Author Topic: Stupid Microsoft enforcing 2FA in GitHub  (Read 1111 times)


Offline DavidAlfa (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6083
  • Country: es
Stupid Microsoft enforcing 2FA in GitHub
« on: October 26, 2023, 02:56:21 am »
It's ok to add the option, but let people decide the security they need, a really huge percentage of accounts are doing nothing important.

But enforcing it is plain stupid, no way am I adding more personal information to be leaked for the 1849192th time, a later "Sorry we got a breach" email won't fix it!

It'll backfire on them, people are flying to GitLab, I see them removing the "feature" in no time...
« Last Edit: October 26, 2023, 02:58:23 am by DavidAlfa »
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14893
  • Country: fr
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #1 on: October 26, 2023, 03:08:37 am »
Yeah I understand the frustration, but 2FA is going to become prevalent I guess.
You actually don't need to give more personal info. I bought a couple of keys a few months ago and set them up with a few accounts, including one of my bank accounts.

For GitHub, I didn't need to provide more personal info than they already had before.
I used TOTPs with 2FAS: https://2fas.com/
This way you don't need to give them your phone number or anything like that.
 
The following users thanked this post: Someone, newbrain

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5766
  • Country: au
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #2 on: October 26, 2023, 04:45:53 am »
The issue of accounts getting breached isn't just an issue for the account holder but for the business as well.

The fewer accounts are compromised, the more reliable the product becomes. You wouldn't be too interested if the place was just full of malware and garbage due to stolen accounts.
 
The following users thanked this post: thm_w, samofab, abeyer

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 291
  • Country: au
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #3 on: October 26, 2023, 08:01:39 am »
Just use TOTP. No extra info given away. Don't use "muh privacy" as a lame reason.

As for them reverting the change, won't happen. And people won't be flying to GitLab because of it.

It's hardly an imposition but it seems there's always someone who'll whinge. This is not even the first thread here about this GitHub change either. The whinge level for stuff like this is certainly higher here.

https://www.eevblog.com/forum/chat/how-to-bypass-githubs-new-enable-two-factor-authentication
https://www.eevblog.com/forum/programming/github-starts-enforcing-2fa
 

Offline DimitriP

  • Super Contributor
  • ***
  • Posts: 1360
  • Country: us
  • "Best practices" are best not practiced.© Dimitri
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #4 on: October 26, 2023, 08:49:00 am »
I would buy into 2FA if all them "security folk" were smart enough to figure out that since the computer, browser and ISP that I've used the last few hundred times I logged in is still the same, it's me.
Perhaps 2FA can detect that there is no knife on your throat too.

For security reasons and your protection this message will be deleted in 24 hours. :-DD

If three 100 Ohm resistors are connected in parallel, and in series with a 200 Ohm resistor, how many resistors do you have?
 

Online Siwastaja

  • Super Contributor
  • ***
  • Posts: 8307
  • Country: fi
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #5 on: October 26, 2023, 08:57:24 am »
People did not fly to Gitlab even when Microsoft stole their code only to sell it, which is actually a criminal offense and in any case orders of magnitude worse than some broken login bullcrap. No one ever got fired buying IBM Microsoft, and if Bill Gates comes to your door asking to suck his dick, most will just do that. Me included, I have not moved anywhere from Github either, but once you think about it, it's pretty crazy to keep using it. And yet that's exactly what we do.
 

Offline DavidAlfa (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6083
  • Country: es
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #6 on: October 26, 2023, 09:42:59 am »
Yeah, it's another thing which started great, got into everyone's daily life, and once they got us all on the hook, bang!
Change it as the ** they want, nobody is going anywhere
Just like Google etc etc.
 

Offline Buriedcode

  • Super Contributor
  • ***
  • Posts: 1646
  • Country: gb
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #7 on: October 26, 2023, 01:29:16 pm »
> It's ok to add the option, but let people decide the security they need, a really huge percentage of accounts are doing nothing important.

Giving "people" the power to determine the level of security a system has is a terrible idea. Increased security is almost always the direct result of past failures.

 

Offline Veteran68

  • Frequent Contributor
  • **
  • Posts: 727
  • Country: us
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #8 on: October 26, 2023, 08:34:03 pm »
Umm, no. They won't be "going back" on MFA. Microsoft, like nearly all modern enterprises (including my own employer), is going all in on MFA and passwordless/passkey-based tech.

And as was pointed out, trusting people to determine their own security is just a horribly bad idea. Unfortunately, allowing people to choose to be insecure just increases the risk for all of us as well as businesses such as GitHub in this case. It's not only about getting to your "nothing important" source code. If I can get on the platform using your easy-to-compromise credentials, then I not only can potentially exploit any weaknesses of the platform once I'm in it, but I can do it while impersonating YOU. That should concern you. It sure as hell will concern GitHub.

Best to embrace MFA and other advances in security as a necessary cost of doing business in the new high tech world. It won't be going anywhere, and things could get even more onerous. Honestly, it's pretty painless and straightforward nowadays. I use an authenticator app on my phone every day (every. single. day.) because not only does my employer require MFA, but so do several other service providers or suppliers I work with on a regular basis. Today it's still an option with most, but as you can see with GitHub, it won't be for long.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14893
  • Country: fr
Re: Stupid Microsoft enforcing 2FA in GitHub
« Reply #9 on: October 26, 2023, 09:04:26 pm »
I'm glad TOTP exists and is a currently accepted method. Hopefully it will keep being that way.
With that, I find using security keys pretty acceptable and better than plain passwords obviously. The downside is that if you lose the key(s), you're screwed up. Yes, there are ways of recovering access - either with a set of recovery codes (but you need to keep those away from prying eyes and make sure you don't lose them either, so it's kinda shifting the problem), or other methods, most of which will rely on proving your identity in some way, which (at the moment at least) means usually some lost privacy.

So, TOTP+security keys are cool if you make sure not to lose your keys. Otherwise, you are going to lose privacy and will have to disclose some personal information to get access.

As to GitHub itself, there have been a number of good reasons for moving away from it way before this 2FA thing. So IMO if you had to quit GitHub, it should not be because of 2FA.
I personally use GitHub when I'm forced to (as I'm sure many of us), that is if I have to collaborate on a project that is hosted there, which is relatively commonplace in the professional world these days, even outside of pure software; or to report issues/bugs on open-source projects that are mainly hosted there. Otherwise, outside of these cases, I do not have a single project on GitHub.
 

