When I think of what the "most important" account is to me, my Github page is pretty damn close to the top. Mine is currently 2FA with an automated script that will scan my Github and back everything up to GitLab (at least the "important" projects), which is also 2FA'd.
Insane setup to protect data in one account but if I lose access it would be beyond a bad day for me.
If I manage to lose my phone, live and backup yubikeys then I have recovery codes.
It's going to have to be something pretty drastic to cause me to lose all of that.
But my response wasn't to turn off 2FA. It was the reverse - to turn on all forms of authentication made available, for all accounts. If I lost control of it one way, I had another.
By the by, if you read the spec, FIDO expects you to do this in preparation for the day you lose your token. So no you are not the only one - people think about it all the time.
For me 2FA is super annoying because I run my browsers in private mode and I restart them multiple times a day, so I have to sign in quite often. It effectively makes it much harder for me to keep my privacy.
Not to mention losing the freedom to log in to my accounts from everywhere without needing my devices. Things do get stolen/lost/destroyed and that is a more realistic threat for me than getting my password stolen.
Tiered access would be better here. No commits, repos without 2fa.
Sure, someone could hack your computer and get access to your GitHub, but if they're already on your computer, they can just change the code and do a git push too.
Probably feasible for most users of HN, but prohibitively expensive for millions around the world. Using a phone for 2FA is not great:
1. You can lose it.
2. If you're backing up 2FA to the cloud, then it's not 2FA any more.
3. If you use a password manager on your phone, then both factors are the same; it's not really 2FA.
And it significantly degrades the user experience by requiring you have both devices available when you create an account to have any kind of backup.
The end result will be that I won't be contributing code on GitHub anymore but rather copy the project elsewhere and tell the developers where to pull my patches from.
And for people that are unable or refuse to use a secondary device, there's no technical reason you can't run a TOTP app on your desktop.
Clearly communicating a bunch of different options would be helpful for people.
Personally, I have 2 yubikeys, Authy synced to multiple devices, and the backup codes. There are a bunch of options with different tradeoffs.
2FA doesn't mean only SMS or smartphone app.
I personally have 2 yubikeys registered as the second factor and it works great. They last years w/o any problem.
The backup codes have a "nearly never used" issue: since they're nearly never used, it's easy to forget where you put that piece of paper (I vaguely know where mine might be located, but I'd have to lose some time searching for it if I ever needed it).
And there's also the risk that the "something bad" affects both the TOTP device and the backup codes. If your home is flooded, for instance, you might lose to water damage both the piece of paper where the backup codes are and your mobile phone.
Reading a lot of "phone broken; locked out of account" comments here and I don't know whether they understand that local one-time only recovery codes should be downloaded and stored safely (maybe even printed and stored in a safe, I do not know). If you lose access to your 2FA device, use the "recovery code" option and use one of your recovery codes to unlock your account.
What are they supposed to do to fix your issue without compromising their security model?
What you describe sounds like 2FA working like it's supposed to.
I don't believe I have the capacity to reliably preserve, in a secure location, recovery codes from dozens of different services over many years.
I suspect I'm not the only one.
There is pretty much nothing else in my personal life I have to do something like this with. The closest might be my physical SSN card or birth certificate. But that's one thing to keep track of, not a new thing every week or month to add to the stash. And even those, if they get lost, there is SOME way to replace them, usually.
We are asking people to do something that is not a thing they have practice at or otherwise have to do or are any good at or have the capacity for. And then blaming them when they fail to pull it off, where you're constantly getting locked out of things and/or constantly getting hacked, probably both at once.
I understand passwords alone don't work. I don't have a solution. I'm just predicting a very painful digital future for most people.
(My own "solution" is using Authy TOTP, installing it on multiple devices, figuring I will retain working access to at least one of these configured devices, and not bothering with backup codes. I don't know how secure it really is, or TOTP is in general, but it lets me keep using services that require it, without living in fear that I'm going to lose my phone and misplace the backup codes and lose access forever).
And that the very same reason people can't be trusted with passwords is the same as why they can't be expected to keep backups of their recovery codes.
Passwords suck. But so does every form of 2FA.
Fear of being locked out is exactly why I'm reluctant to enable 2FA. To enable it and then just store the password (err, I mean, recovery key) in my password manager seems to just get me more hassle for exactly no additional security.
What am I missing?
• there's no temptation for the user to use them on another website, where they could leak
• the server can ensure they are high-entropy (although AFAICS GitHub's recovery codes are only 40-bit…)
Moreover, if someone takes over your e-mail account, they can reset your password; but they can't reset the recovery codes.
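A server-side recovery-code store showing the properties listed above (server-generated, high-entropy, hashed at rest, single-use, with the entropy of a given code format computed so a claim like "40-bit" can be checked), as an added Python example that is not from the thread; the alphabet, code length and count are assumptions for the example, not GitHub's actual format.

```python
import hashlib
import hmac
import math
import secrets

# Assumed format for this example (not GitHub's): 12 symbols from a 36-symbol
# alphabet, displayed as two groups of six for easier transcription.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
CODE_LENGTH = 12
CODE_COUNT = 16


def code_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random code: length * log2(alphabet size).
    10 hex digits give 40 bits; 12 base-36 symbols give about 62 bits."""
    return length * math.log2(alphabet_size)


def normalize(code: str) -> str:
    """Tolerate the ways a user retypes a printed code: case, spaces, hyphens."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str) -> str:
    # The server stores only this, like a password hash. A fast hash is
    # acceptable only because the code is server-generated and high-entropy;
    # at 40 bits an offline brute force of a leaked table is feasible, so
    # either raise the entropy or switch to a slow KDF such as hashlib.scrypt.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Per-account recovery codes: generated server-side, shown once, burned on use.
    There is deliberately no 'reset' path here other than issue(), which an
    application would only expose to an already-authenticated session."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    def issue(self) -> list[str]:
        """Replace any existing codes and return the new plaintexts exactly once."""
        codes = []
        for _ in range(CODE_COUNT):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            codes.append(raw[:6] + "-" + raw[6:])
        self._hashes = {hash_code(c) for c in codes}
        return codes

    def redeem(self, submitted: str) -> bool:
        """Accept a code once; remove it so a copied printout cannot be replayed."""
        digest = hash_code(submitted)
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```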
That way it's easy to enroll a new laptop/phone/yubikey.
Once printed out, put in a plastic bottle and bury it in your backyard :)
Then again, people that use password managers at all usually have stronger passwords and less password reuse, so it can be an acceptable tradeoff.
Years go by, I need a code, they don’t work. Github could do nothing but tell me to start a new account.
Same old story; Github does not exist for you. It exists to make its workers and owners money. Whether it works or damages you is irrelevant to them.
The future has no obligation to the past. Don’t expect the codes to work if they change something that deprecates the old system they used.
Maybe it's just my account, but I can't currently enroll my hardware token with Github in any way whatsoever.
Sure, they offer some 1.5FA, but why would I bother with that?
When they say "for the sake of security" they mean for them too.
There's a reason they want you to verify using one of the first two methods first.
I got my Yubikey from Github for $5 https://github.blog/2015-10-01-github-supports-universal-2nd...
Apparently, once you do that, you might be able to add proper authentication. But no word on whether that then replaces the obsolete methods you were forced to configure earlier.
But, yes, right on track to enforce 2FA in 2023, I see...
So, after you enable a broken-by-design 1.5FA method, which you don't want, and which will further expose you to account takeovers, you can, possibly, configure actual security.
No wonder these guys are raking in the big bucks...
I think we all need to consider the possibility of moving off of GitHub, or at least keeping a mirror of everything on another provider, and making sure any long-lived services that pull from GitHub know the other provider to use. You don't want an account lockout to mean you've lost all your work.
It is a lazy way to cater to the lowest common denominator of users who will eventually fall for a phishing scam or install some keylogger and have their password end up in a dump.
I've come to that conclusion, too. I moaned and groaned when Microsoft bought GitHub, but did nothing about it. Now I've begun the migration process.
I'd like to spell out some big-picture thoughts on 2FA. Security and convenience are antithetical to each other. Sometimes better solutions come along where you can have a little bit of both. But ultimately, they're trade-offs.
Do you value security, or do you value convenience? And in what proportion?
Furthermore, increasing security also increases fragility. There's more to go wrong. Posters here have been talking about losing their devices, and so forth. These are legitimate concerns. These points have rebuttals, such as recovery procedures, and so forth. OK, and you're sure grandma is up to the task, is she? All these convenience tools: they're easy to use until they aren't.
So not only do you have to think about security vs convenience, you have to consider downside risks on both ends of the spectrum. It's not as easy as saying "moar security" and reading press reports about the advisability of such systems.
Or to look at this from the threat analysis side, there are many different threat models and not everyone has the same ones.
This is why it is so wrong for these cloud services to consider only one single threat model and impose it on everyone.
Denial of service is also a consideration in threat modeling and 2FA does increase the risk of loss of access. Whether that's worth it depends entirely on other factors which will vary for each individual and group. It's never a clear cut answer.
Personally I have TOTP enabled on my github account (not on a phone, that's too fragile) but that's because it makes sense for my use case.
There are other provider accounts where I have no desire to ever enable 2FA because I value access from anywhere with only my memory far more.
Cloud providers should not be making threat modeling decisions on behalf of users, each user needs to make their own.
Another reason to self host most things, you can implement your own best policy.
IMHO there are no good answers on a global scale. Identity should be handled on a local level. Government already has a process for issuing me new tokens even if I were to lose all my existing ways of proving my identity. Local organizations know how to verify my identity using those tokens. I already put lots of trust in my own bank on this, so maybe they could also manage my digital identity.
Another solution is for users to upload identification documents when they sign up for the service. To recover your account, the service asks you to provide the documents again. This way it doesn't matter what the locality is, and you can provide literally anything (a picture of a duck!). Some providers have asked me to send a copy of my Driver's License before, but I don't think I had provided it to them before recovery, so that wasn't great.
A couple startups are beginning to build "identity" products that I imagine will cover a lot of this space. I expect soon there will be one company that everyone uses for identity, and then rather than be at the mercy of GitHub, we'll be at the mercy of Sauron's Eye.
GitHub is a remote. This "mirror" is kept on your disk.
Sure, it’s common for sites to use your phone number both for 2FA and account recovery (whether single- or multi-factor—and single-factor account recovery is obviously a serious problem in a two-factor authentication environment), but the problem you’re complaining about is nothing to do with 2FA.
I think Fastmail hits the right balance, and explains it well: https://www.fastmail.help/hc/en-us/articles/360058752374-Usi..., heading “Why do I have to add a recovery phone number to set up two-step verification?”
I don't really understand how it can be easier to break into a system if you need the username, the password and an SMS code, than if you just need a username and a password.
Obviously, SMS two-factor authentication is flawed. But one-time codes and WebAuthn are pretty good two-factor authentication methods to secure important credentials.
It's not good 2fa, but it is 2fa.
There are proposals to address this either by chaining trust between security keys or by sharing "passkeys" (a WebAuthn credential). See https://news.ycombinator.com/item?id=31272867 . Only Apple implements it today as far as I know, so there's no good way to recover from a lost or damaged key if you're not exclusively in the Apple ecosystem.
Install experience is not the best, but drivers work well.
How secure it is I can't really say. But it will allow you to access services requiring TOTP without a cellphone or usb dongle.
https://authy.com/blog/introducing-authy-for-your-personal-c...
Git is decentralized. My feeling is we should be focusing on technologies that lean into that idea.
Inter-Planetary Version Control [0] looks to be a defunct project but hits the keywords that fit what I imagine to be a viable alternative. Does anyone know other alternatives?
Whether this is a good idea or not is up for debate, but it doesn't require a phone, or even internet technically, just an accurate (within ~1 minute) time.
EDIT: Typo should -> shouldn't
EDIT2: to be more clear- shouldn't -> isn't
See https://docs.github.com/en/authentication/securing-your-acco... . I've only skimmed but I don't see anything in that list that doesn't require a mobile phone in one form or another.
You might need an "EDIT3", I'm afraid, because "isn't be" doesn't make that sentence much more clear.
IME, they not only require a phone number at setup but, further, reject VOIP/twilio numbers.
This shows that it’s not at all about security, but about slowing (but not solving) their brutal, unrelenting, spam and sock puppet problems.
EDIT: Thanks - very interesting. I guess I am jaded by my experiences with 'authy' and twilio, etc.
Either way, it’s not phishable (unlike passwords) so it’s way safer.
That's atrociously low. I know it's caveat emptor when it comes to FOSS, particularly as the nominal price is usually $0, but that really needs to be bumped up for anyone that is publishing packages to a public registry.
I hope they both mandate it for NPM and publicly flog^Wflag any existing accounts as "2FA Not Enabled" so that users can use that information to make their own choices about which dependencies to include in their projects.
Fine, do that. I don't care. Just don't force me to use 2FA if I don't want to. I prefer the convenience over the extra security. This change removes that choice from everyone.
You can put an auth cookie in a browser and achieve 2FA for 99% of use cases without bothering anyone.
But nobody does that when they can use 2FA as an excuse to force people to install their app or hand over more personal information.
No reason 2FA can't be just two passwords.
Confusing, obviously incorrect.
> No reason 2FA can't be just two passwords.
Maybe somewhat less obviously incorrect, but still incorrect. Passwords can be phished easily, are managed by users, etc.
That's not two factors, that's one factor (something you know) twice, even if it is different passwords.
Anyway, my own devices are the biggest risk in my threat model. Both my laptop (where I'd store the backup codes for GH MFA) and my phone (normal MFA authenticator app) turning into bricks is a WAY higher risk than someone stealing my Github password.
I'm not even a part of any orgs, no maintained packages (not on the account I use now, anyways). So I could store my backup codes on the cloud, but Google is getting fussier every day about 'lack of backup device' or whatever.
I could use a one time pad (and just memorize it), and store the encrypted backup codes on some kind of decentralized, permanent db. So a blockchain. But that costs money, and this is basically a venial irrelevant problem that I'm only complaining about to be a naysayer on this thread. So let's look for a free solution...
Well, what about... free anonymous blogging solutions! I can publish it to a bunch of these. I can use memorable usernames. Now, I just have to remember the platform(s, plural, cause one platform is still risky, could get the account banned or something by doing this, so I'll want to use all the big ones, reddit, twitter, and so on), the usernames (which will all be the same, to accommodate memorization lol), the 2fa backup code one time pad, and of course the password itself. But I could use the password as the one time pad to lighten the load. And the username could be really easily made memorable.
Yes! How easy is that? Okay, I'm going to try it out. If my approach is flawed, feel free to steal my GH account (as you can probably ascertain, it's a throwaway GH account, which is the only reason I'd be annoyed at having to 2FA for it).
I'll report back to this thread and leave a response to myself once I have this set up, in case anyone else is curious.
2. Don't want my hand to cramp
3. I'm being silly, everyone should use MFA
I misspelled gh as gb, but that makes it more memorable (Great Britain, World War II spies, the Cryptonomicon partially taking place in the UK, easy peasy).
Okay, so where was I? Right, the encrypted backup codes! Here is the code:
    # XOR each byte of the secret with the matching byte of the key. This is a
    # one-time pad only if the key is random and at least as long as the secret.
    encrypted = []
    secret_key = input('secret key: ')
    try:
        for index, character in enumerate(input('secret to encrypt: ')):
            encrypted.append(ord(character) ^ ord(secret_key[index]))
    except IndexError:
        # The key ran out before the secret did; whatever was encrypted so far is still printed below.
        print('Your key is not big enough to securely encrypt the secret!')
        print('Go play cryptopals to see why using XOR that way would be bad')
    print(''.join(hex(i) for i in encrypted))
Aaand the secret is live on reddit. For redundancy I need to plaster this everywhere (hiding it in public key exchanges would also be easy!), but this will do for now: https://www.reddit.com/r/encrypted_gb_codes/comments/uj1fll/...
When I read this announcement I was happy because this means 2FA is getting even more known, accepted and used.
If you have a strong password, is that really the biggest security threat? I highly doubt that. 2FA is used to get unique identifiers and data mine people.
It is a breach of confidence that large parts of the open source scene have trusted GitHub and now have to jump through new hoops practically every year.
How do they get unique identifiers from TOTP?
The fact that GitHub assumes to be in this position is alarming. Combined with this enforcement which I do not appreciate, I’m reconsidering my investment and will actively start migrating off of GitHub.
It's kind of true, isn't it (for certain programming languages)?
Laptop or phone stolen? No access to your own devices? Oops guess you can't login to anything.
It seems that it will require either SMS, a mobile app, or a USB dongle. I'm not happy about any of these options. I'm not going to give away my phone number, I don't have a smartphone (I have a Nexus from 2012 though), and I don't want to fork out on dongles.
Someone mentioned keepassx being able to do it, but I'm a bit hazy on that.
I've registered for a gitlab account just now, and I'll be messing around with that for awhile to see if I like it. If it proves tolerable, I'll probably be yanking the plug on github.
To authenticate, a password is generated based on the private key, which acts as a seed. That seed is combined with a timestamp in order to generate a password, which has an expiry time of about 1 minute. The algorithm that generates the password is a standard one, so once you know the algorithm, you can generate valid passwords.
Linux provides "oathtool", which is suitable for such a purpose.
Is my understanding correct on this?
I've never lost a password. And the only time I lost a somewhat important account (Google) was because of their automated recovery system. If I could select "disable account recovery" the account would've never been hijacked... OK maybe it would've in a few decades when the average PC could bruteforce a 128 bit password in a reasonable amount of time and Google disabled rate limiting for some reason.
Glad to see Github pushing this, I hope package repositories follow suit!
It's not clear that this 2FA requirement would fix any of those problems, but it could one day allow package management tools to flag up when one developer has given/sold control of their package over to someone else who has less of a reputation and might be malicious, as was the case with the event-stream package.[1]
[0] https://github.com/ChALkeR/notes/blob/master/Gathering-weak-...
[1] https://www.eweek.com/security/node.js-event-stream-hack-exp...
I don’t have a phone number (that I am willing to fork over) so there’s that.
Welcome me, GITLAB!
I am an adult. If I want to sacrifice some security in the name of convenience, I should have that option. All this is doing, is pissing me off, and giving me one more reason to move to another platform.
The biggest problem with GitHub in my opinion is that personal accounts are usually the same as the one we use in the company we work for. So we are mixing personal and professional security.
Realizing one weekend away that I forgot to do a quiz for a uni course, trying to login to the course website on my phone and then remembering my hardware key is at home in my laptop.
Being forced to add a phone number to secure accounts I could not give less of a shit about but have to use for one reason or another, coming back months later to login, and realizing it's an old number and I'm locked out.
Emailing support in those cases and them just removing the phone number or changing it without any additional proof making the 2FA utterly useless.
Or emailing support and them asking me to send some drivers license or ID, then politely telling them to just delete my account because they never had that much info about me anyway.
2FA is a scourge. Just let me worry about my own security, if I care about your service, I won't make my password "asdfghjkl". In 99% of cases, that is fine and I have never had an issue.
Thanks for all the fish.
I also can't believe how many people are complaining about requiring 2FA. I have 2FA enabled for every single service that gives you the option. Backup Codes live in my password manager, and I have multiple yubikeys that I enroll whenever it's an option. It's been 10 years since I started doing this, and I've never been locked out.
So the consequence is that they don't bring their phone to the site. They would leave it somewhere else before going up to the site. Needless to say, this 2FA requirement is a huge pain to them. There's no second device for them. And even if someone could have a hardware key, those can become broken due to the reason above, and they don't want that single point of failure to cause them trouble.
So those people would basically try to defeat 2FA because of this. E.g. our university requires 2FA to log in to their network. They come up with a method to get the secret of the HOTP (from Duo, which is much less popular than TOTP that e.g. Google uses).
I also made a suggestion for those people to use SMS for 2FA and use Google Voice for the phone number. Again, another way to make 2FA work on a single device.
P.S. Needless to say, on site they have servers and computers to collect data and analyze them. So they need to log in even if they don't have a phone with them.