I just received an email from Github that they are now officially beginning to require users who contribute code to have 2FA enabled.
Why isn't password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?
It's 2023, we are already almost at Passkeys, and you skipped TOTP (basically what "Google Authenticator" does) as 2FA?
Anyway, there are a lot of open source TOTP apps available to choose from, like Aegis, or if you want to sync it, something like Bitwarden (Premium or Vaultwarden).
Desktop apps also exist, but that would probably defeat the point.
Stay away from proprietary apps and make backups of these TOTP secrets, or you will absolutely lock yourself out if you lose your phone somehow.
True, it's more secure. But I think that it should be optional, since it's the user's responsibility to keep their accounts safe. Good thing that GitHub offers various methods to add a second factor.
It is annoying, especially for those of us who are diligent about our existing factors and unlikely to be compromised, but the sad reality is that most people aren't that diligent and supply chain attacks are a serious problem that needs addressing.
For your own projects, it might be worth considering a move away from GitHub. (I've been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.
For participating on existing projects, I suppose the silver lining is that they chose standard TOTP, instead of some awful proprietary system. I can use whatever open-source code generator I like.
supply chain attacks are a serious problem that needs addressing.
Last I checked: I am not a supplier. So I will not invest effort to secure some supply chain for people that I do not have any obligations to: the license clearly states "no warranty" for a reason. I do those projects for fun, not to bother myself with security stuff, notifications about security problems some automatic thing "found" that do not really affect my code, and bogus merge requests to upgrade dependencies for no reason... these are all cool things if you are a supplier, do not get me wrong, but I am not. No, I will not invest hours of my free time to sign binaries nobody uses either, or to fill out security surveys for badges I can display on github.
If you want me to act like a supplier: pay me like all the other suppliers you have. I doubt there is any interest in doing so for the projects I have on my private github :-)
For your own projects, it might be worth considering a move away from GitHub. (I've been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.
That also has associated costs: your project instantly gets much less visible, so you need to keep a mirror on github for visibility. Unfortunately that means you will also get interactions on github, so you will need to log in occasionally so that people don't think the project is dead.
I know it can happen, but it sounds very unlikely that someone who stole your phone has any interest in your github or other accounts. The worth is mostly the device, no?
If I were to steal someone's phone in public, I would assume they have at least a bank app and multiple apps with their card saved for easy buying. By the time they get access to another device or their banks, I would have enough time to do a lot of damage. I could also save some credentials for later access after the waters settle. I doubt my victim would go through each of their accounts and change passwords. Most users use a Gmail account, which has multiple ways to get access back, and most users don't know how to check them and disable what they use and don't use. I could easily set up a sort of backdoor in their email and gather more important information.
You never know what important information you might store in your Github account. You have a donation link in your description? It would be a pity if I changed that link to my personal bank account and just diverted some funds back into your bank account to not raise suspicion.
I'm not particularly angry or stumped about this, but I agree that it should be the user's choice. I value freedom, especially regarding software, and I'd much rather have an OS that lets me delete the root folder than one that does not let me delete system32, even if I never intend to do any of those things. In much the same way, I think I should get to decide how much I am willing to protect a particular account. What github should do is point to the option of using 2FA and recommend it, with a brief explanation, not require it as policy.
On the one hand, security is good in the general case, and github has a right to set whatever (legal) conditions they want for the use of their services.
On the gripping hand, for the kind of stuff I've put on github in the past? Not worth even a tiny bit of additional friction, especially when I hate git to begin with. I've been procrastinating for a while now about moving or deleting existing repositories. Should get on it, I guess.
(There are also certain details of how they've executed their security upgrade, which locked some maintainers out of their projects at one point, that I don't like, and which has reduced my already low trust in them.)
Most of my private and personal projects I host on my own server anyway, but recently I began to contribute to public projects, even if it's just translations, and I would love to continue doing it. So I'll use an Authenticator for my github account then.