Hacker News
Ask HN: Git hosting sites that do not require 2FA?
22 points by sergiotapia on Nov 28, 2023 | 54 comments
Today I had a big ugly banner on top of Github: Use 2FA or your account will be disabled in January.

I don't want to use 2FA. It may be better security but I don't care, I don't want to use it for anything except my bank accounts.

I have my password manager and can login with 1 click to all my sites. 2FA is always a pain in the ass and always extra effort on something my password manager already protects me from.

What's a good alternative that does not require 2FA to sign in and use it?




Your decision makes me sad.

GitHub is doing something the world needs: putting better security on a huge chunk of the open source software that is shared and relied upon by literally all of humanity.

Any repo, anywhere, has the chance to become a part of the open source ecosystem. Strongly authenticated developer accounts on those repos are critical for everyone's security. It sucks that we are here, but here we are. Password managers are almost enough to save us, but not quite.

I think it is fair to complain about particular factors of 2FA (e.g. TOTP or Yubikey or iPhone Passkey or SMS or whatever). And it's fair to complain that the session timeout on a strongly authenticated persistent session cookie should be user-managed (30 days? no problem! 90 days? I trust my device enough for an API key, why not a cookie?).

And all your command-line stuff is already API key-based on GitHub...

But good 2FA offers real security against a lot of threats. I hope more people embrace it.


Another commenter below used the phrases high and low value accounts which gets to the crux of why 2FA is a PITA (for me). GitHub is a low value account for me. It's basically Pinterest for code; I track interesting repos, sometimes I raise an issue, and I have dark mode turned on. I have 2-3 garbage private repos that I don't use, so if my account was compromised, it'd be like this:

https://media.tenor.com/vJLaS5etgRwAAAAd/shit-wow.gif

It would be like if Reddit started requiring 2FA to 'protect my account'.

If I was using GH in a professional capacity, this would be different. But I guess I resent that I don't get to make the choice. Security Daddy at GitHub thinks I'm too stupid.


It's a weird thing to be hung up on. Set up 2FA, remember your device, and that's it. You get added security at no cost to ease of use.


I'm paranoid after enabling 2FA after failing once to save the recovery codes correctly. Not sure what actually happened exactly, but when I managed to get back in despite the odds, the shown recovery codes were _different_ from the ones I had saved locally.

Losing your authenticator and recovery codes means the account is lost permanently. This feels like a bigger threat to my account security than not having 2FA. Not saying it _is_ a bigger threat, but it feels like a bigger threat.


You have to simultaneously lose every 2FA device, the recovery codes, and every active session of the service on every computer to get locked out. And even then, there is usually always an account recovery process you can go through. It really isn't all that risky.

You know a much easier and way more probable way to lose an account? If the password gets leaked/intercepted and there's no other security check.



Most websites you can add multiple 2FA options. Get a yubikey (or two) and set it up as a backup. Then just keep your yubikey somewhere safe in your house. I keep it where I keep my passport and other stuff like that.


Think I'd rather have stupid password complexity and update requirements foisted on me than 2FA. Takes an 8 second activity and turns it into 30-60s when it's by SMS or email OTP. Especially frustrating when it's a known device, too.

Back on topic though: I run a local Forgejo/Gitea instance which doesn't have 2FA (or the maturity of the bigger forges if we are being honest). Could be worth a look if you are up to self hosting it.


Buy a $5/month Linode (err, Akamai-node?) and `git init --bare /srv/whatever.git` and git clone yourdomain:/srv/whatever.git

Limitless private git repositories.


If you want to go fancy, get a bigger node and self-host GitLab.


Used to be some decent open source web UIs you could host too. Haven't looked in AGES though.


cgit is good if you want a read-only web ui.

Also, git has a built in web server.

https://git-scm.com/docs/gitweb


Gitea is good.


>I have my password manager and can login with 1 click to all my sites. 2FA is always a pain in the ass and always extra effort on something my password manager already protects me from.

So I think there are a few potential issues with this argument based on assumptions you're making. I'd argue this isn't entirely true because:

1. Many password managers allow you to manually copy the password into your clipboard, which means you could paste it somewhere that's unsafe / untrusted. Someone could then use this password to authenticate as you. Many sites disallow token reuse, so once used, if you accidentally pasted that somewhere as well, an attacker couldn't reuse the token.

2. Similarly, if someone has managed to exfiltrate login details you provide without being able to also obtain the session cookie sent back, and the site enforces one time use of MFA tokens, then the MFA token can also avoid a replay attack of your login details.

I'll admit the second one may be a bit contrived, because if they can exfiltrate login details it seems likely they could also just obtain the session cookie. But if said cookie is tied to a certain IP address, then that cookie is useless to them and they wouldn't be able to replay the credentials.


Some platforms let passkeys count as password+2FA which could be an option if you use a password manager that supports it.

I use passkeys in 1Password for GitHub access


GitHub supports passkeys, and your password manager might too. I like the flow better than passwords, I just click "log in" and it goes.


GitLab (which has better CI too), Codeberg (simpler, only public repos).


Define better CI? It is much slower and way more expensive than GHA with all its free M$ money.


You get 2k minutes free a month which is enough for my side projects. Not used GH for a while, maybe they've upped their game ...


Use 2FA in your password manager. 1Password supports it, I assume others also do.


Bitwarden does too.


> It may be better security but I don't care, I don't want to use it for anything except my bank accounts.

Go with the time and accept that 2FA everywhere is good and the norm. As someone else mentioned: Browser-integrated password managers can autofill 2FA for you, meaning there's no extra hassle needing to lookup, copy, paste & confirm an extra step.


> Browser-integrated password managers can autofill 2FA for you

Meaning that it defeats the entire point of 2FA. 2FA used in this way is only security theater.


So as I mentioned in another comment, it's not entirely security theater. If the site enforces that an MFA token is truly one time use, then this can prevent replay attacks of your credentials being used to create a new session.

If someone compromised your password store, then yeah it's all over. But if the compromise happens elsewhere, it can be a useful layer to the security onion.


Why? It depends on your scenario. If it is “attacker gets hold of my wallet” then yes, you’re screwed.

But 2FA still helps if a single password was leaked/bruteforced/phished, and afaict most password managers in autofill mode recognize the browser URL, so it's quite phishing safe (2nd factor won't be autofilled on the wrong website).

Security is not binary, and 2fa via password manager is still much better than no 2fa; it’s not pointless.


I agree, but not entirely. I.e. you can steal a password, but normally no password manager would allow you to export the underlying 2FA code.


I have raised this point so many times. People tend to forget why they are using a particular technology in the first place.


Never understood the point of storing your 2fa where your passwords are.


If your password manager gets compromised, sure, but if someone gets access to a website's database with password hashes, the 2fa is a pretty big part that they're missing.


This does assume they aren't able to also compromise the encryption key used to protect the secret:

https://news.ycombinator.com/item?id=10845985

https://news.ycombinator.com/item?id=11136948


Agree with others that you shouldn't use your password manager as your 2FA provider, but depending on your mix of phone and computer, it's possible to copy and paste from phone to computer (maybe require a bit of setup on anything other than iOS to Mac)


(Copypasting my answer to another comment)

Why? It depends on your scenario. If it is “attacker gets hold of my wallet” then yes, you’re screwed.

But 2FA still helps if a single password was leaked/bruteforced/phished, and afaict most password managers in autofill mode recognize the browser URL, so it's quite phishing safe (2nd factor won't be autofilled on the wrong website).

Security is not binary, and 2fa via password manager is still much better than no 2fa; it’s not pointless.


I feel you, got the mail today saying I need 2FA by January 19th. So bye bye github and thanks for all the fish.

Codeberg looks interesting. (I have most git stuff also on a private server.)

I don't mind 2FA if it is password and email, but github's 2FA requires an app (but I have no smartphone) or a GSM number and they ain't getting that.


My password manager has 2FA built in. I've used it with GitHub for years. Super simple flow.


I’m not going to answer the question as-asked because its core premise is flawed.

Instead of looking to disable 2FA, look to speed-up providing 2FA codes.

Most password managers support auto-filling 2FA codes. Yes, some are still super-old school and only support SMS and email. But Safari on macOS (for example) can pre-fill the texted/emailed codes (as long as Mail.app is open, and/or your phone is paired with your computer).

Even better/faster? Passkeys. GitHub supports them, and they’re the fastest (and most secure?) login solution.

There are all sorts of solutions for this problem outside of making security worse.


You can probably sign up for Azure without 2FA and use Azure DevOps, or just host Gitea somewhere.

If you get a yubikey, it's very convenient to use. Your password manager can't protect you from phishing attacks. As someone who has seen probably 10's of thousands of phishing attacks, I am not confident I can identify one if it is sufficiently well crafted. In your mindset, you are fully sold that you are logging into the right place when you fall for one.


Just get 1Password, it will store your PW and your MFA.


Strictly making 2FA useless, as you’re making it 1FA: your password manager.


(Copypasting my answer to another comment)

Why? It depends on your scenario. If it is “attacker gets hold of my wallet” then yes, you’re screwed.

But 2FA still helps if a single password was leaked/bruteforced/phished, and afaict most password managers in autofill mode recognize the browser URL, so it's quite phishing safe (2nd factor won't be autofilled on the wrong website).

Security is not binary, and 2fa via password manager is still much better than no 2fa; it’s not pointless.


Use 2FA in your password manager. Most support it.


How does that work? Isn't the second factor normally a text message to your phone?


GitHub and many other sites support TOTP 2FA. These create a key which is used by a TOTP app to generate a time-based code. This is generally considered better than SMS codes as it's harder for someone else to hijack. There are loads of TOTP apps; Google Authenticator is a popular one, but lots of password managers like 1Password and co also support it.

I use my password manager for 2FA for low value accounts. High value ones I use a separate mobile app. I only use SMS when the service forces me to because they don't support anything else.

The risk here is of course that if your password manager is compromised, your second factor has no security value. For some cases people might be okay with that. In many cases I'm more concerned about a password being leaked rather than my password manager being compromised. For anything with significant value to me, I use a separate 2FA app though. In this case if my password manager was compromised, 2FA gives me some added security.


It's extremely risky to use MFA via text messages, due to the commonality of SIM swap attacks. Attacker calls your cell phone provider, executes a social engineering attack to authenticate as you, and can now route your phone calls and text messages to a device they own. It's a good idea to avoid SMS/Phone MFA.

If you use a token generator (Google Authenticator, Authy, or the one built into products like 1Password), a shared secret key is used to generate the MFA token. You store this secret in that software, and it uses the current time + that secret key to generate the MFA token.

This is a far better mechanism than the SMS or phone call based approach. And in this mechanism you can store the secret in any software that's able to generate the token using that algorithm.

Most commonly it's this algorithm: https://datatracker.ietf.org/doc/html/rfc6238


It isn't a true second factor. See here for a discussion on it: https://www.reddit.com/r/1Password/comments/1247mho/help_wit...


<personal_opinion> I, for one, tend to churn from products that don't let me use 2FA.</personal_opinion>


Ask HN: Today I saw that McDonalds has mandatory ketchup from 1 Jan. I don't like ketchup on my burger -- anyone know a place where it's optional?

- Your decision makes me sad, ketchup is great

- Get with the times, everyone has ketchup, you should too, it's good for you

- It's a weird thing to be hung up on, just eat the ketchup

- You could scrape it off with a knife

etc etc ...


Bad analogy.

It’s more like: people have been getting food poisoning from the shared soda machines, and now McDonalds require you to wear gloves before using the machine. Then OP and you are like:

- I don’t care about getting or giving others food poisoning.

- Putting on gloves is too annoying.

- I’d rather get food poisoning than put on a glove.

- I’m clean, trust me bro.

People have already recommended selfhosted alternatives like gitea.


It's actually quite a good analogy since my point was that 90% of the responses to the OP's question (including yours) ignore the actual question and instead scold the OP for their views on the desirability of 2FA. In my analogy, I remove the opportunity to do that by replacing "2FA" by "ketchup on a burger", making the nature of those responses the focus. That mocking of HN bikeshedders was my aim.

> Then OP and you are like:

No, the OP asked a question and I gave an actual answer to that question: https://news.ycombinator.com/item?id=38452286


Why do I need to put on gloves if all I want to do is report that the shared soda machine is leaking?

I use GH only a few times a year, mostly to report bugs but sometimes to comment on issues where I've been asked to chime in for a FOSS project.

For me (someone without a smart phone or dedicated security hardware), the increased activation barrier for using GH doesn't seem worth my effort to figure things out.

If the soda machine is leaking, I'll just email one of the developers instead.

FWIW, I use and pay for Sourcehut hosting. I don't like the near-monopoly dominance of Microsoft, and the ever-increasing dependence of FOSS development on a proprietary back-end.


- bitbucket is one option.

Added: for clarity, while they do not require SMS/email/fingerprint/yubikey they do have an "app code" thingy which means that whenever you push, pull, etc you will have to enter one extra password.

That PW can be stored in your PW manager like any other PW


I partially enabled 2fa in GH (enabled it without setting up an actual second factor). Effectively it turns off password recovery. It lets me be in orgs that enforce a 2fa policy without having to actually have it on github.

As far as other origins, I have been a fan of gitlab and wanna try out sourcehut.


If you use the gh cli, you don't need to use 2fa.


This is my "spam email address" for places that require 2FA "just because":

https://f-droid.org/en/packages/io.ente.auth/

Like Google Authenticator, they break all RFCs and recommendations, and store the seed and keys on their servers (or yours, it's open source both ways, but we know it won't happen).

Differently from Google Authenticator, I can trust them a little as they went thru 3rd party certification of the backup end-to-end encryption :thumbs-up


If you don't need a web UI:

https://github.com/nathants/git-remote-aws

