Stupid Microsoft enforcing 2FA in GitHub
Siwastaja:
People did not fly to Gitlab even when Microsoft stole their code only to sell it, which is actually a criminal offense and in any case orders of magnitude worse than some broken login bullcrap. No one ever got fired for buying IBM Microsoft, and if Bill Gates comes to your door asking to suck his dick, most will just do that. Me included, I have not moved anywhere from Github either, but once you think about it, it's pretty crazy to keep using it. And yet that's exactly what we do.
DavidAlfa:
Yeah, it's another thing which started great, got into everyone's daily life, and once they got us all on the hook, bang!
Change it as the ** they want, nobody is going anywhere
Just like Google etc etc.
Buriedcode:
--- Quote from: DavidAlfa on October 26, 2023, 02:56:21 am ---It's ok to add the option, but let people decide the security they need, a really huge percentage of accounts are doing nothing important.
--- End quote ---
Giving "people" the power to determine the level of security a system has is a terrible idea. Increased security is almost always the direct result of past failures.
Veteran68:
Umm, no. They won't be "going back" on MFA. Microsoft, like nearly all modern enterprises (including my own employer), is going all in on MFA and passwordless/passkey based tech.
And as was pointed out, trusting people to determine their own security is just a horribly bad idea. Unfortunately, allowing people to choose to be insecure just increases the risk for all of us as well as for businesses such as GitHub in this case. It's not only about getting to your "nothing important" source code. If I can get on the platform using your easy-to-compromise credentials, then I not only can potentially exploit any weaknesses of the platform once I'm in it, but I can do it while impersonating YOU. That should concern you. It sure as hell will concern GitHub.
Best to embrace MFA and other advances in security as a necessary cost of doing business in the new high tech world. It won't be going anywhere, and things could get even more onerous. Honestly, it's pretty painless and straightforward nowadays. I use an authenticator app on my phone every day (every. single. day.) because not only does my employer require MFA, but so do several other service providers or suppliers I work with on a regular basis. Today it's still an option with most, but as you can see with GitHub, it won't be for long.
SiliconWizard:
I'm glad TOTP exists and is a currently accepted method. Hopefully it will keep being that way.
With that, I find using security keys pretty acceptable and better than plain passwords obviously. The downside is that if you lose the key(s), you're screwed. Yes, there are ways of recovering access - either with a set of recovery codes (but you need to keep those away from prying eyes and make sure you don't lose them either, so it's kinda shifting the problem), or other methods, most of which will rely on proving your identity in some way, which (at the moment at least) usually means some lost privacy.
So, TOTP+security keys are cool if you make sure not to lose your keys. Otherwise, you are going to lose privacy and will have to disclose some personal information to get access.
As to github itself, there have been a number of good reasons for moving away from it way before this 2FA thing. So IMO if you had to quit github, it should not be because of 2FA.
I personally use github when I'm forced to (as I'm sure many of us), that is if I have to collaborate on a project that is hosted there, which is relatively commonplace in the professional world these days, even outside of pure software; or to report issues/bugs on open-source projects that are mainly hosted there. Otherwise, outside of these cases, I do not have a single project on github.