Microsoft :: Github mandating 2FA - What will you do?
-
@robi , thanks.
What they want is a dystopic, technological surveillance-state, where nobody can say or do anything without digital permit.
Which would be the best Free alternative to Github at the moment?
Currently, Cloudron requires a Github listing for an application to be packaged.Codeberg? Gitlab?
-
Are you referencing this?
https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/
Why would 2FA requirements drive developers away from using a code hosting platform?
-
@LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:
Currently, Cloudron requires a Github listing for an application to be packaged.
This is not true. We already have a few apps like baserow, jirafeu etc from GitLab. Not to mention minecraft, emby, ctfreak etc which are not listed anywhere.
-
@LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:
@robi , thanks.
What they want is a dystopic, technological surveillance-state, where nobody can say or do anything without digital permit.
Errrr, sure
Or they try to do everything in their (limited) power to avoid threat actors breaching GitHub accounts and inserting malicious code into repositories by disguising themselves as the Dependabot tool (there have been several campaigns like this) - which by the way is also a question of liability for Microsoft. I work in an IT-company and you won’t believe how many customers disregard basic safety features like MFA.
And with GDPR, you have certain responsibilities as a service provider to push your customer to implement such features (or to decline service if they don‘t), with more specific legislation on the way.
And also BTW: Microsoft Authenticator is great - unlike „normal“ or „passive“ OTP (where it just generates numbers as a 2nd factor), you receive a push every time someone tries to access the secured account. This improves security a lot. -
Good to hear, @necrevistonnezr
Does their 2FA require a phone number? I suspect it will. Internet users are being herded towards on online digital ID, where "The Powers That Shouldn't Be" know precisely who exists where and at what time online. This online digital ID will seamless integrate with offline digital passports, which will be required for mandatory government interactions, travel, 'health' certification and participation in the economy.Most people seem to be quite OK with this and find nothing sinister about it. They design it to be convenient to get the masses involved. Once in the net, it is difficult to escape. Take a look at China's Social Credit Score system, the mandatory government spyware on devices. They want that in every country.
The 2FA that uses OTP like some of the applications on Cloudron is rather pleasant though. No need for a 'phone'.
If M$FT do not require one, I will be surprised.
-
@LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:
Does their 2FA require a phone number? I suspect it will.
No, just setting up a 2FA code using an authenticator app.
-
@jdaviescoates said in Microsoft :: Github mandating 2FA - What will you do?:
2FA code using an authenticator app.
Can you use an authenticator of your choice, or do they require a blob?
Vaultwarden's OTP handling is lovely. Would that suffice? -
2FA with authenticator apps are, by-and-large, all using TOTPs (https://en.wikipedia.org/wiki/Time-based_one-time_password), and therefore are effectively standardized. Whether you use Google's Authenticator, Authy, FreeOTP, Keepass, Vaultwarden, or something else, it doesn't matter. Or, if you find a provider where it does matter, you might want to be concerned.
https://alternativeto.net/software/google-authenticator/?license=opensource
You can also, in many 2FA contexts, use a hardware key.
which have some added benefits (and drawbacks, mostly "it's a thing you can lose). Or
https://www.crowdsupply.com/sutajio-kosagi/precursor
if you really want a serious bit of kit from an open-and-secure perspective.
In short, and with kindness: I think you're searching for a boogeyman where there isn't one. I want 2FA on every account that matters to me, and I especially want stronger authentication frameworks in my software supply chain. I want 2FA on my bank accounts, I want 2FA on my email... really, I want something that goes beyond a single, salted/hashed password everywhere.
I'm not saying you shouldn't want to self-host your code on your own stack, and only use the most libre of free software. However, I think worrying about TOTP/2FA is like worrying about the "forced" transition to HTTPS everywhere. It's actually a good thing, and it isn't a "give us all your information" play. 2FA is a smart thing to do.
That said, I'm not keen on biometrics as a second factor.
-
I'm at a loss here. Can someone please explain where the "bad" part is about this new requirement?
-
@humptydumpty said in Microsoft :: Github mandating 2FA - What will you do?:
where the "bad" part is about this new requirement?
Its only bad in the eyes of uneducated conspiracy nuts.
-
@fbartels said in Microsoft :: Github mandating 2FA - What will you do?:
uneducated conspiracy nuts
Hey, that's me 99.997% of the time, and even I don't see the bad in having 2FA. I mean Microsoft owning Github is the real red flag.
-
@humptydumpty well as long as you don't think its the deep state that only wants control of the chip in your brain, then there is still hope for you
-
@humptydumpty said in Microsoft :: Github mandating 2FA - What will you do?:
I'm at a loss here. Can someone please explain where the "bad" part is about this new requirement?
I think part of it comes from a mentality that whenever one of the big players like M$FT do something, there is a hidden agendum behind it, usually something which undermines Free Software and societies that would like to use Free Software for their infrastructure.
If you have watched them long enough, you end up looking at them with an outlook that they are an adversary.
In this case, and I am not familiar with it, my immediate thought was that they are going to use a security excuse to ram through digital identity requirements, for example, by requiring a phone number, which in turn has other requirements.
As it transpires, it seems they do not require a phone... at the moment.. They usually move inch by inch, towards a state like we have in China today.
-
@LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:
Can you use an authenticator of your choice, or do they require a blob?
Any.
Personally I use FreeOPT+ (only the + version has import/ export)
Vaultwarden's OTP handling is lovely. Would that suffice?
Yes.
-
@jadudm said in Microsoft :: Github mandating 2FA - What will you do?:
2FA with authenticator apps are, by-and-large, all using TOTPs (https://en.wikipedia.org/wiki/Time-based_one-time_password), and therefore are effectively standardized. Whether you use Google's Authenticator, Authy, FreeOTP, Keepass, Vaultwarden, or something else, it doesn't matter.
Exactly. Often sites say "use Google's Authenticator" but in my experience that has never actually meant that you can only use that - any will do. I use FreeOTP+ (only the + version has import/ export).
-
@LoudLemur You don't have to associate your phone number. I use a Yubikey with my Github account, and for TOTP it's just an AuthN app.
You should look up "decentralized identity", "self-sovereign identity", and "verifiable claims" - both are tied in with digital ID and their proponents are explicitly working on them to improve privacy and reduce dependency to have an online identity requiring staying in the good graces of companies like Google or Facebook. Most of the interactions you mention are already ones that require a physical credential, including 'health' certification - I have my vaccine records since birth in a booklet which we would present when applying for visas to certain countries - so I'm not sure why a digital version would inherently be more problematic. A digital identity means that you can allow sharing only the information necessary for a transaction and nothing more (i.e, your digital ID shows your picture and a box that says "legal drinking age" to the bouncer or bartender - not your address, birthday, name, etc.)
-
@LoudLemur said in Microsoft :: Github mandating 2FA - What will you do?:
The 2FA that uses OTP like some of the applications on Cloudron is rather pleasant though. No need for a 'phone'.
I recommend this one Aegis Free and Open Source and available from F-Droid.