Author Topic: GitHub starts enforcing 2FA  (Read 3063 times)

golden_labels
Re: GitHub starts enforcing 2FA
« Reply #25 on: March 11, 2023, 05:28:42 pm »
I have 10 Github repos, but have never installed git or any github web app.  I just use my browser in Windows to create and modify the repos on the site.
Would it be a problem, if I asked: what is the motivation behind using GitHub in that instance?

Can someone clarify if the 2FA requirement will apply to me, and if so how I can satisfy it.
Yes, it will.

I don't use a mobile device.  2fast was mentioned earlier, but Github's explanation of 2FA says a phone is required.
A phone will not be required and, while it remains an available option, GitHub discourages this option:
Quote
We strongly recommend the use of security keys and TOTPs wherever possible. SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B.

I thought GitHub was used mostly by programmers. Was I wrong?
Yes, it is used mostly by programmers. You are not wrong in that. But you may be wrong in making additional assumptions about what “being a programmer” implies.

Thanks but I moved everything from github to Gitlab.
I stay away from tech giants because they are arrogant and do whatever they like.
Are you sure you ran away? Or were misled into believing GitLab is some small, nice company? It's a NASDAQ-traded international corporation at the same scale as GitHub.

The last thing I'll do is give them my telephone number.
You somehow missed that GitHub explicitly asks not to use a mobile phone for that purpose.
People imagine AI as T1000. What we got so far is glorified T9.
 

Peabody
Re: GitHub starts enforcing 2FA
« Reply #26 on: March 11, 2023, 05:41:17 pm »
I have 10 Github repos, but have never installed git or any github web app.  I just use my browser in Windows to create and modify the repos on the site.
Would it be a problem, if I asked: what is the motivation behind using GitHub in that instance?

Not a problem at all.  I use it to post software I've written, and some circuits I've developed, that might be useful to others, and that I can link to from forums like this.  I don't have any other place to post it.  From looking around there, it appears a lot of other people use Github for the same purpose.
 

shapirus
Re: GitHub starts enforcing 2FA
« Reply #27 on: March 11, 2023, 05:42:50 pm »
Yes, it is used mostly by programmers. You are not wrong in that. But you may be wrong in making additional assumptions about what “being a programmer” implies.
Well, may or may not. I guess I won't be very wrong if I say that git (as well as many other protocols) over ssh is the industry-standard approach. SSH is a well-established and very convenient way of tunnelling IP protocols over an encrypted TCP connection.
 

golden_labels
Re: GitHub starts enforcing 2FA
« Reply #28 on: March 11, 2023, 06:38:06 pm »
It is common in major companies in European and North American countries, and possibly some dependent companies elsewhere. That is hardly a representative sample of people engaging in programming. And even in this case workers rarely set SSH up themselves.
 

shapirus
Re: GitHub starts enforcing 2FA
« Reply #29 on: March 11, 2023, 06:58:58 pm »
And even in this case workers rarely set SSH up themselves.
I would fire the developer who can't set up an SSH client without any hesitation. This is one of the very basic skills of the profession.

(and I haven't ever met any who couldn't.)
 

mwb1100
Re: GitHub starts enforcing 2FA
« Reply #30 on: March 11, 2023, 09:23:15 pm »
Many password managers support 2FA protocols.  The one I use (SafeInCloud) is free - but not open source - for the Windows desktop.

You don't need to use a phone if you don't want to.
 

mwb1100
Re: GitHub starts enforcing 2FA
« Reply #31 on: March 11, 2023, 10:02:00 pm »
And even in this case workers rarely set SSH up themselves.
I would fire the developer who can't set up an SSH client without any hesitation. This is one of the very basic skills of the profession.

(and I haven't ever met any who couldn't.)

SSH is not particularly common on Windows, and the SSH tools that come with Windows (even Win11) are old and broken, so you will likely have to find an alternative set of tools and get them installed and configured.

And as I noted before, clearly there is a large set of github users who don't use SSH, otherwise github (and others) would likely not put in the effort to support pushing & pulling using HTTPS with special tokens or 2FA.

I guess I won't be very wrong if I say that git (as well as many other protocols) over ssh is the industry-standard approach. SSH is a well-established and very convenient way of tunnelling IP protocols over an encrypted TCP connection.

Do you realize that when you click on the button to get a repository URL from github that the default is HTTPS?  I'd guess that the vast majority of people pushing to github (and without a doubt pulling from github) are using HTTPS - especially people using Windows.
 

shapirus
Re: GitHub starts enforcing 2FA
« Reply #32 on: March 11, 2023, 10:27:15 pm »
SSH is not particularly common on Windows
A software developer who uses Windows is, at least, suspicious, because it's the OS which is specifically designed to kill the programmer's productivity.
 

mwb1100
Re: GitHub starts enforcing 2FA
« Reply #33 on: March 12, 2023, 02:36:50 am »
Seems a few people disagree.  From https://www.thurrott.com/dev/277533/report-more-developers-use-linux-than-a-mac:

Quote
As for the platforms that developers use, Windows retains its lead, with 62.33 percent of respondents using Windows for personal use and 48.82 percent using it for work. Linux is number two, with 40 and 40 percent, respectively, while the Mac brings up the rear with 31 and 33 percent.

Regardless of your opinions of people who use Windows or don't use SSH, there's a lot of them.  Hence github's HTTPS tokens.

And one nice thing about that is that it doesn't prevent you in any way from using SSH. And there's a large pool of people for you to evangelize SSH (or put down).
 

PlainName
Re: GitHub starts enforcing 2FA
« Reply #34 on: March 12, 2023, 04:59:10 pm »
SSH is not particularly common on Windows
A software developer who uses Windows is, at least, suspicious, because it's the OS which is specifically designed to kill the programmer's productivity.

In what way, and how does the OS do that?

And is that worse than developing code on the product you're making? Some developers insist on having their RPi or similar compile the code, for instance.
 

alm
Re: GitHub starts enforcing 2FA
« Reply #35 on: March 13, 2023, 06:30:48 pm »
I wasn't aware of that limitation.  Do you have a pointer to more information about this behavior?  I can't find any issue or discussion topic about it at the https://github.com/git-ecosystem/git-credential-manager site.
It's not a limitation in git credential manager, it's a limitation in Windows Credential Store. We had it with another tool that was using the Windows Credential Store. Looking at https://learn.microsoft.com/en-us/windows/win32/api/wincred/ns-wincred-credentiala, I'm not 100% sure into what limit we ran. Maybe the one for the credentials blob? Either way, the end result was that we had to fall back to plain text files for secret storage on Windows systems (a downgrade in security), while things worked smoothly on Mac and Linux systems with their native secret stores.
 

c64
Re: GitHub starts enforcing 2FA
« Reply #36 on: March 14, 2023, 12:06:28 am »
SSH is not particularly common on Windows
A software developer who uses Windows is, at least, suspicious, because it's the OS which is specifically designed to kill the programmer's productivity.
It depends which version of Windows. My main dev workstation is Win7 (a couple of years ago it was XP  8) ) and Debian is secondary. I find Win7 more convenient.
 

