this post was submitted on 05 Jun 2024
35 points (100.0% liked)

Open Source

823 readers
20 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...

top 50 comments
sorted by: hot top controversial new old
[–] Tramort@programming.dev 70 points 5 months ago (7 children)

It's fine. The added security is huge

The problem is when they want you to install their TOTP app in order to authenticate (I'm looking at you, steam... fuck off)

[–] n2burns@lemmy.ca 21 points 5 months ago* (last edited 5 months ago) (3 children)

I think I'd still prefer to use a 3rd-Party TOTP app but at least Steam's app adds some value by pushing a notification when you login.

[–] scrubbles@poptalk.scrubbles.tech 22 points 5 months ago

Steam is okay in my book because steam was the OG 2FA provider. They forced 2FA on everyone, all the way back in 2007, they took security seriously before anyone else really cared. So, they're grandfathered in.

[–] ultratiem@lemmy.ca 3 points 5 months ago (1 children)

I hate that. I think it’s lazy af.

load more comments (1 replies)
load more comments (1 replies)
[–] lemmyvore@feddit.nl 9 points 5 months ago (7 children)

If you're rooted, Aegis can import the seed from the Steam app then you don't need it anymore.

load more comments (7 replies)
[–] jjlinux@lemmy.ml 3 points 5 months ago (1 children)

How's that? I've had TOTP in my github account for over a year, on Aegis, and I have not seen them asking me to do anything else.

[–] Tramort@programming.dev 7 points 5 months ago (1 children)

GitHub is not an offender right now, but I can easily imagine Microsoft forcing some MS OTP app in the future

[–] jjlinux@lemmy.ml 3 points 5 months ago

Agreed. It would surprise nobody.

load more comments (4 replies)
[–] scrubbles@poptalk.scrubbles.tech 55 points 5 months ago (2 children)

SMS is the least secure form of 2FA, and sim swaps are a very real thing. Whatever you're issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.

And this isn't just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing, your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2fa or email 2fa I wouldn't trust.

[–] lemmyvore@feddit.nl 5 points 5 months ago (2 children)

SMS 2FA is still better than no 2FA.

[–] scrubbles@poptalk.scrubbles.tech 3 points 5 months ago (2 children)

But it should be the last resort. It makes sense why it's being phased out

load more comments (2 replies)
[–] delirious_owl@discuss.online 3 points 5 months ago* (last edited 5 months ago)

Not if the org uses SMS auth as a recover method for your "lost" password

Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.

I generally don't let my team enter phone numbers into their account data.

load more comments (1 replies)
[–] tortiscu@feddit.de 17 points 5 months ago
[–] delirious_owl@discuss.online 17 points 5 months ago (1 children)

What's wrong with using a Foss TOTP app?

[–] kevincox@lemmy.ml 3 points 5 months ago

Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn't need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.

[–] wesker@lemmy.sdf.org 16 points 5 months ago (1 children)

I just use Bitwarden's 2FA functionality.

[–] unknowing8343@discuss.tchncs.de 7 points 5 months ago (3 children)

This is premium functionality, for those who don't know.

[–] starman@programming.dev 3 points 5 months ago* (last edited 5 months ago) (2 children)
[–] lemmyvore@feddit.nl 3 points 5 months ago

Can it export the seeds?

[–] beyond@linkage.ds8.zone 3 points 5 months ago

This app is actually free (as in freedom) and not merely gratis.

https://github.com/bitwarden/authenticator-android

[–] Tibi@discuss.tchncs.de 3 points 5 months ago (1 children)

And I heard that if you self host you can use the premium features for free

[–] EddyBot@discuss.tchncs.de 3 points 5 months ago

I believe thats only true for the unofficial version (Vaultwarden - API compatible to any Bitwarden app)

load more comments (1 replies)
[–] pr06lefs@lemmy.ml 12 points 5 months ago (1 children)

I use keepassxc to generate the code.

[–] Tibi@discuss.tchncs.de 4 points 5 months ago* (last edited 5 months ago)

Agreed, me to! And I use syncthing to sync my database between my devices Edit: mine is called KeePassDX but its the same database file

[–] Dymonika 10 points 5 months ago (7 children)

I don’t love the idea of having an authenticator app installed on my phone

For anything? Why not? Surely you don't believe SMS-based TOTP is safer, right?

load more comments (7 replies)
[–] toastal@lemmy.ml 8 points 5 months ago (1 children)

Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.

But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.

[–] fuzzzerd@programming.dev 5 points 5 months ago (2 children)

Did you forget the ./s or something? Lemmy itself is developed on GitHub, as are plenty of other "valuable" open source projects. To pretend nothing of value is built there is putting your head in the sand.

If you're developing software on GitHub you have a chance at getting some useful feedback, bug reports and maybe even PRs. Like it or not, the network effect is real.

[–] refalo@programming.dev 5 points 5 months ago* (last edited 5 months ago)

SFC recommends to not use them, so that's what I will keep (not) doing.

[–] toastal@lemmy.ml 3 points 5 months ago* (last edited 5 months ago)

Not /s

It is long past the time to move on. We don’t like the ads, gamified/corporate-friendly social media aspects, & enshitification of the web (which is why we are an Lemmy not Reddit), so why would we want that same platform for our code?

Also Lemmy has every interest in moving as soon as ForgeFed is finalized & merged into a forge the can host since they want the same decentralized values for their forge as their forum/link aggregator platform and have publicly acknowledged it is a problem.

Your projects should follow that example, if not your current projects at least future ones. These megacorporation are not our friends.

[–] CrypticCoffee@lemmy.ml 7 points 5 months ago (1 children)

Codeberg, or failing that, GitLab, or BitBucket. Allowing MS to control all FLOSS software, means they might probably secretly get consent to use your code for copilot training without respecting licences. I have no idea if this happens, or might in the future, as I ain't reading the terms of service for something I do not use, however, I have little trust for them enough for air on the side of caution.

load more comments (1 replies)
[–] Jayjader@jlai.lu 7 points 5 months ago* (last edited 5 months ago) (1 children)

I already use pass ("the unix password manager") and there's a pretty decent extension that lets it handle 2fa: https://github.com/tadfisher/pass-otp

Worth noting that this somewhat defeats the purpose of 2fa if you put your GitHub password in the same store as the one used for otp. Nevertheless, this let's me sign on to 2fa services from the command line without purchasing a USB dongle or needing a smartphone on-hand.

[–] vvv@programming.dev 5 points 5 months ago* (last edited 5 months ago) (1 children)

Your two factors shift to possession of your password vault + knowledge of the password to it. You're okay IMO.

You also still get the anti-replay benefits of the OTPs, though that might be a bit moot with TLS everywhere.

[–] Jayjader@jlai.lu 3 points 5 months ago

You're right, I should have been more specific.

If you're already storing your password using pass, you aren't getting 3 factors with pass-otp unless you store the otp generation into a separate store.

For services like GitHub that mandate using an otp, it's convenient without being an effective loss of 2fa to store everything together.

[–] cmnybo@discuss.tchncs.de 6 points 5 months ago

I just use my password manager to generate the TOTP. There's no way I'm going to install an app just to use a website.

[–] thingsiplay 5 points 5 months ago (2 children)

I have a dedicated phone with a dedicated number which stays at home all the time. Call it (see what I did there) the Authenticator phone, which only job is to authenticate me when needed. Not only for Github, but other services too. Minimizing the risk to lose or break the device. And companies don't get all my private stuff.

[–] makeasnek@lemmy.ml 8 points 5 months ago (8 children)

Works great till somebody does a sim swap on you.

load more comments (8 replies)
[–] chevy9294@monero.town 3 points 5 months ago (1 children)

That's exactly what I'm planning to do, a phone that forwards all sms messages through ntfy (or other service like signal) to me.

[–] chebra@mstdn.io 4 points 5 months ago (2 children)
[–] thingsiplay 3 points 5 months ago

Interesting software. Never heard about this. This is not really for me as I don't do SMS authentification or SMS in general or use that phone at all, other then authenticate myself from time to time. I wonder how this differs from software like KDEConnect in its practically (not in the technical implementation differences).

[–] chevy9294@monero.town 3 points 5 months ago

Thanks but I'll be running postmarketOS and make sms forwarder myself.

[–] ultratiem@lemmy.ca 4 points 5 months ago* (last edited 5 months ago)

iCloud Keychain. Has the ability to store 2FA codes and pull them up automatically. GitHub also supports passkeys so most times I just log in with my biometrics or user pass and don’t have to worry about the added layer.

I’m fine with regular 2FA. What I can’t abide is having to use proprietary apps, like Blizzard’s battle net. Steam too.

Passkeys are the future but still a ways off.

Wild tho that you don’t have any other accounts needing 2FA? That’s scary to me as that added security goes a long ass way in regards to hardening your secuity.

[–] XTL@sopuli.xyz 4 points 5 months ago
[–] nothacking@discuss.tchncs.de 3 points 5 months ago

pass otp. Works, more secure then SMS, open source.

load more comments
view more: next ›