I just received an email from Github that they are now ofically begin to require users who contribute code need to have 2FA enabled.
Why isn’t password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?
Would like to hear your thoughts about this.
It’s 2023, we are almost already at Passkeys and you skipped TOTP (basically that “Google Authenticator” does) as 2FA?
anyway there are a lot of open source TOTP apps available to choose from like Aegis or if you want to sync it something like Bitwarden (Premium or Vaultwarden)
desktop apps also exist but that would defeat the point probablystay away from proprietary apps and do backups of these TOTP secrets or you’ll absolute will lock you out if you loose your phone somehow
2FA is more secure, and IMHO there’s no need to be upset.
More secure. If my phone is stolen, they have full acces to my mailbox but they will look long and hard at my passworded 2FA app.
It is annoying, especially for those of us who are diligent about our existing factors and unlikely to be compromised, but the sad reality is that most people aren’t that diligent and supply chain attacks are a serious problem that needs addressing.
For your own projects, it might be worth considering a move away from GitHub. (I’ve been thinking about it since Microsoft bought them.) Codeberg looks like a good alternative.
For participating on existing projects, I suppose the silver lining is that they chose standard TOTP, instead of some awful proprietary system. I can use whatever open-source code generator I like.
