Technology @lemmy.ml Xylight (Photon dev) @lemmy.xylight.dev 2y ago

GitHub to require 2FA on accounts by October 6, 2023

github.blog Raising the bar for software security: GitHub 2FA begins March 13

On March 13, we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. Read on to learn about what the process entails and how you can help secure the software sup...

I personally am fine with this.

125

125 comments

Yep, should be standard everywhere

..... for accounts you actually give a shit about
- And not via SMS
- And not the twitch way, where you have to have in an identifier, your phone number, but using proper, standards ways for it, like TOTP and such
  
  twitch has TOTP
- emphasis on the
  
  … for accounts you actually give a shit about
While you are adding this anyway consider using an open source app instead of google auth like aegis. There are many others but I wish I knew about them sooner.
- I personally love keeweb. Passwords and 2fa all in one place.
  
  I mean you could argue that defeats the purpose of having 2fa, but it's convenient
  
  It weakens it a bit, but in my opinion it still has strength where it counts. If an attacker gets access to your password outside your password manager (man-in-the-middle, keylogger, phishing), then you’re still protected. Maybe it’s hubris in my own ability to keep my password manager safe, but I’ve never been worried about storing MFA in my password manager.
- Bitwarden is also good.
  
  Bitwarden crew checking in. The best thing about bitwarden is the 10$/year to have a pro account. It gives you, amongst other things the ability to store up to 1tb of attachments and reports on various risk assessments.
  
  You can even host your own instance.
  
  I recommend it.
  
  You probably shouldn't be storing your passwords and 2FA in the same place.
- Just moved my github MFA to aegis.
Good, people are fucking stupid and if it effects others it's often better to choose the security for them!
- Yup. I'm actually a bit baffled by how much negativity/misinformation there's around 2FA even in a place like this, which should naturally have a more technically inclined userbase.
  
  Well negativity is there because every app wants it.
  
  I don't care if account x is compronised, as it has absolutly no value
  
  I dislike MFA because it creates a risk of losing access to my account. I can back up my passwords; I can't back up a hardware device.
2fa should be mandatory everywhere
- Hard disagree. I do not want to have 2FA for every shittly little thing I do not care about.
  
  Yeah. GitHub makes sense because most users are writing code that can be executed by others. That makes GitHub accounts security critical.
  
  But a Lemmy account? Naw, you lose almost nothing if that gets compromised. A little bit of history and subscriptions, mostly.
  
  I'm in a discord that for some reason "requires" 2FA. Based on searching, I think they give everyone some kinda admin role or something? It doesn't actually require 2FA, but it shows a very annoying warning that covers up a bunch of the channel selection screen. But despite that, I don't really wanna deal with the hassle of 2FA on a chat app that's basically consequence free for me if it gets exploited.
- Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.
Passkeys supported?
- https://docs.github.com/en/authentication/authenticating-with-a-passkey/managing-your-passkeys
- What's the difference between a passkey and a security key?
  
  Edit: ohh, it's passwordless. I won't do this for my Google account. Github: maybe. but not Google
2FA is the biggest bane to my productivity in the last 15 years, no part of my work life should require me to pull out my magic distraction device.
- Use a password manager that lets you autofill 2fa, like Bitwarden.
  
  1password does this, too and it's magical. I've had my SMS go to my browser via Google Messages for a while, but it's so much easier to just auto-fill it instead of copy/paste
  
  That's bad advice
- Get a hardware 2FA key instead of using your phone for TOTP
- I don't like how a lot of things require their own custom app, especially when there's no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it
  
  I like the app setup rather than shoving everything into a browser. But I'm not a fan of this 2fa stuff. I get the point is security, but let me decide which app/method to use, and whether I want to use it at all. Otherwise it's just annoying.
- Yubikey
- You can use KeePassXC to generate the TOTP codes on your PC. With the browser plugin, you can generate the code and fill the textbox with one click when the password database is unlocked.
  
  Sites that don't use standard TOTP for 2FA are a pain in the ass though.
- Authy has a desktop app and syncing across devices
  
  …through a third-party cloud server that you have no good reason to trust. No bueno. Keep sensitive information off the cloud unless you want it to become public.
  
  This! Authy is very very nice. Syncing accounts is a life saver, both as backup, and not having to pick up the phone all the time.
  Cut and pasting with a click instead of reading and typing, is so much faster.
  Easily search the very long list of entries.
  Not open source tho, but free as in beer.
  If Aegis had the sync option, i would have used that. But it did not last time i checked.
No offense to companies but I'm honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a "bad phone number". This happened on discord where I'm locked out of certain servers because I can't do phone verification, and I can't do it because discord doesn't like my phone number. Twitter was the same way for a long while (couldn't do 2fa/phone verification due to them not liking my number).

From the article it sounds like they're doing authenticator app or sms. I'm guessing sms won't work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft.... no google?

Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we're gonna have to have 30 different authenticator apps on our phone?
- Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?
  
  you... don't?
  
  Both of these implement exactly the same protocol (TOTP). Used authy for all my ~~Top Of The Pops~~ Time-based one-time password needs exclusively, before moving everything to bitwarden
  
  Unfortunately there are some websites that require Authy (probably because Authy wined and dined some business executive). I absolutely loathe these sites but if it’s a site you’re not willing to live without, you’re stuck with having Authy plus your main 2FA app.
  
  websites explicitly said to get one or the other so I did.
- BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn't matter which one you use.
  
  BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn't matter which one you use.
  
  Eh, it's a little more nuanced than that, there're more standards for MFA code generation than just TOTP.
  
  And even within the TOTP standard, there are options to adjust the code generation (timing, hash algorithm, # of characters in the generated code, etc.) that not all clients are going to support or will be user-configureable. Blizzard's Battle.net MFA is a good example of that.
  
  If the code is just your basic 6-digit HMAC/SHA1 30-second code, yeah, odds are almost 100% that your client of choice will support it, but anything other than that I wouldn't automatically assume that it's going to work.
- Anyone who claims they're doing OTPs over SMS for "security" ia lying to you. Discord wants your phone number; it has nothing to do with your security
  
  there's quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.
- Google Auth works just fine. The standard for app generated 2FA is, well, standard. They're only listing a non-complete list of options for people that don't know what an authenticator app is and need to get one for the first time.
  
  The google auth which transmits your totp code in plaintext to there servers?
  
  do all authenticators work for all services?
I personally am afraid of this. What if something gets botched? I'll be permanently locked out of my account!
- Print off your recovery codes and keep them safe. If you want to be extra, hammer them into metal plates like the crypto weirdos do.
  
  Printing recovery codes would require me to either be price gouged by the printer ink cartel or use someone else's printer, and using someone else's printer is begging to get my account stolen.
  
  I have no idea how to hammer things into metal plates, but I'm guessing that's even more expensive than printer ink.
- I'd prefer me getting permanently locked out over someone who isnt me getting allowed in. Even more so to services which have my credit card number.
  
  But unlikely anyway, as long as I save my pass and 2fa to a password manager, and keep the backup codes backed up.

125 comments