I don't want to use 2FA. It may be better security but I don't care, I don't want to use it for anything except my bank accounts.
I have my password manager and can log in with 1 click to all my sites. 2FA is always a pain in the ass and always extra effort on something my password manager already protects me from.
What's a good alternative that does not require 2FA to sign in and use it?
GitHub is doing something the world needs: putting better security on a huge chunk of the open source software that is shared and relied upon by literally all of humanity.
Any repo, anywhere, has the chance to become a part of the open source ecosystem. Strongly authenticated developer accounts on those repos are critical for everyone's security. It sucks that we are here, but here we are. Password managers are almost enough to save us, but not quite.
I think it is fair to complain about particular factors of 2FA (e.g. TOTP or Yubikey or iPhone Passkey or SMS or whatever). And it's fair to complain that the session timeout on a strongly authenticated persistent session cookie should be user-managed (30 days? no problem! 90 days? I trust my device enough for an API key, why not a cookie?).
And all your command-line stuff is already API key-based on GitHub...
But good 2FA offers real security against a lot of threats. I hope more people embrace it.
Back on topic though: I run a local Forgejo/Gitea instance which doesn't have 2FA (or the maturity of the bigger forges if we are being honest). Could be worth a look if you are up to self hosting it.
Limitless private git repositories.
So I think there are a few potential issues with this argument based on assumptions you're making. I'd argue this isn't entirely true because:
1. Many password managers allow you to manually copy the password into your clipboard, which means you could paste it somewhere that's unsafe / untrusted. Someone could then use this password to authenticate as you. Many sites disallow token reuse, so once a token is used, even if you accidentally pasted that somewhere as well, an attacker couldn't reuse the token.
2. Similarly, if someone has managed to exfiltrate login details you provide without being able to also obtain the session cookie sent back, and the site enforces one time use of MFA tokens, then the MFA token can also avoid a replay attack of your login details.
I'll admit the second one may be a bit contrived, because if they can exfiltrate login details it seems likely they could also just obtain the session cookie. But if said cookie is tied to a certain IP address, then that cookie is useless to them and they wouldn't be able to replay the credentials.
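The one-time-use property the two points above rely on is easy to see in code. The following is an added example, not code from the thread or from GitHub: a stdlib-only RFC 6238 TOTP generator plus a verifier that records the highest time-step counter it has already accepted and refuses any code at or below it, so a code that leaked through the clipboard or a credential exfiltration is useless after its first successful use even while it is still inside the clock-skew window. The secret, time values and `window` size are illustrative; the secret is the RFC 6238 test key, so the expected codes match the RFC's test vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(secret, int(now) // step, digits)


class TotpVerifier:
    """Server-side verifier that enforces single use of each TOTP value.

    `window` is how many steps of clock skew are tolerated on each side.
    `last_used_counter` is the replay guard: any counter at or below it is
    rejected even if its code would otherwise be valid.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_used_counter = -1

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_used_counter:
                continue  # already consumed (or older): reject replays
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_used_counter = c  # burn this step
                return True
        return False


# Constructed demonstration using the RFC 6238 test secret (illustrative values).
SECRET = b"12345678901234567890"


def replay_demo() -> dict:
    """Legit login succeeds; a replay of the leaked code within the window fails;
    the next step's code still works for the real user."""
    v = TotpVerifier(SECRET)
    t = 1111111109  # a time inside one 30-second step
    code = totp(SECRET, t)
    first = v.verify(code, t)
    replay = v.verify(code, t + 5)           # attacker pastes the same code seconds later
    next_code = totp(SECRET, t + 30)         # user's next code, one step later
    second = v.verify(next_code, t + 30)
    return {"first": first, "replay": replay, "second": second}


if __name__ == "__main__":
    print(replay_demo())
```

The replay guard only helps if the server persists `last_used_counter` per user (a database row, not process memory) and if the code is checked in constant time, which is why `hmac.compare_digest` is used rather than `==`.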
I use passkeys in 1Password for GitHub access
Go with the times and accept that 2FA everywhere is good and the norm. As someone else mentioned: browser-integrated password managers can autofill 2FA for you, meaning there's no extra hassle needing to look up, copy, paste & confirm an extra step.
Codeberg looks interesting. (I have most git stuff also on a private server.)
I don't mind 2FA if it is password and email, but github's 2FA requires an app (but I have no smartphone) or a GSM number and they ain't getting that.
Instead of looking to disable 2FA, look to speed-up providing 2FA codes.
Most password managers support auto-filling 2FA codes. Yes, some are still super-old school and only support SMS and email. But Safari on macOS (for example) can pre-fill the texted/emailed codes (as long as Mail.app is open, and/or your phone is paired with your computer).
Even better/faster? Passkeys. GitHub supports them, and they’re the fastest (and most secure?) login solution.
There are all sorts of solutions for this problem outside of making security worse.
If you get a YubiKey, it's very convenient to use. Your password manager can't protect you from phishing attacks. As someone who has seen probably tens of thousands of phishing attacks, I am not confident I can identify one if it is sufficiently well crafted. In your mindset, you are fully sold that you are logging into the right place when you fall for one.
- Your decision makes me sad, ketchup is great
- Get with the times, everyone has ketchup, you should too, it's good for you
- It's a weird thing to be hung up on, just eat the ketchup
- You could scrape it off with a knife
etc etc ...
Added: for clarity, while they do not require SMS/email/fingerprint/YubiKey, they do have an "app code" thingy, which means that whenever you push, pull, etc. you will have to enter one extra password.
That PW can be stored in your PW manager like any other PW
As far as other origins, I have been a fan of gitlab and wanna try out sourcehut.
https://f-droid.org/en/packages/io.ente.auth/
Like Google Authenticator, they break all RFCs and recommendations and store the seed and keys on their servers (or yours, it's open source both ways, but we know it won't happen).
Unlike Google Authenticator, I can trust them a little, as they went through 3rd-party certification of the backup end-to-end encryption :thumbs-up