
How to bypass GitHub's new 'Enable two-factor authentication'.


Someone:

--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---It was an interesting thread read especially from the zealots of 2fa who constantly ignore the fact that in almost every implemented instance 2fa reduces security below that of a password
--- End quote ---
Better read it again, because Github are the good guys here and NOT forcing that (supporting multiple alternatives).


--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
--- End quote ---
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.

Shonky:

--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications

--- End quote ---
No. That's not how it works at all. You can quite easily have the 2FA secret on multiple devices and it will produce the same number.


--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---Thanks Github. Now my account is less secure because I have something I need to write down or save on a file system rather than a password that only existed in my head and no one else knew.

--- End quote ---
Congratulations on not understanding how 2FA works. Hint: it's the "2".

m12lrpv:

--- Quote from: Shonky on November 01, 2023, 01:25:01 am ---
--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications

--- End quote ---
No. That's not how it works at all. You can quite easily have the 2FA secret on multiple devices and it will produce the same number.

--- End quote ---
Incorrect. Github only allows one of each type. Don't preach about things you don't understand.

--- Quote from: Shonky on November 01, 2023, 01:25:01 am ---
--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---Thanks Github. Now my account is less secure because I have something I need to write down or save on a file system rather than a password that only existed in my head and no one else knew.

--- End quote ---
Congratulations on not understanding how 2FA works. Hint: it's the "2".

--- End quote ---
Every 2fa is basically 1fa. You're just one password reset request away from full access once that 2fa key is exposed. Congratulations on not understanding the reality of 2fa.

m12lrpv:

--- Quote from: Someone on November 01, 2023, 12:51:06 am ---
--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---It was an interesting thread read especially from the zealots of 2fa who constantly ignore the fact that in almost every implemented instance 2fa reduces security below that of a password
--- End quote ---
Better read it again, because Github are the good guys here and NOT forcing that (supporting multiple alternatives).

--- End quote ---
The percentage of people using the actually secure instances (like yubikeys) is so small as to make my statement correct. If github start supplying free yubikeys then I will consider that they're making things more secure. SMS and apps are less secure than a password known only to one person and never written anywhere.


--- Quote from: Someone on November 01, 2023, 12:51:06 am ---
--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
--- End quote ---
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.

--- End quote ---
That is not true. How do I go to a random computer and log into github? I either have to have an authentication app on my phone or its number registered for sms, a physical key I'm carrying with me, the ability to install something like winauth plus the secret written down so I can use it, or some online service with saved settings that can get hacked or can get switched off tomorrow.

Github 2fa options are one each of Authenticator app, sms, security key, github mobile. You cannot have 3 different authenticator apps registered with github for different devices of the same type. Like say my work computer and 2 of my home computers. It's disingenuous to claim github support multiple devices.

Someone:

--- Quote from: m12lrpv on November 01, 2023, 02:33:34 am ---The ability to install something like winauth plus the secret written down so I can use it or some online service with saved settings that can get hacked or can get switched off tomorrow.
--- End quote ---
So you want a solution for two factor without adding anything? Have fun with that.

All the synthetic constraints you choose to add (not installing any software on any device, or having a hardware token) are the problem here, not Github.


--- Quote from: m12lrpv on November 01, 2023, 02:33:34 am ---
--- Quote from: Someone on November 01, 2023, 12:51:06 am ---
--- Quote from: m12lrpv on November 01, 2023, 12:00:18 am ---So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
--- End quote ---
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.

--- End quote ---
That is not true. How do I go to a random computer and log into github?
--- End quote ---
By bringing your choice of second factor along, it can be as (in)secure as you like. One solution is you just remember the secret TOTP setup key, just as you would for a password, or write it down. There are RFC 6238 implementations that do not require install (and some even run in a browser if you really want to avoid "apps") and you can bring the key to them as/when you want.


--- Quote from: m12lrpv on November 01, 2023, 02:33:34 am ---SMS, and apps are less secure than a password known only to one person and never written anywhere
--- End quote ---
Two factor: the second factor only adds to the security of the password, it does not subtract from it. You still provide a password. Just to double check, I signed out of Github and when signing back in on the same computer/browser/session it asked for a username and both the password and 2fa.

Your cries of doom (without explaining the arbitrary constraints that led you to them) are the sort of mis-information around 2fa which needs to be stomped out. Github are one of the best examples out there, providing excellent options for people to get on board with 2fa.
