HACKER Q&A
📣 megamix

GitHub Requires 2FA – What For?


Alright, this is not specific to GitHub. But given their recent change, I'm noticing I cannot use their site anymore.

Why is it a good thing to couple your smart device like this? I specifically fear the day I cannot access any website with 2FA because I cannot restore my device that has the original 2FA from backup.


  👤 t_believ-er873 Accepted Answer ✓
Because 2FA is part of security. It's one of the security features that can help protect data from unauthorised access. More about security best practices: https://gitprotect.io/blog/github-security-best-practices-15...

👤 mikewarot
Because we can't trust our Operating Systems to do their jobs (they're structurally incapable of doing so), we have to trust every bit of code we run instead. GitHub is where a lot of code that gets executed is exchanged, therefore we have to beef up the security on GitHub. Thus, GitHub requires 2FA.

👤 austin-cheney
Two factors of 2FA means any two of what you know, what you have, or what you are. The idea is that one factor is not enough, because a password can be compromised and then you are fucked. Somebody has successfully compromised my GitHub password in the past, and 2FA prevented them from gaining access even with my password.

👤 solardev
You can use something like 1Password to just save the 2fa to the cloud, so you can sign in on any device. In that case it's tied to your master password and secret key instead of a particular device.

This does change the 2fa from "something you know and something you have" to "two things someone else knows", but in day to day use it's way more convenient than a phone authenticator.

If any device dies, you can log in on a new device with your master password and secret key. Typically you would print out the secret key and keep it somewhere safe, or else save it somewhere else you can access.

------

With standard 2fa you can also print out recovery codes, but it's such a pain to set every service back up when you change phones. Having them in the cloud means it's account based and not device based. Way easier, probably less secure.


👤 operator-name
When you registered for 2FA, it will have given you backup tokens to be written down. They're designed for this exact situation.

Given the number of software projects that use GitHub as their canonical distribution platform and the number of supply chain attacks due to hacks, it's now pretty obvious why they've started enforcing 2FA.
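As an added illustration (not code from any commenter in this thread), this is what the "something you have" in solardev's and operator-name's posts actually boils down to: a shared TOTP seed and a handful of single-use recovery codes. Any device that holds the seed, whether restored from a backup, a password manager or a printout, produces identical codes, and a recovery code is just a random secret the service keeps only as a hash and burns on first use. The seed is the RFC 6238 reference seed, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30      # TOTP time step in seconds
DIGITS = 6     # length of the code shown by the authenticator app

def totp(seed_b32: str, unix_time: int) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1) for a base32 seed at a Unix time."""
    pad = "=" * (-len(seed_b32) % 8)                  # tolerate unpadded base32 seeds
    key = base64.b32decode(seed_b32.upper() + pad)
    counter = struct.pack(">Q", unix_time // STEP)    # 8-byte big-endian step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(seed_b32, unix_time + d * STEP), code)
        for d in range(-window, window + 1)
    )

def issue_recovery_codes(n: int = 8) -> tuple[list[str], set[str]]:
    """Return the printable codes for the user and the hashes the service stores."""
    codes = [secrets.token_hex(5) for _ in range(n)]  # 40 bits of entropy each
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def redeem_recovery_code(stored: set[str], code: str) -> bool:
    """Burn a recovery code: valid only if its hash is present, and only once."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False

if __name__ == "__main__":
    # RFC 6238 reference seed (ASCII "12345678901234567890" in base32); constructed demo.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(seed, 1111111109))                     # 081804 per the RFC test vectors
    codes, vault = issue_recovery_codes()
    assert redeem_recovery_code(vault, codes[0]) and not redeem_recovery_code(vault, codes[0])
```

A second "device" is just the same `totp(seed, now)` call with the same seed, which is why backing up the seed (or the printed codes) is what survives a lost phone, and also why whoever holds that backup holds the factor.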


👤 coldtrait
I can't address the primary concern here, but the app I switched to for 2FA, named 2FAS, is able to back up all your codes in case the device gets affected. Either to a Google account or a file.

Google Authenticator did not have this option until recently I believe.


👤 runjake
I suspect GitHub’s insurance company has mandated it or gave notice that they intend to.

👤 theEntroX
Most (but not all) services that use 2FA allow you to set up backup codes so you can recover your password. There are plenty of options for non-smartphone token generators available. It would depend on your needs and what is available to you.

👤 cchance
Install Authy, have 2FA synced to all your devices, no more issues.

👤 revskill
To collect your phone number.

👤 Am4TIfIsER0ppos
You ask what for and I say to facilitate government surveillance. It helps promote the government's spy device. "Look at these jangling keys."