Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don’t love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don’t want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)…

    • ssm@lemmy.sdf.org
      link
      fedilink
      arrow-up
      3
      arrow-down
      9
      ·
      5 months ago

      2FA is for people who don’t know how to use randomized passwords for every site

      • Reddfugee42@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        5 months ago

        Brilliant. Until that website’s unsalted pw database is downloaded through a SQL injection.

        Use both. You’re not smarter than security professionals.

        • kevincox@lemmy.mlM
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          5 months ago
          1. Salt doesn’t matter if your password is unique.
          2. If they can download data via SQL injection having them log in probably doesn’t matter that much.
          3. If they can dump your password/hash they can likely also dump the TOTP secret.
          4. A lot of website security expert attention is focused on raising the minimum security level. If you are using randomly generated passwords + auto-fill you are likely above their main target audience.

          So yes, it is slightly better, but in practice that difference probably doesn’t matter. If you use U2F then you may have a meaningful security increase but IMHO U2F is not practical to use on every site due to basically being impossible to manage credentials.

          So yes, it is better. But for me using random passwords and a password manager it isn’t worth the bother.

      • Miaou@jlai.lu
        link
        fedilink
        arrow-up
        3
        ·
        5 months ago

        The day your machine is compromised is also the day ALL your passwords get stolen.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        17
        arrow-down
        3
        ·
        5 months ago

        Yeah I just want to type my name to be able to withdraw money from my bank account. No pesky pins or passwords or any form of authentication /s

        • Zeroxxx@lemmy.id
          link
          fedilink
          arrow-up
          3
          arrow-down
          6
          ·
          5 months ago

          Even in my bank’s ATM there’s only one password, not 2FA. 2FA is 2 factor auth, there’s no 2FA in the ATMs.

          It doesn’t mean the initial password isn’t a layer of authentication, but strictly speaking where I live all ATMs do not employ 2FA.

          • vvv@programming.dev
            link
            fedilink
            arrow-up
            8
            arrow-down
            1
            ·
            5 months ago

            The two factors at an ATM are possession of your bank card + knowledge of your pin. (it also takes your photo, for good measure)

            GitHub will happily accept a smart card or whatever, if an extra plastic rectangle jives with you more than an OTP generator.

              • Reddfugee42@lemmy.world
                link
                fedilink
                arrow-up
                3
                ·
                5 months ago

                “Something you have” is absolutely not equivalent to “something you know”

                You are completely unable to enter this conversation, but you think you’re the smartest one in the room.

                I bet you’re insufferable.