
GitHub 2FA enrollment

I just received an email from GitHub that they are now officially beginning to require users who contribute code to have 2FA enabled.

Why isn't password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?

Would like to hear your thoughts about this.

18 comments
  • More secure. If my phone is stolen, they have full access to my mailbox but they will look long and hard at my passworded 2FA app.

    • I know it can happen, but it sounds very unlikely that someone who stole your phone has any interest in your GitHub or other accounts. Worth is mostly the device, no?

      • If I were to steal someone's phone in public I will assume they have at least a bank app and multiple apps with their card saved for easy buying. By the time they get access to another device or their banks I get enough time to do a lot of damage. I can also save some credentials for later access after the waters settle. I doubt my victim will go through each of their accounts and change passwords. Most users use a Gmail account which has multiple ways to get access back, and most users don't know how to check them and disable what they use and don't use. I can easily set up a sort of backdoor in their email and gather more important information.

        You never know what important information you might store in your GitHub account. You have a donation link in your description? Would be a pity if I would change that link to my personal bank account and just divert some funds back in your bank account to not raise suspicion.

        • Huh, okay yeah you made your point and I see it now. Thanks :)
