Github forces 2FA: what if I just not?

If it's not ZDoom, it goes here.
Graf Zahl
Lead GZDoom+Raze Developer
Posts: 49194
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: Github forces 2FA: what if I just not?

Post by Graf Zahl »

Well put. This kind of "security" is just ridiculous. My main problem with TOTP apps is that for added security they require a password, which of course, for security purposes is not stored anywhere, so with my shitty password memory it needs to be written down on paper so I won't forget - unless that piece of paper accidentally lands in the trash.
It's all a stupid vicious circle that doesn't help me one bit in making things more secure - just more annoying.
Caligari87
Admin
Posts: 6196
Joined: Thu Feb 26, 2004 3:02 pm
Preferred Pronouns: He/Him

Re: Github forces 2FA: what if I just not?

Post by Caligari87 »

... no they don't? I've never had to put in a password for my TOTP app.

I wonder if you're thinking of password managers, which are completely different.

8-)
Graf Zahl
Lead GZDoom+Raze Developer
Posts: 49194
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: Github forces 2FA: what if I just not?

Post by Graf Zahl »

The one I tried on Windows wanted to do that. I scrapped it right away.
Rachael
Posts: 13856
Joined: Tue Jan 13, 2004 1:31 pm
Preferred Pronouns: She/Her

Re: Github forces 2FA: what if I just not?

Post by Rachael »

https://winauth.github.io/winauth/download.html
Here's the TOTP app that I use, personally, on PC. It doesn't do anything I don't want it to do.
Talon1024
Posts: 376
Joined: Mon Jun 27, 2016 7:26 pm
Preferred Pronouns: He/Him
Graphics Processor: nVidia with Vulkan support

Re: Github forces 2FA: what if I just not?

Post by Talon1024 »

I'm not sure if 2FA is actually any more secure than good old 1FA. Someone may be able to "hack your mind" and fool you into logging into one of your accounts, whilst doing nefarious things like stealing your credentials and data on their end. However, if they have data that proves 2FA is significantly more secure than 1FA, it's hard to argue with that.

P.S. I used FreeOTP to set up 2FA with GitHub on my Android phone.
Caligari87
Admin
Posts: 6196
Joined: Thu Feb 26, 2004 3:02 pm
Preferred Pronouns: He/Him

Re: Github forces 2FA: what if I just not?

Post by Caligari87 »

Social engineering is the ultimate downfall of all security measures. I don't even factor that in because it can never be mitigated as long as people are dumb.

Proper 2FA is objectively more secure than "1FA" because it provides a dynamic passcode that is always changing and thus can (essentially) never be guessed. Even if someone manages to get your static password by cracking the database, they will be unable to log in without the physical device you're holding in your hand. For the 99.999999% of us who don't live in a spy thriller movie, this means we're pretty darn safe because hackers aren't gonna come to your house and steal your phone (or your password post-its for that matter); they're gonna move on to an easier target.

2FA does admittedly have its various downsides, but just anecdotally: I once wiped my phone without backing up my two dozen 2FA keys. I was still able to get back into all my accounts and re-generate my 2FA keys, because I had properly set up emergency recovery methods. Is it less convenient? Yes. But the minimum bar has gone up, and correcthorsebatterystaple just isn't good enough anymore.

8-)
Blzut3
Posts: 3188
Joined: Wed Nov 24, 2004 12:59 pm
Graphics Processor: ATI/AMD with Vulkan/Metal Support

Re: Github forces 2FA: what if I just not?

Post by Blzut3 »

If nothing else, 2FA prevents accounts from being hijacked using reused passwords from other data leaks. Other than that, how much security it adds definitely does depend on how securely you handle the 2FA secret, but ultimately the point is to have something you know (your password) and something you have. So no, having a passwordless 2FA app isn't going to defeat the purpose. It just increases the likelihood of the secret being compromised, which is where that sliding scale of security comes in.

In regards to "everything is published openly, so what does it matter?": particularly in the case of languages whose package managers pull source directly from github, it's possible for a hijacked account to lead to people trusting code not from the author they think they're trusting. Before any holier-than-thou comments about package managers, this is just one example off the top of my head of how an account with only public code could be valuable to an attacker.
Professor Hastig
Posts: 256
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: Github forces 2FA: what if I just not?

Post by Professor Hastig »

Blzut3 wrote (Wed Sep 13, 2023 10:05 pm):
> If nothing else, 2FA prevents accounts from being hijacked using reused passwords from other data leaks.

To do that, sending a verification code to the registered email account would be enough, unless both got hacked by the same people.

Blzut3 wrote (Wed Sep 13, 2023 10:05 pm):
> Other than that, how much security it adds definitely does depend on how securely you handle the 2FA secret, but ultimately the point is to have something you know (your password) and something you have. So no, having a passwordless 2FA app isn't going to defeat the purpose. It just increases the likelihood of the secret being compromised, which is where that sliding scale of security comes in.

Here's where the problems start. Sometimes the managers of these sites think that nothing below perfect security is enough, no matter how much this inconveniences the legitimate user.

Blzut3 wrote (Wed Sep 13, 2023 10:05 pm):
> In regards to everything being published openly so what does it matter? Particularly in the case of languages whose package managers pull source directly from github, it's possible for a hijacked account to lead to people trusting code not from the author they think they're trusting. Before any holier than thou comments about package managers, this is just one example off the top of my head on how an account with only public code could be valuable to an attacker.

TBH, any package manager maintainer that doesn't thoroughly check the packages they distribute is a menace all in itself. I do not see this as a prime attack vector (more the opposite here, i.e. not updating packages out of laziness or complacency). What cannot be discounted, of course, is some software directly using a repo as a directly linked subproject and not being careful.
NeuralStunner
Posts: 12328
Joined: Tue Jul 21, 2009 12:04 pm
Preferred Pronouns: No Preference
Operating System Version (Optional): Windows 11
Graphics Processor: nVidia with Vulkan support
Location: capital N, capital S, no space

Re: Github forces 2FA: what if I just not?

Post by NeuralStunner »

I think this is a given for corporations, but utter overkill for anyone who just wants to tinker about. I want to say it should be up to the repo owner if they want to require 2FA for commit access and/or pull requests.