undefined | Better HN

0 pointsillusive40802y ago0 comments

Why opposed to MFA? Source code is one of the most important assets in our realm.

0 comments

Most people will have to sync their passwords (generally strong and unique, given that it's for github) to the same device where their MFA token is stored, rendering it (almost) completely moot, but at a significantly higher risk of permanent access loss (depending on what they do with the reset codes, which, if compromised, would also make MFA moot.) (a cookie theft makes it all moot as well.)

The worse part is that people think they're more protected, when they're really not.

Dylan168072y ago

Bringing everyone up to the level of "strong and unique password" sounds like a huge benefit. Even if your "generally" is true, which I doubt, that leaves a lot of gaps.

account422y ago

Doesn't help that a lot of companies still just allow anyone with access to the phone number to gain access to the account (via customer support or automated SMS-based account recovery).

loeg2y ago

It's inconvenient, SMS 2FA is arguably security theater, and redundant with a real password manager. Hopefully Passkeys kills 2FA for most services.

illusive4080OP2y ago

SMS 2FA is the devil. It’s the reason I haven’t swapped phone numbers even though I get 10-15 spam texts a day. The spam blocking apps don’t help and intrude on my privacy.

Hawxy2y ago

FYI github already supports using passkeys as a combined login/2FA source. I haven't used my 2FA codes for a while now.

1 more reply

userbinator2y ago

Freedom is far more important.

illusive4080OP2y ago

But you can use any totp authenticator. The protocol is free and open.

userbinator2y ago

It's more to make the point that "no means no." An act of protest.

(I have written a TOTP implementation myself. I do not have a GH account, and likely never will.)

1 more reply

creatonez2y ago

Should you have the freedom to put in a blank password, too?

voidz2y ago

My password is a single 'a'. Nobody will ever guess that one.

Freedom22y ago

They have the freedom to request whatever authentication method they want.

LtWorf2y ago

My source code is important to others but not to me. I have backups. but 2FA is annoying to me.

It's very easy to permanently lose accounts when 2FA is in use. If I lose my device my account is gone for good.

Tokens from github never expire, and can do everything via API without ever touching 2FA, so it's not that secure.

Brian_K_White2y ago

"If I lose my device my account is gone for good."

Incorrect, unless you choose not to record your seeds anywhere else, which is not a 2fa problem.

2fa is in the end nothing more than a 2nd password that just isn't sent over the wire when used.

You can store a totp seed exactly the same as a password, in any form you want, anywhere you want, and use on a brand new device at any time.

LtWorf2y ago

> Incorrect, unless you choose not to record your seeds anywhere else, which is not a 2fa problem.

You know google authenticator app introduced a backup feature less than 1 year ago right?

You know phones break all the time right?

2 more replies

jjav2y ago

> Why opposed to MFA? Source code is one of the most important assets in our realm.

Because if you don't use weak passwords MFA doesn't add value. I do recommend MFA for most people because for most people their password is the name of their dog (which I can look up on social media) followed by "1!" to satisfy the silly number and special character rules. So yes please use MFA.

But if your (like my) passwords are 128+bits out of /dev/random, MFA isn't adding value.

admax88qqq2y ago

Sure it is. If your system ever gets keylogged and somebody gets your password you are compromised

With MFA even if somebody has your password if they don't have your physical authenticator too then you're relatively safe.

ndriscoll2y ago

If you have a keylogger, they can also just take your session cookie/auth tokens or run arbitrary commands while you're logged in. MFA does nothing if you're logging into a service on a compromised device.

2 more replies

throwaway29902y ago

Haha yes they do. Everyone stores their 2fa in 1Password so once that’s stolen by a key longer they’re fucked.

samatman2y ago

The slogan is "something you know and something you have", right?

I don't have strong opinions about making it mandatory, but I turned on 2FA for all accounts of importance years ago. I use a password manager, which means everything I "know" could conceivably get popped with one exploit.

It's not that much friction to pull out (or find) my phone and authenticate. It only gets annoying when I switch phones, but I have a habit of only doing that every four years or so.

You sound like you know what you're doing, that's fine, but I don't think it's true that MFA doesn't add security on average.

jjav2y ago

> It only gets annoying when I switch phones

Right. I don't ever want to tie login to a phone because phones are pretty disposable.

> I don't think it's true that MFA doesn't add security on average

You're right! On average it's better, because most people have bad password and/or reuse them in more than one place. So yes MFA is better.

But if your password is already impossible to guess (as 128+ random bits are) then tacking on a few more bytes of entropy (the TOTP seed) doesn't do much.

1 more reply

White_Wolf2y ago

Your password is useless when it comes to hardware keyloggers. We run yearly tests to see if people check for "extra hardware". Needles to say we have a very high failure rate.

It's hard to get a software keylooger installed on a corp. machine. It's easy to get physical access to the office or even their homes and install keyloggers all over the place and download the data via BT.

jjav2y ago

> Your password is useless when it comes to hardware keyloggers.

You are of course correct.

This is where threat modeling comes in. To really say if something is more secure or less secure or a wash, threat modeling needs to be done, carefully considering which threats you want to cover and not cover.

I this thread I'm talking from the perspective of an average individual with a personal machine and who is not interesting enough to be targeted by corporate espionage or worse.

Thus, the threat of operatives breaking into my house and installing hardware keyloggers on my machines is not part of my threat model. I don't care about that at all, for my personal use.

For sensitive company machines or known CxOs and such, yes, but that's a whole different discussion and threat model exercise.

12_throw_away2y ago

> But if your (like my) passwords are 128+bits out of /dev/random, MFA isn't adding value.

no. a second factor of authentication is completely orthogonal to password complexity.

j / k navigate · click thread line to collapse

0 comments

hobobaggins2y ago

The worse part is that people think they're more protected, when they're really not.

Dylan168072y ago

Bringing everyone up to the level of "strong and unique password" sounds like a huge benefit. Even if your "generally" is true, which I doubt, that leaves a lot of gaps.

account422y ago

Doesn't help that a lot of companies still just allow anyone with access to the phone number to gain access to the account (via customer support or automated SMS-based account recovery).

loeg2y ago

It's inconvenient, SMS 2FA is arguably security theater, and redundant with a real password manager. Hopefully Passkeys kills 2FA for most services.

illusive4080OP2y ago

SMS 2FA is the devil. It’s the reason I haven’t swapped phone numbers even though I get 10-15 spam texts a day. The spam blocking apps don’t help and intrude on my privacy.

Hawxy2y ago

FYI github already supports using passkeys as a combined login/2FA source. I haven't used my 2FA codes for a while now.

1 more reply

userbinator2y ago

Freedom is far more important.

illusive4080OP2y ago

But you can use any totp authenticator. The protocol is free and open.

userbinator2y ago

It's more to make the point that "no means no." An act of protest.

(I have written a TOTP implementation myself. I do not have a GH account, and likely never will.)

1 more reply

creatonez2y ago

Should you have the freedom to put in a blank password, too?

voidz2y ago

My password is a single 'a'. Nobody will ever guess that one.

Freedom22y ago

They have the freedom to request whatever authentication method they want.

LtWorf2y ago

My source code is important to others but not to me. I have backups. but 2FA is annoying to me.

It's very easy to permanently lose accounts when 2FA is in use. If I lose my device my account is gone for good.

Tokens from github never expire, and can do everything via API without ever touching 2FA, so it's not that secure.

Brian_K_White2y ago

"If I lose my device my account is gone for good."

Incorrect, unless you choose not to record your seeds anywhere else, which is not a 2fa problem.

2fa is in the end nothing more than a 2nd password that just isn't sent over the wire when used.

You can store a totp seed exactly the same as a password, in any form you want, anywhere you want, and use on a brand new device at any time.

LtWorf2y ago

> Incorrect, unless you choose not to record your seeds anywhere else, which is not a 2fa problem.

You know google authenticator app introduced a backup feature less than 1 year ago right?

You know phones break all the time right?

2 more replies

jjav2y ago

> Why opposed to MFA? Source code is one of the most important assets in our realm.

But if your (like my) passwords are 128+bits out of /dev/random, MFA isn't adding value.

admax88qqq2y ago

Sure it is. If your system ever gets keylogged and somebody gets your password you are compromised

With MFA even if somebody has your password if they don't have your physical authenticator too then you're relatively safe.

ndriscoll2y ago

2 more replies

throwaway29902y ago

Haha yes they do. Everyone stores their 2fa in 1Password so once that’s stolen by a key longer they’re fucked.

samatman2y ago

The slogan is "something you know and something you have", right?

It's not that much friction to pull out (or find) my phone and authenticate. It only gets annoying when I switch phones, but I have a habit of only doing that every four years or so.

You sound like you know what you're doing, that's fine, but I don't think it's true that MFA doesn't add security on average.

jjav2y ago

> It only gets annoying when I switch phones

Right. I don't ever want to tie login to a phone because phones are pretty disposable.

> I don't think it's true that MFA doesn't add security on average

You're right! On average it's better, because most people have bad password and/or reuse them in more than one place. So yes MFA is better.

But if your password is already impossible to guess (as 128+ random bits are) then tacking on a few more bytes of entropy (the TOTP seed) doesn't do much.

1 more reply

White_Wolf2y ago

Your password is useless when it comes to hardware keyloggers. We run yearly tests to see if people check for "extra hardware". Needles to say we have a very high failure rate.

jjav2y ago

> Your password is useless when it comes to hardware keyloggers.

You are of course correct.

I this thread I'm talking from the perspective of an average individual with a personal machine and who is not interesting enough to be targeted by corporate espionage or worse.

Thus, the threat of operatives breaking into my house and installing hardware keyloggers on my machines is not part of my threat model. I don't care about that at all, for my personal use.

For sensitive company machines or known CxOs and such, yes, but that's a whole different discussion and threat model exercise.

12_throw_away2y ago

> But if your (like my) passwords are 128+bits out of /dev/random, MFA isn't adding value.

no. a second factor of authentication is completely orthogonal to password complexity.

j / k navigate · click thread line to collapse