Github forces 2FA: what if I just not?
Github set a deadline on 6 October 2023, for me, to set up 2FA.
According to the official page
https://github.blog/2023-03-09-raising- ... -march-13/
it blocks my account from accessing GitHub features, which is... what exactly? It will straight up lock me from using 'git push/push/fetch' and/or checking code repositories (it requires an account now, for good or for bad)? Because all I need from GitHub, and all I use it for, is an online copy of my shit, in case something happens with the local copy/hard drive/PC.
-
- Posts: 256
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: Github forces 2FA: what if I just not?
It will block you from logging in. Any personal access token should continue to work but you won't be able to create new ones.
This action seriously makes me wonder how much damage it will inflict on the service. 2FA has become one of the biggest annoyances with internet services because losing the second factor is a lot more likely than those requiring it imagine and unfortunately many services require a second factor that's particularly easy to lose.
- drfrag
- Vintage GZDoom Developer
- Posts: 3175
- Joined: Fri Apr 23, 2004 3:51 am
- Location: Spain
- Contact:
Re: Github forces 2FA: what if I just not?
Same here before October 12, I guess you could not do anything until you enable 2FA. And you need a third party mobile app for that.
-
- Posts: 256
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: Github forces 2FA: what if I just not?
They also accept SMS. Had they required a mobile app I think many people would have quit. SMS is bad enough but these authenticator apps are a genuine menace.
It's really sad that 2FA has become the default method to claim that "we care about security." What's more secure here than requiring an email confirmation as they already did before if they noticed a login from another device?

- drfrag
- Vintage GZDoom Developer
- Posts: 3175
- Joined: Fri Apr 23, 2004 3:51 am
- Location: Spain
- Contact:
Re: Github forces 2FA: what if I just not?
SMS messages sound even worse, they'll likely charge for them.
- Graf Zahl
- Lead GZDoom+Raze Developer
- Posts: 49223
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: Github forces 2FA: what if I just not?
Should they really do that I'd nuke my account and all content along with it. 2FA is a genuine menace, especially when it requires a modern smartphone. Reality check: There are people who do not want to have one - for my needs a simple dumbphone is more than enough.
- drfrag
- Vintage GZDoom Developer
- Posts: 3175
- Joined: Fri Apr 23, 2004 3:51 am
- Location: Spain
- Contact:
Re: Github forces 2FA: what if I just not?
Luckily I just bought a new smartphone for 50€, it was a special offer xD. Not too bad 2 and 32 GB.
But I've found out the only talk I see about Github's 2FA is happening on Github itself. That's strange, could this shit kill Github? I don't know.
Re: Github forces 2FA: what if I just not?
The ambiguity of what happens if I don't really pisses me off. If they want to insist on 2FA that's their right as it is their website, but it sure is shitty not to specify properly what exactly happens if I don't. Classic dark pattern behavior btw.
- Kinsie
- Posts: 7402
- Joined: Fri Oct 22, 2004 9:22 am
- Graphics Processor: nVidia with Vulkan support
- Location: MAP33
- Contact:
Re: Github forces 2FA: what if I just not?
Professor Hastig wrote: ↑Mon Sep 11, 2023 11:33 pm
This action seriously makes me wonder how much damage it will inflict on the service.

Probably pretty minimal, given how common two-factor authentication is across every other online service nowadays (and given how likely it is for people who use GitHub professionally to already be using other, more onerous security systems like employer-owned VPNs or physical dongles - what's another six digit code on top of that?)
-
-
- Posts: 3202
- Joined: Wed Nov 24, 2004 12:59 pm
- Graphics Processor: ATI/AMD with Vulkan/Metal Support
- Contact:
Re: Github forces 2FA: what if I just not?
It doesn't. You can run a TOTP authenticator app on your PC. Some password managers even have it built in so they can auto fill your password and 2FA code. Technically not as ideal as using a separate device, but it's better than nothing. TOTP uses only time for synchronization (no connection of any sort required) so what you do with the secret they give you is your business.
-
- Posts: 256
- Joined: Mon Jan 09, 2023 2:02 am
- Graphics Processor: nVidia (Modern GZDoom)
Re: Github forces 2FA: what if I just not?
It depends on how easy it is to get that code.
I would never entrust this to an app on my smartphone. I normally do not even use a smartphone. I just had to buy one so I can use my bank's 2FA which is so 'secure' it doesn't offer any alternative. I would have switched banks normally, but I'd get so much worse conditions that the phone ultimately costs less. I only installed a prepaid SIM card with no monthly fee in it, otherwise the math wouldn't check out.
- Kinsie
- Posts: 7402
- Joined: Fri Oct 22, 2004 9:22 am
- Graphics Processor: nVidia with Vulkan support
- Location: MAP33
- Contact:
Re: Github forces 2FA: what if I just not?
Professor Hastig wrote: ↑Wed Sep 13, 2023 12:39 am
It depends on how easy it is to get that code.
I would never entrust this to an app on my smartphone. I normally do not even use a smartphone. I just had to buy one so I can use my bank's 2FA which is so 'secure' it doesn't offer any alternative. I would have switched banks normally, but I'd get so much worse conditions that the phone ultimately costs less. I only installed a prepaid SIM card with no monthly fee in it, otherwise the math wouldn't check out.

They list four options: A code via a TOTP Authenticator app (typically on smartphone, but as mentioned there are less-secure PC options), a code via SMS text messages (not recommended, prone to "SIM-swapping" social-hacking exploits), using a physical security key device (like Windows Hello on PC, or Touch ID/Face ID on Apple), or tapping an "approve login attempt" button in the GitHub smartphone app.
- Graf Zahl
- Lead GZDoom+Raze Developer
- Posts: 49223
- Joined: Sat Jul 19, 2003 10:19 am
- Location: Germany
Re: Github forces 2FA: what if I just not?
So you got the choice between shit, crap and puke. I got it. 

- Caligari87
- Admin
- Posts: 6225
- Joined: Thu Feb 26, 2004 3:02 pm
- Preferred Pronouns: He/Him
- Contact:
Re: Github forces 2FA: what if I just not?
A TOTP authentication app doesn't need internet, it can be completely airgapped. You could use a junk "smartphone" that's been languishing in a drawer for a decade with no sim and no wifi and just disable everything else. Rip out the antenna and sideload the install file via SD card or USB if you want, no app store access needed. There's plenty of open-source options too, not just Google Authenticator.


Re: Github forces 2FA: what if I just not?
I could also put guards outside the house where the phone is located. Just in case. Security is not an absolute thing - it is a trade off. How important is something to you and how far are you willing to go to protect it. By uploading my software to the cloud I am already compromising on security. The US government now has free access to all my private repositories if they want to take a peek, for example. 
