Mandatory GitHub 2FA is a bad idea.

[hexaheximal]

Select Topic Area

Product Feedback

Body

Mandatory 2FA is a bad idea. Please reconsider that decision.

SMS-based 2FA is so bad that I don't even know why GitHub supports it. This change is going to result in a lot of people being made vulnerable to a SIM swap attack.

Additionally, the authenticator apps GitHub gives as examples are all proprietary - none of them are free (as in freedom) software.

I don't like GitHub itself being nonfree, and I REALLY don't like them pushing nonfree native apps.

I use CSRNG-generated website-specific passwords that are only ever stored locally. TOTP has no security benefit since an attacker would be on the same machine anyways.

Using FIDO2 security keys is the only right way to do 2FA, but GitHub currently doesn't even support it. (EDIT: it appears that GitHub does support it after all, hmm...)

Also keep in mind that Mojang, which is also owned by Microsoft, did something similar (except in that case it was even worse since they are forcing you to have a Microsoft account) with the reason being security - it's pretty clear that was nothing more than an excuse, and the real reason is to tie products and make more money.

This annoyance is what has caused me to finally migrate off of GitHub. I'm moving all of my projects to codeberg and I'm probably going to delete them from GitHub so they can't get a higher SEO ranking for my projects.

By the way, I've posted about this on the fediverse too: https://mastodon.social/@hexaheximal/110890236595013160

[ghost]

I'm a hobby game programmer, I've deleted all my repos and will abandon the platform over this.
They should've made it an opt-in feature for profiles that care about security.
With Micro$oft at the helm it's not that surprising however.

[jbruchon]

Well that's, like, your opinion man.

Go ahead and make the case for forced 2FA. Don't give us this crap where you go "what's the big deal?" Plenty of people have expressed why it is a big deal for them. You have made no valid arguments for why we should be forced to use 2FA. Remember we're not talking about making it available we're talking about forcing it on people without their consent.

[aboood40091]

They can still implement those security measures. All they have to do is set the lowest 2FA bar (which is almost nothing btw) and keep doing what they were doing before.

Guess what? They are raising that bar now and we're required to have at least 3 forms of 2FA set up.

[doncatnip]

I'm going to be honest most of these posts come off incredibly petulant. I'll be the first to say it: I'm still gonna use GitHub. Y'all have fun 👋

Reasons:

• 2FA should basically be a minimum requirement for any service where the users data could be of any consequence whatsoever. Given that Github stores what for many people amounts to years of painstaking career effort, I would say it qualifies.
• Github supported many options of 2FA right out the gate, not all of which require a phone, not all of which require you to trust authentication handling to a "corporation" or a national security apparatus
• 2FA is for the benefit of average users, if you are the type of person to care so deeply about 2FA chances are you are technologically literate enough to figure out which kind of 2FA doesn't compromise whatever random cyber security values you are concerned about
• 2FA does not prevent all kinds of attacks, and some 2FA are better than others, but I will tell you now -- for MOST people (people who put in normal passwords not cryptographically generated ones) literally ANY 2FA is a damn sight better than nothing at all.

Its just not that deep fellas.

I will decide whats good for me, not Microsoft. I'll leave this platform as well.

[basedwon]

I find it's possible to setup TOTP 2FA with Python one-liner... (relying "pyotp")     Entirely security theater:     python -c "import pyotp; print( pyotp.TOTP( 'password' ).now() );"

    Maybe I shall further simplify it as just JavaScript bookmarklet..? (dropping all dependencies)

I'd be very interested in that js bookmarklet

[ldez]

Using FIDO2 security keys is the only right way to do 2FA, but GitHub currently doesn't even support it.

This is not true: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key

I use a Yubikey-based secured key (WebAuthn compatible security key) and it works well.

You just have to go to https://github.com/settings/security and set up your security key.

Additionally, the authenticator apps GitHub gives as examples are all proprietary - none of them are free (as in freedom) software.

I don't like GitHub itself being nonfree, and I REALLY don't like them pushing nonfree native apps.

For TOTP you can use KeypassXC which is free and open source and works offline.
Any RFC6238 compliant implementation will work.

If the problem is the GitHub suggestions, I think GitHub can improve that easily.

[ldez]

Interesting. It appears that you can only set it up after setting up authenticator-based 2FA though - that definitely sounds like a move to discourage people from doing it

I think it's more related to the fact that if you lose your secured key (because you don't have 2 as recommended) your account will be completely stuck.

Secured keys are expensive (at least Yubikey is), so I can understand people that only have one (but I have 2 keys).

Maybe this will change in the future, I don't know what GitHub plans or think.

[hackerb9]

@ldez Looks like they heard your complaint. I was able to register my FIDO2 keys without the app. However, at the end the only option to finish is to click a button to download ten One Time Passwords to the local computer.

[ldez]

I never complained about that.
I just tried to provide an explanation about GitHub and 2FA.
But it's a good news.

[SkybuckFlying]

Will KeyypassXC app be constantly needed to login ? talk about bloatware !

[ghost]

Your decision to move your projects to Codeberg and voice your concerns on the fediverse is a valid way to express your preferences and concerns about GitHub's policies. Open source and community-driven platforms like Codeberg provide an alternative for those who value specific principles and features.

Gitlab.com is also much better in such aspects.

In developer community you can meet guys who has absolutely different experience and skills, including professionals and each one decide himself how to secure his account. Github should provide tools and may only recommend but not make so much pressure. Thank you, but - no! Fck u Nvidia, fck u GitHub.

[JeanPaulLucien]

Obligatory 2FA is very bad idea. I don't want to spend my time for 2FA. I'm not going to spend my time to touch a mobile phone to read messages.

[hackerb9]

Using FIDO2 security keys is the only right way to do 2FA, but GitHub currently doesn't even support it. (EDIT: it appears that GitHub does support it after all, hmm...)

I was able to use my Solokeys, which are Free as in Freedom. But, it was more of a pain than necessary because Github kept prompting me to set a PIN. I do not use Microsoft Windows, so I do not need a PIN on my 2FA keys. I had to work around it by setting security.webauthn.ctap2 to False in Firefox's advanced preferences (about:config) .

To people who are considering deleting their accounts here: Please don't. Please instead mark the repository as archival with a link to your new home. Thanks!

[ghost]

Github(Microsoft) uses your repos to train their co-pilot AI, by deleting my repos I'm ensuring they can't use my work while running me off their platform.

[patgauvingeek]

You wish ! I'm pretty sure you can delete every repository one by one (or your account even) and they are actually just moving the whole thing somewhere else where they can still train AI on it.

[ghost]

You repo is public? MS will create own hidden fork and continue to train. Your repo in public domain anybody can visit, copy, view it and FORK. So it will not help... You can try use GDPR for that if you are EU citizen. But I am not sure if that will work enough well.

[kfkaplan]

Completely agree. This is a horrible idea PLEASE reconsider github. Phone breaks, gets stolen, or you are in another country without cell service, and all of a sudden you are unable to access anything.

[PiKeyAr]

Today I got a notification about enforced 2FA on GitHub. Microsoft threatens to lock me out of all my work if I don't enable 2FA by October. If this decision is not reversed, I will be deleting all my repos and abandoning this platform in the near future.

[hackerb9]

@PiKeyAr You're right to be angry at Microsoft, but please don't delete your repos. Mark them as read-only archives with a link redirecting visitors to whatever new site you go to. If you want, leave a permanent middle-finger to Microsoft at the top of your READMEs, but don't let Microsoft win by simply vanishing without a trace.

[aboood40091]

@PiKeyAr You're right to be angry at Microsoft, but please don't delete your repos. Mark them as read-only archives with a link redirecting visitors to whatever new site you go to. If you want, leave a permanent middle-finger to Microsoft at the top of your READMEs, but don't let Microsoft win by simply vanishing without a trace.

?? It's not Microsoft who wins if the dude's "simply vanishing without a trace."

[corwinn]

"2FA is significantly more secure"
The ^ is a popular fallacy, in my POV:
var recovery_codes // previously named "password" but this time its "our_password_you_cant_change_but_we_wont_misuse_we_promise_oh_wait"
Besides someone could "ruin your life" by just "breaking" your smartphone, accidentally of course ... now lets see people_that_can_break_your_smartphone_accidentally vs. people_that_can_____your_password - tough that.

"2FA" is more control - it is as simple as that; this is how their mandatory "2fa" sounds to me: "you should have smartphones or you're not good enough for our service" - a certain sentence towards a certain machine at the end of the movie "Oblivion" comes to mind; my POV.

Also, imagine the bonus pressure on all employees who have to maintain "2fa" phone(s).

Anyways, its part of their contract: they can do whatever they like whenever they want; their service - their rules. What was promised was given - a choice was taken away. Yay "2fa"!

[hackerb9]

Hey @corwinn, I get your healthy skepticism, but after looking into how it works, 2FA actually is much better security. But, better security isn't always better: think of a server which is unplugged, welded shut in an iron box, and buried underground. It's very secure, but there's clearly a cost. In the past those of us at high-risk of phishing could choose to turn on 2FA. But there's the keyword: choose. By making it mandatory, Microsoft has taken away our choice about whether the tradeoff is worth it. We are not Microsoft employees.

What's especially bad is that this 2FA rollout campaign has made it seem like the only option is to use your cellphone. The tradeoff in privacy is not worth the security benefit to me. I was pretty pissed before I found a workaround: pretty much any site where 2FA is required, you can use anonymous FIDO2 USB keys and not give up any personal information.

I'm not saying people should stay on GitHub. Heck, I don't know if I'll stay even though I've got my anonymous 2FA registered. I just want people to know that they have the choice.

[corwinn]

Thank you. I figured out I can "stay" w/o a smartphone. I'm afraid it isn't a black/white situation. There is no right decision on my side from their POV: they've calculated the possible loss of users/code ( also known as "product" in this use-case :) ).

In my POV, the way to preserve FOSS (in case you're acting with that thesis in mind) is to create a better "github" free of corporate influence. IMHO "Microsoft" has no interest at destroying this code-base however.

As in one of my favorite movies: this is a "test" whether I belong to the "github" faction :); well, when "Microsoft" says "jump" - I respond with "Watch "Oblivion"" :). Also, let me ask you something: what will they enforce next?
I grew up in a communist-regime country where I lot of things were enforced for our (society) "security" - actually everything was enforced; its like a de-ja-vu here. A walled garden is a lie.

The security of this site can be greatly improved by educating people about it. On register, let the new user pass a test about security; if she fails, do recommend to her to study the topic, then come back; there is no need to require learning 20 mathematics.

Either this "MFA" is what they say it is, and it will stay forever; or the loss of user/code due to "MFA" will overwhelm its "usefulness". Its most "strong" argument isn't an argument at all: n+1 MFA will be n+1 times more secure - why not using that - why one?! The future will show (although I watched HTML being turned into a desktop application at the cost of a 1000% efficiency loss, so I'm unsure what will be shown).

[hungLink]

I don't have an android or iOS device (Librem 5 for the curious)

I use password store (pass) for my password management, and it has an OTP extension. If you're a windows user this may not work.

I got all my stuff working without too much hassle.

[softworkz]

I have no doubt that this is coming from Microsoft.

They always envied Google for their abundant amount of user data, but could never get even close with all the failed Bing iterations. But they are learning from Google who have perfectioned their ways of asking for user consent to process their data right in the moment (of setup or configuration wizards) when users' interest and will for dealing with the subject of those consents is down to a minimum.
They also learned that it's a very successful pattern to put and present this in a context which is supposed to improve and increase user security and privacy. The only difference is that Google still does it in a more subtle and elegant way.
One of the big problems in data mining is that nowadays, many users have multiple e-mail addresses and that ruins statistics severely, because browsers have made it more and more difficult to identify client machines/browsers by fingerprinting techniques and similar means. (which would allow to relate a user's accounts to each other).

And so, the big players came to the ingenious idea to require mobile phone verification for registration of accounts and using services. It's a clear and simple way to make users more identifiable: while users often have multiple e-mail addresses, they rarely have multiple phone numbers.

And what's the most convincing rationale for why this would be required?

=> Just like Google does it all the time: Tell that this is crucial and important for the user's safety and account security.
=> Make it look as if it would be purely accidental that all supported 2FA methods don't provide anonymity
=> Just much later add one more method which could possibly provide anonymity, but call it a beta and keep it difficult in both, usage and documentation, just enough to silence critics, while also knowing that the majority won't every use it.

Bravo, Microsoft! You learned a lot from Google.

But it's still unacceptable.

[ghost]

Google also does the shit. I just lost access to one of my mailboxes ))) Because Google decided that someone stolen my password and tried to authenticate from another geographical region.

Such "games" never ended by happy end for users.

[softworkz]

Hey user!

Give us

• your phone number
• your address
• your mother's maiden name
• all your account balances
• or better: let us install our app on your phone, so we can not only relate your phone number to your GitHub account, but we can also relate your Google account on the phone AND your phone number to your GitHub account as a double-strike

Remember user, it's just for your own sake, this will tremendously increase your security and we are just forcing it upon you because we only want to do you good!

[ghost]

Guess I'll have to say "bye bye" on oct 12.

[softworkz]

Hey User!

Give us access (or number) to your smartphone! Otherwise we will delete all your data.

github.com

[jmcunx]

The only option that would work for on 2FA os SMS to my Cell, but I never give out the Cell Number. Can this requirement be rethought or can an option be added to send an email to the email address linked to my account.

If not, I will also need to stop using github. I have been investigating some alternatives and I already copied my projects to one of those places to see if it works for me.

[hackerb9]

I doubt Microsoft is going to rethink it, but there is another option than giving out your cell number. You can buy a FIDO2 USB key for anonymous 2FA. (See my comment below).

[hungLink]

I use password store (pass) for my password management, and it has an OTP extension. If you're a windows user this may not work.

I got all my stuff working without too much hassle.

[softworkz]

This is ridiculous in so many ways (not 2FA per-se, but: 1. the forcing and 2. the available options and 3. the context).

By "context", I mean the fact that the token-based authentication for build automation or application access does not change. A major advantage of tokens (like PAT) is the ability to segment access by permission and by target usage, but besides that (and expiration), this is not much better than a login with username and (strong) password.

Neither Visual Studio nor my other Git application are caring about segmentation. Maybe it's possible in some way, but by default, they are setting up a token with full access rights. when you go through the process.

The outcome of this would be that Visual Studio and other Git applications are able to log on to GitHub always and easily, but I-for-myself would need to jump through dozens of hoops just in order to log in to GitHub When something goes wrong, my applications would still be able to log in to my GitHub account, even though mine would have been cut off and inaccessible

I also don't understand the general idea of how an application should be more secure when dealing with passwords. For every application it is known where it stores passwords and once a security hole has been found to crack the storage encryption, it can likely be exploited everywhere where the application is installed.

But when I'm in charge, nobody will know where I might store my passwords, or I even might just memorize the crucial ones. This is something that cannot be hacked like an application can be.

Eventually, it is MY account and ONLY MY account. That means that I (alone) need to be in charge of logging in. It is not acceptable that my powers and capabilities (to log in) are transferred to or shard with an application or a mobile phone into which I do not have any insight or control.

[hackerb9]

UPDATE: It has been pointed out to me that GitHub now requires your SMS phone number in order to register a FIDO2 key! Argh, Microsoft...

I have opened a bug report on the GitHub general forum.

---

Original post follows...

2FA Anonymity

I see a lot of people saying exactly what I was thinking: they want anonymity and don't want to give their cell phone information out. There is a workaround, but, amidst this boneheaded decision, Microsoft is not making it obvious that:

You can use a USB security key for 2FA

Just search for "FIDO2" and "USB" and you'll find lots of brands to choose from. Here is a sample:

Yubico (~$25) is well respected and trusted. Made in the USA or Sweden. Yubico is what Google gave to their employees before they came out with their own Titan key (~$35) (China).

Personally, I've been only buying from Solokeys (~$20) because they publish the blueprints for their designs under an open source license, which is the ideal from a security perspective. Made in Italy.

If cost is an issue, try Adafruit's $10 Key, made by Key-ID in China.

Buy two

One important thing to know is that you have to buy at least two 2FA keys. Think of them like the keys to your home or car: if you don't have a backup, you will be screwed when you lose the primary one.

Mandatory 2FA is still a bad idea

I think 2FA is a great idea for security, but it shouldn't be mandatory. It is driving away developers, particularly the individuals who were doing cool projects on their own time. This is going to change the culture of GitHub, tilting it more corporate. Maybe that's for the best as Microsoft's ethos and interests are not well aligned with the open source community and it has been uncomfortable to see so many open source projects existing at the pleasure of a behemoth corporation.

[ghost]

Or just migrate to another platform.

KDE even hosts own server with Gitlab for a while https://invent.kde.org/ and happy with that.

You suggest to spend 20-30 bucks just because MS decided to do something.
Do you really think that all stupid decision will end after this one?

[ghost]

@hackerb9 Wait are you serious? I thought you're just being sarcastic. No way man...

[hackerb9]

@HardHub Oh, I have no doubt Microsoft will do something even stupider next time. Like I said in another comment, I'm not sure I'm going to stick around to see it even though I no longer have their arbitrary deadline hanging over my head anymore.

Everybody should make up their own minds about what to do. All I'm offering is an option that some people, myself included, have been looking for. And, yeah, like all the options, there are tradeoffs. The biggest one is the monetary cost which is why I mentioned it prominently. It sounds like it is not a good solution for you. That's fine, we all have our own calculus to make.

For myself: I happened to have the money and I'd been thinking about trying FIDO2 keys out anyway. I don't give a fig about my security on GitHub, but the FIDO2 keys also bought me anonymous two-factor authentication on sites that I actually do care about. I've already got my email and paypal setup. It looks like my VPN and bank also support FIDO2, according to https://www.dongleauth.com/.

I probably care more about privacy and security than most people, though, so I'm not surprised that the cost is a barrier for some.

@BladeMight Which part was unclear? Do you think it is a joke that Microsoft is boneheadedly railroading people into giving up private information by emphasizing cell phones as if they are the only solution for 2FA? I'm completely serious about that.

[patgauvingeek]

I want to sincerely thank you for this option. Its a great 2FA solution to keep anonymity that I didn't know about. 😄

I tried Authenticator from Microsoft. I only got setup codes that didn't work or incorrect verification codes. I even tried the SMS thing. I gave them my f*ing phone number and never received the SMS! Giving out information to get something is a thing, but without getting anything: it's a scam! 😞 I'm really upset that they are forcing us to use something that doesn't even work properly. I wouldn't be here if it just worked ! Now seeing all the post about leaving the platform because of this makes me consider it too !

[Secret-chest]

Using FIDO2 security keys is the only right way to do 2FA

What if I don't have bluetooth? I tried using passkeys with Google, not working because it requires some crappy bluetooth setup.

[hackerb9]

Try a USB key.

[ashraf21c]

I agree,
The support team gave me a very detailed reply, which is very helpful, and covers everything, backup methods do exist.. However, I still dont agree with this feature being mandatory.. There are alternatives to Github, and Ill consider using one as a backup.

[mosamy]

I do not remember delegating Microsoft or any corporation to make decisions like that on my projects. They did not become a custodian of how we make decisions on our projects and they do not have the right to make dictates like this to us.

This should be an opt in/out process.

[speedythesnail]

[jbruchon]

I moved to Codeberg. They have a decent migration system and the interface is easy to learn. They don't migrate anything but the actual Git part though; no issues or CI. They don't force 2FA. I'm happy with it.

[snowman]

How about more security? Micro$oft?

1. How about force face ID login? this comes best security especially when you holding ID-card
2. Download latest GitHub app to Scan QR code to login like Chinese app

[cardanawandra]

i think this is because israel

[ggggrand]

If I want to be "less secure" LET ME

[eduardo-martins-silva]

I'm concerned about GitHub's decision to enforce mandatory 2FA without prior consent, potentially locking users out of their accounts. While security is crucial, this approach raises suspicions about GitHub's intention to take undue ownership of users' code repositories. It's vital to ensure that security measures empower users rather than restrict their access to their own code.

[NatsuDragneel808]

Select Topic Area

Product Feedback

Body

Mandatory 2FA is a bad idea. Please reconsider that decision.

SMS-based 2FA is so bad that I don't even know why GitHub supports it. This change is going to result in a lot of people being made vulnerable to a SIM swap attack.

Additionally, the authenticator apps GitHub gives as examples are all proprietary - none of them are free (as in freedom) software.

I don't like GitHub itself being nonfree, and I REALLY don't like them pushing nonfree native apps.

I use CSRNG-generated website-specific passwords that are only ever stored locally. TOTP has no security benefit since an attacker would be on the same machine anyways.

Using FIDO2 security keys is the only right way to do 2FA, but GitHub currently doesn't even support it. (EDIT: it appears that GitHub does support it after all, hmm...)

Also keep in mind that Mojang, which is also owned by Microsoft, did something similar (except in that case it was even worse since they are forcing you to have a Microsoft account) with the reason being security - it's pretty clear that was nothing more than an excuse, and the real reason is to tie products and make more money.

This annoyance is what has caused me to finally migrate off of GitHub. I'm moving all of my projects to codeberg and I'm probably going to delete them from GitHub so they can't get a higher SEO ranking for my projects.

By the way, I've posted about this on the fediverse too: https://mastodon.social/@hexaheximal/110890236595013160

Hey, thanks so much man for mentioning codeberg. I'm also migrating from GitHub and doing the same thing, pulling out and down all of my repositories since I won't be using their stupid 2FA. So sick of this F2A bs. Never thought GitHub would fall under but oh well. I just know since I won't be using it then I'll be locked out of my GitHub account, they honestly should have made this optional instead of losing a bunch of users.

[UtsavSingh29]

#1
Not a good idea because of convenience problem

[realulim]

2FA has its place, but if you argue that it is because your users are too dumb to manage their passwords appropriately is completely disrespectful and does not shine a positive light on you. Who are you to tell me that I am too dumb to use your service correctly? You, who are responsible for more major data leaks and security breaches than I could ever produce, even if I WERE as dumb as you think.

So stop disrespecting your users. Give them options and allow them to live with their choices. Compare your users' track records in security to your own, before you patronize them.

[pfisterjohannes1234]

I do not want to make the effort of 2FA for my little, non-critical project. 2FA can make a lot of sense for bigger projects or projects that where control over it has significant value, but not for my.
The effort to setup 2FA is not worth it for me.

[a-non-a-mouse]

Ditto.

I've been a dev for 25 years. You know what's on my github account? Random nonsense scripts I'm playing with. I would give ZERO f's if my github account was hacked, and it has a completely unique 20 character password that is managed by a password manager.

I often take my laptop and head to a cafe to work for a while. I almost never carry my phone because I like being otherwise detached when I'm walking around. Not being able to log into github from a coffee shop is ridiculous.

You are not a bank. There is ZERO tangible value in open source code. Plenty of people see value in it, I 100% understand that. Let them opt in, or at least let other people opt out.

Any site requiring 2FA where money is not involved is absolute BS.

[a-non-a-mouse]

Not getting into that nonsense. 2FA could be 100% foolproof. I don't care.

The annoyance of it outweighs any benefit and Github is not worth securing to me, and that's a personal decision. Forcing it on people is BS.

[a-non-a-mouse]

Yeah, rant about that to someone else. I really don't care.

I was providing another reason on why this is a bad idea.

[a-non-a-mouse]

"Not reproducible" -- Oh ffs. Spend 2 seconds to figure out why instead of dismissing it.

It's only for people that github considers "contributors". A new account obviously doesn't fall under that net.

[ProtonKicker]

Github is kicking out Chinese contributors!

I just don't understand why they want to do that.

• I use a Huawei phone. It runs HarmoneyOS, a system that is compatible with Android BUT doesn't support Google Play services. Thus, authenticator apps will not run on my device.
• For SMS, they don't allow +86 regional codes. They are literally kicking Chinese contributors out of Github!

What shall I do?

[ProtonKicker]

Thx for your help! I'll try to figure this out!

The problem is that there are newbies like me who are trying to bring some good. But anyways, it's always nice to have a helpful community around~🥰