be useful for 2FA while having anonymity, would be something like a PasswordCard, where it can be printed out on generation. That way, there isn't anything needed for a 2FA app clientside, other than having the card, where one just puts in the letters/numbers specified.
Re: (Score:2)
Most implementations of 2FA don't compromise anonymity.
The phone apps are just apps -- the whole point of running them on the phone is that they run somewhere other than on the device you're using to log into github, and so a compromise of your desktop/laptop won't extend to them. But they have no need to be on a phone specifically, and can be had as a desktop application, or purpose-made hardware device.
Re: (Score:2)
Re: From the Dept Noone Asked For (Score:2)
Yeah sure riiiiiight. I see the conspiracy theories run strong with you. Good luck bud.
Re: (Score:2)
TOTP computes the one-time token as a hash of a time-based counter and a shared secret. https://en.wikipedia.org/wiki/... [wikipedia.org] is enough to know.
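The two comments above (the phone app is "just a shared secret" running somewhere other than the login machine, and the token is a hash of a time-based counter and that secret) describe RFC 4226 HOTP and RFC 6238 TOTP. The following is an added example, not code from any commenter or from GitHub: it implements both, plus the tolerant verifier a server needs for clock skew. The secret is the public RFC test vector "12345678901234567890", constructed for the demo and not a real credential; `decode_base32_secret` is a hypothetical helper name for the base32 form that `otpauth://` URIs carry.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 4226 / RFC 6238 test-vector secret, not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, then mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (floor((now - t0) / step))."""
    if for_time is None:
        for_time = time.time()
    counter = (int(for_time) - t0) // step
    return hotp(secret, counter, digits, algo)


def verify_totp(secret: bytes, candidate: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check that tolerates +/- `window` steps of clock skew.

    Compares in constant time and returns the matched step offset (0 = current step,
    -1 = previous, +1 = next) or None when nothing matches. A real verifier should also
    remember the last accepted counter and refuse anything at or below it, so a code
    that was phished and replayed within the window is rejected.
    """
    if for_time is None:
        for_time = time.time()
    for delta in range(-window, window + 1):
        expected = totp(secret, for_time + delta * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return delta
    return None


def decode_base32_secret(encoded: str) -> bytes:
    """otpauth:// URIs carry the shared secret as (often unpadded) base32; restore the padding."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Same secret, same clock, same code on the server and on whatever device holds the secret:
    # a phone is not special, only the fact that the secret lives off the login machine matters.
    print("HOTP counter 0 :", hotp(RFC_TEST_SECRET, 0))            # 755224 per RFC 4226
    print("TOTP at T=59   :", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("skew check     :", verify_totp(RFC_TEST_SECRET, "94287082", for_time=89, digits=8))
```

The values above are the published RFC test vectors, so a deviation from them means the truncation or counter arithmetic is wrong. Note what the design does and does not protect: anyone holding the secret (the authenticator app, a desktop TOTP client, or an attacker who copied it) produces identical codes, and a code typed into a look-alike site is valid for the real site for the rest of its time step, which is why the thread's later point about real-time phishing relays applies to TOTP but not to origin-bound security keys.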
Re: (Score:2)
It's not for protecting against someone with physical access to your computer, which is generally considered Game Over anyway. But if someone phishes your password, or cracks the hashes from a compromised site where you reused the password, they've got a harder problem if you've got 2FA. They've got to hope the authentication protocol is one of the stupid ones without two-way authentication (LastPass, pobox.com you have been warned!) and run a real-time attack impersonating the site you're logging into to g
Re: (Score:2)
I am not seeing that as worth it.
This also takes two more USB ports for my laptop, so another $100 I need to spend, with the added benefit of having a nice easy way of breaking it.