On March 13, we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. Read on to learn about what the process entails and how you can help secure the software supply chain with 2FA.
Too many people were making poor choices. When there’s an incident of an account that should have been secured but wasn’t getting compromised, that’s bad for the platform, ecosystem, and community. This is just another level beyond not allowing you to set a password of “password”
At least you should be able to use your local password manager as well if you don’t care about keeping your 2fa on separate hardware. KeePass 2, KeePassXC, Bitwarden, …
The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts
phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.
yeah, no idea why you’re getting downvoted, it’s clear why companies are so eagerly embracing and requiring 2FA – if the benefits were only for the consumers, it wouldn’t be mandated anywhere near this quickly. but when they know they get a real human phone tied to every account, that’s a huge motivation
Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2 years weeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.
Bitwarden has 2FA (for paid tier, like $10/year). I don’t consider it “real” 2FA, but it’s more secure than just a password, and super quick to copy code using browser addon. Useful for certain sites, that don’t stay logged in, require every time, etc.
deleted by creator
Too many people were making poor choices. When there’s an incident of an account that should have been secured but wasn’t getting compromised, that’s bad for the platform, ecosystem, and community. This is just another level beyond not allowing you to set a password of “password”
Probably just someone at Microsoft trying to get promoted.
Yep. If people care about supply chain attacks or so, just add features that allow only commits from accounts with 2FA to certain repositories.
Just use a YubiKey and keep it plugged in
At least you should be able to use your local password manager as well if you don’t care about keeping your 2fa on separate hardware. KeePass 2, KeePassXC, Bitwarden, …
Github supports totp and Bitwarden, at least, can store that.
they want your phone number so they can track you.
Better to use an authentication app. SMS can be intercepted.
how would they track you?
The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts
phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.
me giving, let’s say, twitch my phone number gives them exactly 0 ways of tracking me in any way whatsoever
Source: worked for a mobile company
I can hear the tinfoil hat from here
That’s a pretty absurd take in 2023. Tracking and surveillance is rampant these days.
First part is not quite true, varies by country.
Second part is full on Olympic mental gymnastics
yeah, no idea why you’re getting downvoted, it’s clear why companies are so eagerly embracing and requiring 2FA – if the benefits were only for the consumers, it wouldn’t be mandated anywhere near this quickly. but when they know they get a real human phone tied to every account, that’s a huge motivation
Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2
yearsweeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.Organizations can already require 2FA for members of the org. We already had the tools.
Bitwarden has 2FA (for paid tier, like $10/year). I don’t consider it “real” 2FA, but it’s more secure than just a password, and super quick to copy code using browser addon. Useful for certain sites, that don’t stay logged in, require every time, etc.