
Microsoft :: Github mandating 2FA - What will you do?

    robi
    wrote on last edited by
    #1

    IMO they will lose a lot of people following these restrictions.

    The intentions behind it are less than honorable.

    Conscious tech

      LoudLemur
      wrote on last edited by LoudLemur
      #2

      @robi , thanks.

      What they want is a dystopic, technological surveillance-state, where nobody can say or do anything without digital permit.

      Which would be the best Free alternative to Github at the moment? Currently, Cloudron requires a Github listing for an application to be packaged.

      Codeberg? Gitlab?

        jadudm
        wrote on last edited by
        #3

        Are you referencing this?

        https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/

        Why would 2FA requirements drive developers away from using a code hosting platform?

        I use Cloudron on a Dell 7040 I bought on eBay.

          girish
          Staff
          wrote on last edited by
          #4

          @LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:

          Currently, Cloudron requires a Github listing for an application to be packaged.

          This is not true. We already have a few apps like baserow, jirafeau etc from GitLab. Not to mention minecraft, emby, ctfreak etc which are not listed anywhere.

            robi
            wrote on last edited by
            #5

            @jadudm if you have an account on GH, you've been receiving threatening emails about loss of access if you don't do as they say.

            Conscious tech

              LoudLemur
              wrote on last edited by
              #6

              @girish said in Microsoft :: Github mandating 2FA - What will you do?:

              This is not true.

              Thanks. I am glad of that. I had thought it was a requirement.

                necrevistonnezr
                wrote on last edited by
                #7

                @LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:

                @robi , thanks.

                What they want is a dystopic, technological surveillance-state, where nobody can say or do anything without digital permit.

                Errrr, sure 👻
                Or they try to do everything in their (limited) power to avoid threat actors breaching GitHub accounts and inserting malicious code into repositories by disguising themselves as the Dependabot tool (there have been several campaigns like this) - which by the way is also a question of liability for Microsoft. I work in an IT-company and you won’t believe how many customers disregard basic safety features like MFA.
                And with GDPR, you have certain responsibilities as a service provider to push your customer to implement such features (or to decline service if they don't), with more specific legislation on the way.
                And also BTW: Microsoft Authenticator is great - unlike "normal" or "passive" OTP (where it just generates numbers as a 2nd factor), you receive a push every time someone tries to access the secured account. This improves security a lot.

                  LoudLemur
                  wrote on last edited by
                  #8

                  Good to hear, @necrevistonnezr
                  Does their 2FA require a phone number? I suspect it will. Internet users are being herded towards an online digital ID, where "The Powers That Shouldn't Be" know precisely who exists where and at what time online. This online digital ID will seamlessly integrate with offline digital passports, which will be required for mandatory government interactions, travel, 'health' certification and participation in the economy.

                  Most people seem to be quite OK with this and find nothing sinister about it. They design it to be convenient to get the masses involved. Once in the net, it is difficult to escape. Take a look at China's Social Credit Score system, the mandatory government spyware on devices. They want that in every country.

                  The 2FA that uses OTP like some of the applications on Cloudron is rather pleasant though. No need for a 'phone'.

                  If M$FT do not require one, I will be surprised.

                    jdaviescoates
                    wrote on last edited by
                    #9

                    @LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:

                    Does their 2FA require a phone number? I suspect it will.

                    No, just setting up a 2FA code using an authenticator app.

                    I use Cloudron with Gandi & Hetzner

                      LoudLemur
                      wrote on last edited by
                      #10

                      @jdaviescoates said in Microsoft :: Github mandating 2FA - What will you do?:

                      2FA code using an authenticator app.

                      Can you use an authenticator of your choice, or do they require a blob?
                      Vaultwarden's OTP handling is lovely. Would that suffice?

                        jadudm
                        wrote on last edited by
                        #11

                        2FA with authenticator apps are, by-and-large, all using TOTPs (https://en.wikipedia.org/wiki/Time-based_one-time_password), and therefore are effectively standardized. Whether you use Google's Authenticator, Authy, FreeOTP, Keepass, Vaultwarden, or something else, it doesn't matter. Or, if you find a provider where it does matter, you might want to be concerned.

                        https://alternativeto.net/software/google-authenticator/?license=opensource

                        You can also, in many 2FA contexts, use a hardware key.

                        https://www.yubico.com/

                        which have some added benefits (and drawbacks, mostly "it's a thing you can lose"). Or

                        https://www.crowdsupply.com/sutajio-kosagi/precursor

                        if you really want a serious bit of kit from an open-and-secure perspective.

                        In short, and with kindness: I think you're searching for a boogeyman where there isn't one. I want 2FA on every account that matters to me, and I especially want stronger authentication frameworks in my software supply chain. I want 2FA on my bank accounts, I want 2FA on my email... really, I want something that goes beyond a single, salted/hashed password everywhere.

                        I'm not saying you shouldn't want to self-host your code on your own stack, and only use the most libre of free software. However, I think worrying about TOTP/2FA is like worrying about the "forced" transition to HTTPS everywhere. It's actually a good thing, and it isn't a "give us all your information" play. 2FA is a smart thing to do.

                        That said, I'm not keen on biometrics as a second factor.

                        I use Cloudron on a Dell 7040 I bought on eBay.

                        jdaviescoatesJ 1 Reply Last reply
                        4
                          humptydumpty
                          wrote on last edited by
                          #12

                          I'm at a loss here. Can someone please explain where the "bad" part is about this new requirement?

                            fbartels
                            App Dev
                            wrote on last edited by
                            #13

                            @humptydumpty said in Microsoft :: Github mandating 2FA - What will you do?:

                            where the "bad" part is about this new requirement?

                            It's only bad in the eyes of uneducated conspiracy nuts.

                              humptydumpty
                              wrote on last edited by
                              #14

                              @fbartels said in Microsoft :: Github mandating 2FA - What will you do?:

                              uneducated conspiracy nuts

                              Hey, that's me 99.997% of the time, and even I don't see the bad in having 2FA. I mean Microsoft owning Github is the real red flag.

                                fbartels
                                App Dev
                                wrote on last edited by
                                #15

                                @humptydumpty well as long as you don't think it's the deep state that only wants control of the chip in your brain, then there is still hope for you 😅

                                  LoudLemur
                                  wrote on last edited by
                                  #16

                                  @humptydumpty said in Microsoft :: Github mandating 2FA - What will you do?:

                                  I'm at a loss here. Can someone please explain where the "bad" part is about this new requirement?

                                  I think part of it comes from a mentality that whenever one of the big players like M$FT do something, there is a hidden agendum behind it, usually something which undermines Free Software and societies that would like to use Free Software for their infrastructure.

                                  If you have watched them long enough, you end up looking at them with an outlook that they are an adversary.

                                  In this case, and I am not familiar with it, my immediate thought was that they are going to use a security excuse to ram through digital identity requirements, for example, by requiring a phone number, which in turn has other requirements.

                                  As it transpires, it seems they do not require a phone... at the moment... They usually move inch by inch, towards a state like we have in China today.

                                    jdaviescoates
                                    wrote on last edited by
                                    #17

                                    @LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:

                                    Can you use an authenticator of your choice, or do they require a blob?

                                    Any.

                                    Personally I use FreeOTP+ (only the + version has import/export)

                                    Vaultwarden's OTP handling is lovely. Would that suffice?

                                    Yes.

                                    I use Cloudron with Gandi & Hetzner

                                      jdaviescoates
                                      wrote on last edited by
                                      #18

                                      @jadudm said in Microsoft :: Github mandating 2FA - What will you do?:

                                      2FA with authenticator apps are, by-and-large, all using TOTPs (https://en.wikipedia.org/wiki/Time-based_one-time_password), and therefore are effectively standardized. Whether you use Google's Authenticator, Authy, FreeOTP, Keepass, Vaultwarden, or something else, it doesn't matter.

                                      Exactly. Often sites say "use Google's Authenticator" but in my experience that has never actually meant that you can only use that - any will do. I use FreeOTP+ (only the + version has import/export).

                                      I use Cloudron with Gandi & Hetzner

                                        brerlapn
                                        wrote on last edited by
                                        #19

                                        @LoudLemur You don't have to associate your phone number. I use a Yubikey with my Github account, and for TOTP it's just an AuthN app.

                                        You should look up "decentralized identity", "self-sovereign identity", and "verifiable claims" - both are tied in with digital ID and their proponents are explicitly working on them to improve privacy and reduce dependency to have an online identity requiring staying in the good graces of companies like Google or Facebook. Most of the interactions you mention are already ones that require a physical credential, including 'health' certification - I have my vaccine records since birth in a booklet which we would present when applying for visas to certain countries - so I'm not sure why a digital version would inherently be more problematic. A digital identity means that you can allow sharing only the information necessary for a transaction and nothing more (i.e., your digital ID shows your picture and a box that says "legal drinking age" to the bouncer or bartender - not your address, birthday, name, etc.)

                                          micmc
                                          wrote on last edited by
                                          #20

                                          @LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:

                                          The 2FA that uses OTP like some of the applications on Cloudron is rather pleasant though. No need for a 'phone'.

                                          I recommend this one: Aegis, free and open source and available from F-Droid.

                                          Ignorance is not an excuse anymore!
                                          https://AutomateKit.com
