this post was submitted on 14 Aug 2023
16 points (100.0% liked)

Free and Open Source Software

17960 readers
32 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

I just received an email from Github that they are now ofically begin to require users who contribute code need to have 2FA enabled.

Why isn't password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?

Would like to hear your thoughts about this.

you are viewing a single comment's thread
view the rest of the comments
[–] RovingFox@infosec.pub 6 points 1 year ago (1 children)

More secure. If my phone is stolen, they have full acces to my mailbox but they will look long and hard at my passworded 2FA app.

[–] DmMacniel@feddit.de 1 points 1 year ago (1 children)

I know it can happen, but it sounds very unlikely. That someone who stole your phone has any interest in your github or other accounts. Worth is mostly the device, no?

[–] RovingFox@infosec.pub 3 points 1 year ago* (last edited 1 year ago) (1 children)

If I were to steal someones phone in public I will assume they have at least a bank app and multiple apps with their card saved for easy buying. By the time they get access to another device or their banks I get enough time to do a lot of damage. I can also save some credentials for later access after the waters settle. I doubt my victim will go through each of their accounts and change passwords. Most users use a Gmail account which has multiple ways to get access back, and most users don't know how to check them and disable what they use and not use. I can easy setup a sort of backdoor in their email and gather more important information.

You never know what important information you might store in your Github account. You have a donation link in your description? Would be a pity if I would change that link to my personal bank account and just divert some fund back in your bank account to not raise suspicion.

[–] DmMacniel@feddit.de 2 points 1 year ago

Huh, okay yeah you made your point and I see it now. Thanks :)