Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don’t love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don’t want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)…

  • Tramort@programming.dev
    link
    fedilink
    arrow-up
    99
    arrow-down
    1
    ·
    5 months ago

    It’s fine. The added security is huge

    The problem is when they want you to install their TOTP app in order to authenticate (I’m looking at you, steam… fuck off)

  • Scrubbles@poptalk.scrubbles.tech
    link
    fedilink
    English
    arrow-up
    70
    arrow-down
    1
    ·
    5 months ago

    SMS is the least secure form of 2FA, and sim swaps are a very real thing. Whatever you’re issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.

    And this isn’t just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing, your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2fa or email 2fa I wouldn’t trust.

    • peregus@lemmy.world
      link
      fedilink
      arrow-up
      12
      ·
      edit-2
      5 months ago

      Totally agree! 2FA on all the accounts that support it avoiding SMS. And different passwords (complex, auto generated by a password manager) for each single account. I may be paranoid, but I also use a different email alias (SimpleLogin) for every single account! 😆

      • nrbray@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        5 months ago

        same, a simple habit that is secure, I use it always with maximum privacy. One day you will be in a rush, under stress, affected by age, and use your old habits with a valuable asset…

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        5 months ago

        Not if the org uses SMS auth as a recover method for your “lost” password

        Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.

        I generally don’t let my team enter phone numbers into their account data.

        • refalo@programming.dev
          link
          fedilink
          arrow-up
          2
          ·
          5 months ago

          Unfortunately many banks still require it and have no other methods available. I tried to reason with my bank about it but they just do not care.

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          Well we could be using passkeys right now if Big Tech weren’t trying to tie them to their own platforms! 🤷

    • ssm@lemmy.sdf.org
      link
      fedilink
      arrow-up
      3
      arrow-down
      9
      ·
      5 months ago

      2FA is for people who don’t know how to use randomized passwords for every site

      • Reddfugee42@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        5 months ago

        Brilliant. Until that website’s unsalted pw database is downloaded through a SQL injection.

        Use both. You’re not smarter than security professionals.

        • kevincox@lemmy.mlM
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          5 months ago
          1. Salt doesn’t matter if your password is unique.
          2. If they can download data via SQL injection having them log in probably doesn’t matter that much.
          3. If they can dump your password/hash they can likely also dump the TOTP secret.
          4. A lot of website security expert attention is focused on raising the minimum security level. If you are using randomly generated passwords + auto-fill you are likely above their main target audience.

          So yes, it is slightly better, but in practice that difference probably doesn’t matter. If you use U2F then you may have a meaningful security increase but IMHO U2F is not practical to use on every site due to basically being impossible to manage credentials.

          So yes, it is better. But for me using random passwords and a password manager it isn’t worth the bother.

      • Miaou@jlai.lu
        link
        fedilink
        arrow-up
        3
        ·
        5 months ago

        The day your machine is compromised is also the day ALL your passwords get stolen.

      • helenslunch@feddit.nl
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        It doesn’t matter how random or secure your password is, it can still be compromised.

        2FA increases security and costs nothing in return.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        16
        arrow-down
        3
        ·
        5 months ago

        Yeah I just want to type my name to be able to withdraw money from my bank account. No pesky pins or passwords or any form of authentication /s

        • Zeroxxx@lemmy.id
          link
          fedilink
          arrow-up
          3
          arrow-down
          6
          ·
          5 months ago

          Even in my bank’s ATM there’s only one password, not 2FA. 2FA is 2 factor auth, there’s no 2FA in the ATMs.

          It doesn’t mean the initial password isn’t a layer of authentication, but strictly speaking where I live all ATMs do not employ 2FA.

          • vvv@programming.dev
            link
            fedilink
            arrow-up
            7
            arrow-down
            1
            ·
            5 months ago

            The two factors at an ATM are possession of your bank card + knowledge of your pin. (it also takes your photo, for good measure)

            GitHub will happily accept a smart card or whatever, if an extra plastic rectangle jives with you more than an OTP generator.

              • Reddfugee42@lemmy.world
                link
                fedilink
                arrow-up
                3
                ·
                5 months ago

                “Something you have” is absolutely not equivalent to “something you know”

                You are completely unable to enter this conversation, but you think you’re the smartest one in the room.

                I bet you’re insufferable.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      4
      ·
      5 months ago

      Also OTPclient on desktop, it can work directly with an Aegis encrypted export file. You enter the decrypt password when you open the app and it can auto-lock after a specified interval.

      • Kess8a@lemy.lol
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        Is there something similar for windows? I check the github page & there doesn’t seem to be a package for windows. I could try to compile it from source but that a lot of libraries I have to get…

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          If you’re willing to work with unencrypted exports I think tauthy can import unencrypted Aegis JSON format.

          Also, what Aegis exports as “text format” is a standard format of sorts that consists in lines of otpauth:// URLs. There are lots of apps that can import that format, but please note that you lose some extra information from Aegis when you export in that format. Shouldn’t be a problem if you just want to be able to generate codes on desktop.

    • StorageB@lemmy.oneOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Aegis looks great - I’ll give this a shot. Thanks for the recommendation!

    • kevincox@lemmy.mlM
      link
      fedilink
      arrow-up
      3
      ·
      5 months ago

      Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn’t need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.

    • kevincox@lemmy.mlM
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      The problem with Yubikey is that it doesn’t have a good enough management story for broad use. I do use it for a few core sites (like GitHub) but if I lose a key I need to get a replacement and register that replacement with every site I have set up U2F 2FA on. This is ok with a few core accounts but doesn’t scale to the hundreds of sites that I have an account with. I am sure to miss a few and then either I can’t log in with the new key or get completely locked out when I lose that key and get a second replacement.

    • Tibi@discuss.tchncs.de
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      5 months ago

      Agreed, me to! And I use syncthing to sync my database between my devices Edit: mine is called KeePassDX but its the same database file

  • Jayjader@jlai.lu
    link
    fedilink
    arrow-up
    11
    ·
    edit-2
    5 months ago

    I already use pass (“the unix password manager”) and there’s a pretty decent extension that lets it handle 2fa: https://github.com/tadfisher/pass-otp

    Worth noting that this somewhat defeats the purpose of 2fa if you put your GitHub password in the same store as the one used for otp. Nevertheless, this let’s me sign on to 2fa services from the command line without purchasing a USB dongle or needing a smartphone on-hand.

    • vvv@programming.dev
      link
      fedilink
      arrow-up
      7
      ·
      edit-2
      5 months ago

      Your two factors shift to possession of your password vault + knowledge of the password to it. You’re okay IMO.

      You also still get the anti-replay benefits of the OTPs, though that might be a bit moot with TLS everywhere.

      • Jayjader@jlai.lu
        link
        fedilink
        arrow-up
        3
        ·
        5 months ago

        You’re right, I should have been more specific.

        If you’re already storing your password using pass, you aren’t getting 3 factors with pass-otp unless you store the otp generation into a separate store.

        For services like GitHub that mandate using an otp, it’s convenient without being an effective loss of 2fa to store everything together.

  • Billegh@lemmy.world
    link
    fedilink
    arrow-up
    11
    ·
    5 months ago

    It’s fine. I moved to gitlab years ago for 2fa, so while this doesn’t affect me I would be entirely ok with normal 2fa.

    It is normal, right? Not a weird Microsoft 2fa requiring their app?

  • toastal@lemmy.ml
    link
    fedilink
    arrow-up
    12
    arrow-down
    2
    ·
    5 months ago

    Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.

    But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.

    • fuzzzerd@programming.dev
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      5 months ago

      Did you forget the ./s or something? Lemmy itself is developed on GitHub, as are plenty of other “valuable” open source projects. To pretend nothing of value is built there is putting your head in the sand.

      If you’re developing software on GitHub you have a chance at getting some useful feedback, bug reports and maybe even PRs. Like it or not, the network effect is real.

      • toastal@lemmy.ml
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        5 months ago

        Not /s

        It is long past the time to move on. We don’t like the ads, gamified/corporate-friendly social media aspects, & enshitification of the web (which is why we are an Lemmy not Reddit), so why would we want that same platform for our code?

        Also Lemmy has every interest in moving as soon as ForgeFed is finalized & merged into a forge the can host since they want the same decentralized values for their forge as their forum/link aggregator platform and have publicly acknowledged it is a problem.

        Your projects should follow that example, if not your current projects at least future ones. These megacorporation are not our friends.

  • Dymonika@beehaw.org
    link
    fedilink
    arrow-up
    10
    ·
    5 months ago

    I don’t love the idea of having an authenticator app installed on my phone

    For anything? Why not? Surely you don’t believe SMS-based TOTP is safer, right?

  • Kelly@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    5 months ago

    I generate a TOTP with my password manager, it stores all my other login details and keeps it simple.

    • Voroxpete@sh.itjust.works
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      5 months ago

      That seems like it defeats the “2” part of 2FA. If your password manager is compromised the attackers now how complete access.

      • Kelly@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        5 months ago

        Technically true.

        You are right, having the password in the same vault does mean that if the vault itself is compromised they have both. Guess I could move the TOTP to a separate authenticator app but the only other apps I have a mobile only and there are times I need to login without having hands on my phone.

        I guess the time based aspect of the TOTP makes it a little more resistant to having someone monitor my keystrokes or clipboard or whatever and capture a relatively long lived secret like my password. So I guess its a comprise I’m willing to make.

      • Scrubbles@poptalk.scrubbles.tech
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        5 months ago

        That’s minimal to me. I chose 1password for this exact reason, read all of their technical docs.

        1password uses encryption with a 2-part key, your password and your “Secret key” which is essentially a salt. Combining those two, they encrypt your entire storage blob and store it. They’re very clear that there is no backdoor, there it is encrypted using your keys, and they do not store those keys anywhere - and that if you lose your keys you’re out. There are zero recovery options. Which I love. (Which means I do not recommend it to non tech folks who will probably lose one of these keys)

        So the secret key is similar to a guid, can have that written down somewhere, and your password should never be written down anywhere, and be completely unique. Doing those two things, I feel confident that keeping my 2FA in my most secure area is safe. There is minimal chance that someone is able to log in remotely to my 1password, even if they got my key, my password isn’t written down.

        The convenience of this is x1000, while the risk to me is negligible. It’s why when I worked in fintech it was the manager of choice, and I recommend it for secrets in kubernetes. Until they prove me wrong, security is truly number one with them.

        • Voroxpete@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          5 months ago

          I love 1Password, they’re great (I personally use Bitwarden for my passwords, but would happily recommend either of them). But by putting both your authenticator codes and your passwords in the same place, you now have a single point of failure. What happens if someone finds an exploit in 1Password that gives them access to your account? The whole point of 2FA is to not have a single point of failure.

          • Scrubbles@poptalk.scrubbles.tech
            link
            fedilink
            English
            arrow-up
            3
            ·
            5 months ago

            I’ll happily take that chance for the convenience. Even if 1password leaks, they don’t have the keys to my vault. They would need my key and password to unlock it. The only time that isn’t needed is if it’s unlocked, which only is on my linux computer, which means they need to find an exploit with their app. In the 7 years I’ve used them I’ve never even heard a wiff of something even small happening.

        • Voroxpete@sh.itjust.works
          link
          fedilink
          arrow-up
          3
          ·
          5 months ago

          That’s still a single point of failure. What happens if someone finds an exploit that bypasses the login process entirely?

          • hedgehog@ttrpg.network
            link
            fedilink
            arrow-up
            2
            ·
            5 months ago

            That’s still a single point of failure.

            So is TLS or the compromise of a major root certificate authority, and those have no bearing on whether an approach qualifies as using 2FA.

            The question is “How vulnerable is your authentication approach to attack?” If an approach is especially vulnerable, like using SMS or push notifications (where you tap to confirm vs receiving a code that you enter in the app) for 2FA, then it should be discouraged. So the question becomes “Is storing your TOTP secrets in your password manager an especially vulnerable approach to authentication?” I don’t believe it is, and further, I don’t believe it’s any more vulnerable than using a separate app on your mobile device (which is the generally recommended alternative).

            What happens if someone finds an exploit that bypasses the login process entirely?

            Then they get a copy of your encrypted vault. If your vault password is weak, they’ll be able to crack it and get access to everything. This is a great argument for making sure you have a good vault password, but there are a lot of great arguments for that.

            Or do you mean that they get access to your logged in vault by compromising your device? That’s the most likely worst case scenario, and in such a scenario:

            • all of your logged in accounts can be compromised by stealing your sessions
            • even if you use a different app for your 2FA, those TOTP secrets and passkeys can be stolen - they have to be on a different device
            • you’re also likely to be subject to a ransomware attack

            In other words, your only accounts that are not vulnerable in this situation solely because their TOTP secret is on a different device are the ones you don’t use on that device in the first place. This is mostly relevant if your computer is compromised - if your phone is compromised, then it doesn’t matter that you use a separate password manager and authenticator app.

            If you use an account on your computer, since it can be compromised without having the credentials on device, you might as well have the credentials on device. If you’re concerned about the device being compromised and want to protect an account that you don’t use on that device, then you can store the credentials in a different vault that isn’t stored on your device.

            Even more common, though? MITM phishing attacks. If your password manager verifies the url, fills the password, and fills your TOTP, then that can help against those. Start using a different device and those protections fall away. If your vault has been compromised and your passwords are known to an attacker, but they don’t have your TOTP secrets, you’re at higher risk of erroneously entering them into a phishing site.

            Either approach (same app vs different app) has trade-offs and both approaches are vulnerable to different sorts of attacks. It doesn’t make sense to say that one counts as 2FA but the other doesn’t. They’re differently resilient - that’s it. Consider your individual threat model and one may be a better option than the other.

            That said, if you’re concerned about the resiliency of your 2FA approach, then look into using dedicated security keys. U2F / WebAuthn both give better phishing resistance than a browser extension filling a password or TOTP can, and having the private key inaccessible can help mitigate device compromise concerns.

            • privatizetwiddle@lemmy.sdf.org
              link
              fedilink
              arrow-up
              2
              ·
              5 months ago

              That’s still a single point of failure. What happens if someone finds an exploit that bypasses the login process entirely?

              I read this as someone bypassing the GitHub login entirely. Good luck 2FAing your way out of that one! 😜