undefined | Better HN

0 pointsmichaelmior6y ago0 comments

I would assume that GitHub support would be willing to provide some out of band authentication to allow someone to recover an account if all other options had been exhausted.

0 comments

2 comments · 2 top-level

Klathmon6y ago

I personally hope they dont.

Time and time again it's been shown that one of the weakest links for account security is customer support. It's pretty trivial to gather enough information to impersonate someone well enough for most support reps to believe it's actually you.

It's also part of the reason why SMS is so insecure, because legally most phone companies can't not allow you to transfer your number, and the ways they can verify you are you is limited.

If they do allow support account recovery, I hope they allow the ability to disable it for those who don't want the extra attack vectors.

jeromegv6y ago

That's the whole point. We do not want that. This leaves us vulnerable to attacks where they take advantage of the support person naiveness.

j / k navigate · click thread line to collapse