this post was submitted on 05 Jun 2024
50 points (79.1% liked)

Open Source

31354 readers
182 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...

top 50 comments
sorted by: hot top controversial new old
[–] Tramort@programming.dev 98 points 5 months ago (11 children)

It's fine. The added security is huge

The problem is when they want you to install their TOTP app in order to authenticate (I'm looking at you, steam... fuck off)

[–] n2burns@lemmy.ca 24 points 5 months ago* (last edited 5 months ago) (4 children)

I think I'd still prefer to use a 3rd-Party TOTP app but at least Steam's app adds some value by pushing a notification when you login.

[–] scrubbles@poptalk.scrubbles.tech 24 points 5 months ago

Steam is okay in my book because steam was the OG 2FA provider. They forced 2FA on everyone, all the way back in 2007, they took security seriously before anyone else really cared. So, they're grandfathered in.

load more comments (3 replies)
[–] SzethFriendOfNimi@lemmy.world 13 points 5 months ago

Exactly. At the end of the day there’s nothing being transmitted with OTP and using a standard app isn’t an issue.

[–] lemmyvore@feddit.nl 12 points 5 months ago (7 children)

If you're rooted, Aegis can import the seed from the Steam app then you don't need it anymore.

load more comments (7 replies)
[–] peregus@lemmy.world 4 points 5 months ago

Or like eBay

load more comments (7 replies)
[–] scrubbles@poptalk.scrubbles.tech 69 points 5 months ago (7 children)

SMS is the least secure form of 2FA, and sim swaps are a very real thing. Whatever you're issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.

And this isn't just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing, your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2fa or email 2fa I wouldn't trust.

[–] peregus@lemmy.world 12 points 5 months ago* (last edited 5 months ago) (1 children)

Totally agree! 2FA on all the accounts that support it avoiding SMS. And different passwords (complex, auto generated by a password manager) for each single account. I may be paranoid, but I also use a different email alias (SimpleLogin) for every single account! 😆

[–] nrbray@lemmy.ml 5 points 5 months ago

same, a simple habit that is secure, I use it always with maximum privacy. One day you will be in a rush, under stress, affected by age, and use your old habits with a valuable asset...

load more comments (6 replies)
[–] Reddfugee42@lemmy.world 59 points 5 months ago (15 children)

If you're not already using 2fa everywhere you can, you're already doing it wrong.

load more comments (15 replies)
[–] ByteMe@lemmy.world 26 points 5 months ago (3 children)

You can try aegis if you're on Android, open source, local, great

[–] lemmyvore@feddit.nl 4 points 5 months ago (2 children)

Also OTPclient on desktop, it can work directly with an Aegis encrypted export file. You enter the decrypt password when you open the app and it can auto-lock after a specified interval.

load more comments (2 replies)
load more comments (2 replies)
[–] wesker@lemmy.sdf.org 25 points 5 months ago (1 children)

I just use Bitwarden's 2FA functionality.

[–] unknowing8343@discuss.tchncs.de 7 points 5 months ago (4 children)

This is premium functionality, for those who don't know.

[–] starman@programming.dev 6 points 5 months ago* (last edited 5 months ago) (2 children)
load more comments (2 replies)
load more comments (3 replies)
[–] delirious_owl@discuss.online 25 points 5 months ago (1 children)

What's wrong with using a Foss TOTP app?

load more comments (1 replies)
[–] tortiscu@feddit.de 22 points 5 months ago
[–] LucidDaemon@lemmy.world 19 points 5 months ago (1 children)

Yubikey, but thats just a personal preference. A password manager works just as well.

load more comments (1 replies)
[–] pr06lefs@lemmy.ml 13 points 5 months ago (1 children)

I use keepassxc to generate the code.

[–] Tibi@discuss.tchncs.de 5 points 5 months ago* (last edited 5 months ago)

Agreed, me to! And I use syncthing to sync my database between my devices Edit: mine is called KeePassDX but its the same database file

[–] bhamlin@lemmy.world 11 points 5 months ago (2 children)

It's fine. I moved to gitlab years ago for 2fa, so while this doesn't affect me I would be entirely ok with normal 2fa.

It is normal, right? Not a weird Microsoft 2fa requiring their app?

[–] lemmyvore@feddit.nl 18 points 5 months ago

Yes you can use any app, it's standard TOTP.

load more comments (1 replies)
[–] Jayjader@jlai.lu 11 points 5 months ago* (last edited 5 months ago) (1 children)

I already use pass ("the unix password manager") and there's a pretty decent extension that lets it handle 2fa: https://github.com/tadfisher/pass-otp

Worth noting that this somewhat defeats the purpose of 2fa if you put your GitHub password in the same store as the one used for otp. Nevertheless, this let's me sign on to 2fa services from the command line without purchasing a USB dongle or needing a smartphone on-hand.

[–] vvv@programming.dev 7 points 5 months ago* (last edited 5 months ago) (1 children)

Your two factors shift to possession of your password vault + knowledge of the password to it. You're okay IMO.

You also still get the anti-replay benefits of the OTPs, though that might be a bit moot with TLS everywhere.

load more comments (1 replies)
[–] toastal@lemmy.ml 10 points 5 months ago (1 children)

Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.

But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.

[–] fuzzzerd@programming.dev 4 points 5 months ago (2 children)

Did you forget the ./s or something? Lemmy itself is developed on GitHub, as are plenty of other "valuable" open source projects. To pretend nothing of value is built there is putting your head in the sand.

If you're developing software on GitHub you have a chance at getting some useful feedback, bug reports and maybe even PRs. Like it or not, the network effect is real.

[–] refalo@programming.dev 5 points 5 months ago* (last edited 5 months ago)

SFC recommends to not use them, so that's what I will keep (not) doing.

load more comments (1 replies)
[–] Dymonika@beehaw.org 10 points 5 months ago (7 children)

I don’t love the idea of having an authenticator app installed on my phone

For anything? Why not? Surely you don't believe SMS-based TOTP is safer, right?

load more comments (7 replies)
[–] independantiste@sh.itjust.works 7 points 5 months ago

Its more secure and ssh keys are more convenient anyways

[–] ChallengeApathy@infosec.pub 6 points 5 months ago

This hate for 2FA is bizarre to me. Sure, it's not as convenient but in this day and age, with all the threats out there, there's no real excuse for not using it.

[–] cmnybo@discuss.tchncs.de 6 points 5 months ago

I just use my password manager to generate the TOTP. There's no way I'm going to install an app just to use a website.

[–] Kelly@lemmy.world 6 points 5 months ago (1 children)

I generate a TOTP with my password manager, it stores all my other login details and keeps it simple.

[–] Voroxpete@sh.itjust.works 5 points 5 months ago (8 children)

That seems like it defeats the "2" part of 2FA. If your password manager is compromised the attackers now how complete access.

[–] Kelly@lemmy.world 6 points 5 months ago

Technically true.

You are right, having the password in the same vault does mean that if the vault itself is compromised they have both. Guess I could move the TOTP to a separate authenticator app but the only other apps I have a mobile only and there are times I need to login without having hands on my phone.

I guess the time based aspect of the TOTP makes it a little more resistant to having someone monitor my keystrokes or clipboard or whatever and capture a relatively long lived secret like my password. So I guess its a comprise I'm willing to make.

load more comments (7 replies)
[–] XTL@sopuli.xyz 6 points 5 months ago
[–] nothacking@discuss.tchncs.de 4 points 5 months ago

pass otp. Works, more secure then SMS, open source.

[–] CrypticCoffee@lemmy.ml 4 points 5 months ago (2 children)

Codeberg, or failing that, GitLab, or BitBucket. Allowing MS to control all FLOSS software, means they might probably secretly get consent to use your code for copilot training without respecting licences. I have no idea if this happens, or might in the future, as I ain't reading the terms of service for something I do not use, however, I have little trust for them enough for air on the side of caution.

[–] Klear@sh.itjust.works 5 points 5 months ago

I'm gonna keep putting all of my code on github, then. Doing my part to make copilot crash and burn.

load more comments (1 replies)
[–] thingsiplay@beehaw.org 4 points 5 months ago (5 children)

I have a dedicated phone with a dedicated number which stays at home all the time. Call it (see what I did there) the Authenticator phone, which only job is to authenticate me when needed. Not only for Github, but other services too. Minimizing the risk to lose or break the device. And companies don't get all my private stuff.

[–] makeasnek@lemmy.ml 8 points 5 months ago (8 children)

Works great till somebody does a sim swap on you.

load more comments (8 replies)
load more comments (4 replies)
[–] WormFood@lemmy.world 3 points 5 months ago

last time I signed into my Microsoft 365 account for work I got two separate 2fa prompts and two captchas, it was like being in an episode of the crystal maze. the mere act of signing into something is now tedious and difficult

load more comments
view more: next ›