forced 2FA?!?

[bigsupersquid]

I know my opinion matters not to the almighty Micro$oft who now owns Github.
I am still registering a complaint even though it will never make any difference.
I am extremely unhappy that the system now requires 2 factor authentication for my account.
I will never /voluntarily/ use 2FA, but in this case I am given no control over the situation. my only option while still allowing others to share the code bases I've put up here over the last decade+ would be to export all my repositories to a more "freedom" oriented platform. but I'm not aware of one. Gitlab has gone to paid-only access except for viewing some time ago, so they're right out.
My complaint is that nobody should be /forced/ to use 2FA to sign in. it sucks and is not necessary for many of us.
this isn't a spy agency (at least hopefully not), it isn't openly owned by the War Department (renamed as the DoD after WWII) or any other government platform, and I am not employed by a corporation with security protocols. if I was in any of those security-mandated situations I wouldn't have public repositories anyway.
boo, hiss. I gave out my long-standing VOIP SMS number for this unwanted requirement just because I have no choice (I'm certainly not going to allow another third party vendor to "secure" my logins and I am not going to install the github app just to be able to sign in.)
complaint registered, now go ahead and flame me for my distaste of additional security requirements to sign in on my publicly accessible repositories if you see fit... I'll ignore it.

[eleksir]

WHY, that annoying and useless 2fa forced?
Please, don't torture us with your pseudo-security.

Who want to hack - will hack accounts and this freak-show-security-uber-measures will not stop 'em. They just smile and say "we'll enter through another open door".

Why do you make suffer innocent users with this circus measures? Its not funny. Stop it. Please.

[ipsilon927]

Just give us a choice: to use, or not, be more polite and tolerate.

[pchg]

Exactly.

[aelnosu]

Try google voice :)

[eleksir]

Try not to clowning here, its serious discussion.

[VIPLightning]

The moment Github tells me that I'm no longer allowed to access my data because of 2FA is the moment I hold my middle finger high and set my focus to Codeberg and Sourceforge. I got my stuff migrated there and strongly recommend others to do the same if they value whatever freedom they have left before their accounts are locked. It's 2 days left for me.

[kcozens]

Thanks for the reminder about Sourceforge. I took over maintenance of a project hosted over there some years ago so I do have an SF account. I will look at moving my projects to that site.

[j00ch]

I'm quitting Github because of this. F M$

[pchg]

Yes, so do I.

[kcozens]

I don't like the idea of being forced to use 2fa. Any current day "app" is usually not compatible with the Android tablet I have. The alternative is to use some 3rd party OTP system of unknown origins. It doesn't feel like a safe thing to do. I don't know what 3rd party OTP program would be safe to use and not turn out to be one that secretly records information that could be used by someone else to access my account. I think I will need to mark my projects as being in an archive state and move the active repositories to some other site. On the set up page for 2FA one of the alternatives methods for 2fa is to send SMS messages. I don't have a cell phone so that method is useless to me. What about something simple such as SSH keys to access our accounts as are used when pushing code changes?

[OlinLathrop]

I agree. This is just more annoying nannyware! My security is my business. GitHub isn't my bank where I'm willing to put up with security hassles due the consequences of a break-in being serious. I'm perfectly fine with the level of security I get with just a username and password. More security isn't worth more inconvenience to me. That should be MY call to make!

GitHub, get off your high horse and stop imposing your holier-than-though views on us!

[PauloDC]

It is worse. It creates a SINGLE POINT OF FAILURE which is an error that even MS makes (did anyone tried to configure Win11 without an Internet connection?).
Not everyone in the world has a specific working mobile device when they login. I travel internationally quite frequently. I have different mobile devices to cover when I am out of area of one device. Sometimes I don't have a cellphone coverage where I am.

[pchg]

Yes, I totally understand. I often stay months and months working in remote places where Internet is just a dream. Or the only Internet connection you get is a super-expensive satellite with a bandwidth worse than a 33.6K modem from the 90's...

[bigsupersquid]

well, when I posted my initial gripe, I wasn't actively doing any coding, just starring or forking repos through the web gui. so I didn't realize the 2FA was just the top crust on the Unwanted Security Pie until last week when I tried to push a forked repo after making changes.
M$ also now forces either SSH access or setting up a crazy-long raw text "token" for login when you git push.
disgusting. I have to locally save a blasphemously oversized text string locally, open it on demand, and copy it out, just to sync my own code up to github? or switch my push-pull tactics to ssh, which is fine for those who /want/ security, and admittedly easier in the short run to work around M$ BS, but nobody should be forced into that for public repos.

[mohamedrsamy]

I would like to opt out of 2FA

[kcozens]

I found I was able to set up 2fa using TOTP. However, having done that when it challenges me it no longer shows me the code I need to put in to my TOTP program so I can get the code to respond to the challenge. What is worse is that once you have set up 2fa you can't remove or disable it.

[jholman-bcit]

I am also inclined to move my classes off of GitHub Classroom to avoid 2FA.

I think that the Github general philosophy around 2FA is understandable, all this "securing the supply chain" thing makes sense. Maybe, I dunno. I understand that security software is a hard problem, and socially important, and okay maybe it's the right thing to force in some circumstances, or to very strongly pressure, or something.

But my code is all personal, or for giving to my students via Github Classroom. If 2FA creates a single hitch in my teaching, I'm going to stop teaching students to use GitHub, simple as that. And if you force my personal account, I'll migrate that too, I guess.

I guess I only teach about 200 students per year, so the impact isn't that large for GitHub.

[mohamedrsamy]

I disagree on securing the suppl6 chain making sense, it sounds like corpoeate bs packaged to sound logical by a bunch of marketing people. Software security comes from testing it, not this imaginary supply chain idea. People introduce vulnerabilities they are unaware of all the time. It sounds like an initiative some exec with a fake job came up with.

…

On Sun, Jan 21, 2024, 4:48 PM jholman-bcit ***@***.***> wrote: I am also inclined to move my classes off of GitHub Classroom to avoid 2FA. I think that the Github general philosophy around 2FA is understandable, all this "securing the supply chain" thing makes sense. Maybe, I dunno. I understand that security software is a hard problem, and socially important, and okay maybe it's the right thing to force in some circumstances, or to very strongly pressure, or something. But my code is all personal, or for giving to my students via Github Classroom. If 2FA creates a single hitch in my teaching, I'm going to stop teaching students to use GitHub, simple as that. And if you force my personal account, I'll migrate that too, I guess. I guess I only teach about 200 students per year, so the impact isn't that large for GitHub. — Reply to this email directly, view it on GitHub <#78992 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AD2R3QS2H3J4OD7YUPJATMLYPWLK5AVCNFSM6AAAAABATO6R7SVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DEMBSGM2TG> . You are receiving this because you commented.Message ID: ***@***.***>

[GarthWilson]

Are the people who run github even listening?  I cannot find any way to reach them, nor do I see any evidence that they read what's on the community discussions.  I just got an email saying you can choose one or more of the following options:

• Security key
• GitHub Mobile
• Authenticator application (TOTP)
• Text messages (SMS)

None of those options are acceptable.  I do not, and will not, use a smartphone or "mobile device" for several reasons.  I only access github (or anything else on the internet) with my desktop PC (or on rare occasion, my laptop), and I use Ubuntu Linux, and I have tried various software titles in the software center for TOTP that don't require a smartphone, and they don't launch.  They don't run.  I also will not use any Google or MS software, nor will I buy anything.  I will accept github emailing me a one-time-use key to copy and paste into the login, or a landline phone call with such a number.  Otherwise I'm done with github.  From what I'm reading, it seems like there will be enough other people who also give up github to make those who run github relent and quit requiring this nonsense.  Are you listening, github?

[zzo38]

There is two things to be secured. For securing commits and releases and supply chain, signed commits and signed releases (which are already possible) is better, instead of having to trust third parties (such as GitHub) to do it for you. The other thing is secure authentication to GitHub itself; for that, X.509 client certificates would be more secure and doesn't need JavaScripts and doesn't need a web browser and has other advantages. Since the private key for the X.509 certificate may be passworded, this means that it already provides a kind of 2FA as well, and is better than using TOTP or other stuff like that.

Anyways, when trying to set up 2FA, it seems to get stuck in a infinite loop and won't work!!!

[tx2x]

Even though I perfectly understand everyone who is dissatisfied with this innovation, I consider it beneficial for the entire internet at this stage of the network's development.

App-based authentication (TOTP) is a simple and quite effective way to cut off the lion's share of unauthorized accesses.

The beauty of TOTP lies in the fact that you are not tied to any specific application. I use it with KeePassXC, which has no network access, and everything works perfectly. When I add some new entries, I simply manually back up the password database to external storage, and I also upload additionally encrypted archives to the cloud if I wish.

[bigsupersquid]

it's lovely for you that you can appreciate the 2FA.
my issues aren't about the technicalities of multiplicity of ways to comply with the second step, it's that we don't get a choice to opt out.
my repos for example aren't anything that /need/ to be protected should some bad actor decide to compromise the password access. and I don't desire the extra security any more than I need it. instead I despise the requirement being mandatory.

[Da1sypetals]

Totally agree.
I am fine with my account at the safety level of only username+password.
I DO NOT NEED extra safety for my account, let alone sacrificing convenience for it.
If one day my account got hacked and all of my repos get deleted, I'm totaly fine with it. I just sign up for another account.
Github just force everyone into "safety" and I do not get a choice.

[strangerwhoisharborofdoom]

While I understand your frustration, GitHub's mandatory 2FA requirement is actually a positive security measure. Here's why and how to work with it:

Why GitHub Enforces 2FA:

1. Account Protection - Prevents unauthorized access even if your password is compromised
2. Industry Standard - Major platforms (Google, Microsoft, Apple) require 2FA for sensitive services
3. Paid Account Protection - GitHub wants to protect paying customers from account takeovers
4. Your Code Security - Your repositories and deployment keys are critical infrastructure

2FA Methods GitHub Supports:

1. Authenticator Apps (Recommended)

   • Google Authenticator, Microsoft Authenticator, Authy (works offline)
   • Generate codes on your phone when needed
   • Most reliable option for remote work

2. SMS/Text Messages (if you have coverage)

   • Receive codes via SMS
   • Less reliable internationally
   • Works without internet

3. WebAuthn/Hardware Security Keys

   • USB keys (YubiKey, Google Titan)
   • Most secure method
   • Works without passwords

4. Backup Codes

   • Save these in a secure location
   • Use when you lose access to primary 2FA method

Working Around Limited Connectivity:

• SSH Keys + 2FA - Use SSH for git operations (doesn't require 2FA every time)
• Personal Access Tokens - Generate tokens for CI/CD pipelines
• Backup Codes - Save offline for emergencies
• GitHub CLI - Use for scripting with saved credentials

For Developers with Multiple Devices:

• Use authenticator apps that sync (Authy)
• Or use WebAuthn keys (one key works for all devices)
• Keep backup codes in secure storage

The inconvenience is temporary, but the security benefit is permanent. Once set up, you rarely notice it.

[Da1sypetals]

AI generated slop is taking over Github.