Microsoft :: Github mandating 2FA - What will you do?
-
@jdaviescoates said in Microsoft :: Github mandating 2FA - What will you do?:
2FA code using an authenticator app.
Can you use an authenticator of your choice, or do they require a blob?
Vaultwarden's OTP handling is lovely. Would that suffice?
-
2FA with authenticator apps is, by and large, all using TOTPs (https://en.wikipedia.org/wiki/Time-based_one-time_password), and therefore is effectively standardized. Whether you use Google's Authenticator, Authy, FreeOTP, Keepass, Vaultwarden, or something else, it doesn't matter. Or, if you find a provider where it does matter, you might want to be concerned.
https://alternativeto.net/software/google-authenticator/?license=opensource
You can also, in many 2FA contexts, use a hardware key, which has some added benefits (and drawbacks, mostly "it's a thing you can lose"). Or
https://www.crowdsupply.com/sutajio-kosagi/precursor
if you really want a serious bit of kit from an open-and-secure perspective.
In short, and with kindness: I think you're searching for a boogeyman where there isn't one. I want 2FA on every account that matters to me, and I especially want stronger authentication frameworks in my software supply chain. I want 2FA on my bank accounts, I want 2FA on my email... really, I want something that goes beyond a single, salted/hashed password everywhere.
I'm not saying you shouldn't want to self-host your code on your own stack, and only use the most libre of free software. However, I think worrying about TOTP/2FA is like worrying about the "forced" transition to HTTPS everywhere. It's actually a good thing, and it isn't a "give us all your information" play. 2FA is a smart thing to do.
That said, I'm not keen on biometrics as a second factor.
-
I'm at a loss here. Can someone please explain where the "bad" part is about this new requirement?
-
@humptydumpty said in Microsoft :: Github mandating 2FA - What will you do?:
where the "bad" part is about this new requirement?
It's only bad in the eyes of uneducated conspiracy nuts.
-
@fbartels said in Microsoft :: Github mandating 2FA - What will you do?:
uneducated conspiracy nuts
Hey, that's me 99.997% of the time, and even I don't see the bad in having 2FA. I mean Microsoft owning Github is the real red flag.
-
@humptydumpty well as long as you don't think it's the deep state that only wants control of the chip in your brain, then there is still hope for you
-
@humptydumpty said in Microsoft :: Github mandating 2FA - What will you do?:
I'm at a loss here. Can someone please explain where the "bad" part is about this new requirement?
I think part of it comes from a mentality that whenever one of the big players like M$FT do something, there is a hidden agendum behind it, usually something which undermines Free Software and societies that would like to use Free Software for their infrastructure.
If you have watched them long enough, you end up looking at them with an outlook that they are an adversary.
In this case, and I am not familiar with it, my immediate thought was that they are going to use a security excuse to ram through digital identity requirements, for example, by requiring a phone number, which in turn has other requirements.
As it transpires, it seems they do not require a phone... at the moment. They usually move inch by inch, towards a state like we have in China today.
-
@LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:
Can you use an authenticator of your choice, or do they require a blob?
Any.
Personally I use FreeOTP+ (only the + version has import/export)
Vaultwarden's OTP handling is lovely. Would that suffice?
Yes.
-
@jadudm said in Microsoft :: Github mandating 2FA - What will you do?:
2FA with authenticator apps are, by-and-large, all using TOTPs (https://en.wikipedia.org/wiki/Time-based_one-time_password), and therefore are effectively standardized. Whether you use Google's Authenticator, Authy, FreeOTP, Keepass, Vaultwarden, or something else, it doesn't matter.
Exactly. Often sites say "use Google's Authenticator" but in my experience that has never actually meant that you can only use that - any will do. I use FreeOTP+ (only the + version has import/export).
-
@LoudLemur You don't have to associate your phone number. I use a Yubikey with my Github account, and for TOTP it's just an AuthN app.
You should look up "decentralized identity", "self-sovereign identity", and "verifiable claims" - both are tied in with digital ID and their proponents are explicitly working on them to improve privacy and reduce dependency to have an online identity requiring staying in the good graces of companies like Google or Facebook. Most of the interactions you mention are already ones that require a physical credential, including 'health' certification - I have my vaccine records since birth in a booklet which we would present when applying for visas to certain countries - so I'm not sure why a digital version would inherently be more problematic. A digital identity means that you can allow sharing only the information necessary for a transaction and nothing more (i.e, your digital ID shows your picture and a box that says "legal drinking age" to the bouncer or bartender - not your address, birthday, name, etc.)
-
@LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:
The 2FA that uses OTP like some of the applications on Cloudron is rather pleasant though. No need for a 'phone'.
I recommend this one Aegis Free and Open Source and available from F-Droid.
-
@robi said in Microsoft :: Github mandating 2FA - What will you do?:
IMO they will lose a lot of people following these restrictions.
Why do you think so? 2FA is actually something VERY secure. So much, that I'd have time to figure out how to pierce such protection. It might be F....ng hard!
The intentions behind it are less than honorable.
It's always the case with microsh.t in all they do anyway, however 2FA with TOTP will not identify you personally and it's powerful.