I just received an email from Github that they are now ofically begin to require users who contribute code need to have 2FA enabled.

Why isn’t password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?

Would like to hear your thoughts about this.

  • RovingFox@infosec.pub
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    More secure. If my phone is stolen, they have full acces to my mailbox but they will look long and hard at my passworded 2FA app.

    • macniel@feddit.deOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I know it can happen, but it sounds very unlikely. That someone who stole your phone has any interest in your github or other accounts. Worth is mostly the device, no?

      • RovingFox@infosec.pub
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        If I were to steal someones phone in public I will assume they have at least a bank app and multiple apps with their card saved for easy buying. By the time they get access to another device or their banks I get enough time to do a lot of damage. I can also save some credentials for later access after the waters settle. I doubt my victim will go through each of their accounts and change passwords. Most users use a Gmail account which has multiple ways to get access back, and most users don’t know how to check them and disable what they use and not use. I can easy setup a sort of backdoor in their email and gather more important information.

        You never know what important information you might store in your Github account. You have a donation link in your description? Would be a pity if I would change that link to my personal bank account and just divert some fund back in your bank account to not raise suspicion.