deleted by creator
they want your phone number so they can track you.
how would they track you?
The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts
phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.
yeah, no idea why you’re getting downvoted, it’s clear why companies are so eagerly embracing and requiring 2FA – if the benefits were only for the consumers, it wouldn’t be mandated anywhere near this quickly. but when they know they get a real human phone tied to every account, that’s a huge motivation
2FA is the biggest bane to my productivity in the last 15 years, no part of my work life should require me to pull out my magic distraction device.
I don’t like how a lot of things require their own custom app, especially when there’s no automatic notification. I need to try and remember what the app is called, open it, navigate through, then approve it
Use a password manager that lets you autofill 2fa, like Bitwarden.
That’s bad advice
Allowing a smartphone access to anything sensitive is even worse advice. Smartphones are notoriously insecure.
You’re right. Dont grant your smartphone access to your GitHub. Just give it one factor.
No offense to companies but I’m honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a “bad phone number”. This happened on discord where I’m locked out of certain servers because I can’t do phone verification, and I can’t do it because discord doesn’t like my phone number. Twitter was the same way for a long while (couldn’t do 2fa/phone verification due to them not liking my number).
From the article it sounds like they’re doing authenticator app or sms. I’m guessing sms won’t work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft… no google?
Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we’re gonna have to have 30 different authenticator apps on our phone?
Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?
you… don’t?
Both of these implement exactly the same protocol (TOTP). Used authy for all my
Top Of The PopsTime-based one-time password needs exclusively, before moving everything to bitwardenAnyone who claims they’re doing OTPs over SMS for “security” ia lying to you. Discord wants your phone number; it has nothing to do with your security
there’s quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.
deleted by creator
I personally am afraid of this. What if something gets botched? I’ll be permanently locked out of my account!
I’d prefer me getting permanently locked out over someone who isnt me getting allowed in. Even more so to services which have my credit card number.
But unlikely anyway, as long as I save my pass and 2fa to a password manager, and keep the backup codes backed up.
Print off your recovery codes and keep them safe. If you want to be extra, hammer them into metal plates like the crypto weirdos do.
Printing recovery codes would require me to either be price gouged by the printer ink cartel or use someone else’s printer, and using someone else’s printer is begging to get my account stolen.
I have no idea how to hammer things into metal plates, but I’m guessing that’s even more expensive than printer ink.
Just use your pen and paper.
I can do that with alphanumeric codes, yeah, but can I get alphanumeric codes from GitHub, or is it going to be a QR code? I can’t write down a QR code…
QR codes are just an encoding. Just use any half-competent QR code app, and it will give you it’s content, which you can then write down. For the reverse you can use any QR code generator.
How do I feed the generated QR code back to GitHub, then? Can I upload an image of it?
Have you ever used any website with 2FA? You don’t need to upload QR codes.
Good, people are fucking stupid and if it effects others it’s often better to choose the security for them!
Yup. I’m actually a bit baffled by how much negativity/misinformation there’s around 2FA even in a place like this, which should naturally have a more technically inclined userbase.
Well negativity is there because every app wants it.
I don’t care if account x is compronised, as it has absolutly no value
I dislike MFA because it creates a risk of losing access to my account. I can back up my passwords; I can’t back up a hardware device.
A hardware device is a physical key. Its no different than backing up your home key. Get two keys and copy them. Keep one on you, and the other in a safe somewhere in case you lose the first.
Hardware tokens are specifically designed to resist copying. Any means of copying it would be considered a security vulnerability.
Bits rot. A hardware token kept in a bank vault may or may not still work when I need it 10 years later, and there is no reasonable process for regularly verifying the integrity of its contents. Backup drives’ checksums are verified with every backup cycle, and so are the checksums on the file system being backed up (I’m using btrfs for that reason).
Hardware tokens are expensive. Mechanical lock keys are not.
Not literally copy, as in have an extra set of keys. A spare key. A bank vault is total overkill. I just bought 2 fido2 keys and register both for the services that support them. Have one on your keychain and another in your desk. 2FA is often way over thought, any adversary needs both factors so something you know and something you own is plenty for most people.
How will I notice when the spare fails, if it’s only a spare and I don’t regularly use it? Then I’m down to only one key, and as any grumpy backup admin will tell you, if you have only one copy of something, you have zero copies.
I would have a key plugged into the computer pretty much all the time when I’m working, so anyone who compromises the computer can impersonate me as long as I’m at work. This would be mildly inconvenient to the attacker, but wouldn’t actually stop the attacker. And if the computer isn’t compromised, how is anyone going to get into my GitHub account even without 2FA? They certainly aren’t going to do it by guessing my 16-character generated password or Ed25519 SSH key.
Something-I-know is worthless for authentication in the age of GPU password cracking. Most humans, including myself, do not have photographic memories with which to memorize cryptographically secure passwords. We’re all using password managers for a reason, and a password database is something you have, not something you know.
2fa should be mandatory everywhere
Hard disagree. I do not want to have 2FA for every shittly little thing I do not care about.
Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.
