I just received an email from Github that they are now ofically begin to require users who contribute code need to have 2FA enabled.

Why isn’t password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?

Would like to hear your thoughts about this.

  • macniel@feddit.deOP
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    I know it can happen, but it sounds very unlikely. That someone who stole your phone has any interest in your github or other accounts. Worth is mostly the device, no?

    • RovingFox@infosec.pub
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      1 year ago

      If I were to steal someones phone in public I will assume they have at least a bank app and multiple apps with their card saved for easy buying. By the time they get access to another device or their banks I get enough time to do a lot of damage. I can also save some credentials for later access after the waters settle. I doubt my victim will go through each of their accounts and change passwords. Most users use a Gmail account which has multiple ways to get access back, and most users don’t know how to check them and disable what they use and not use. I can easy setup a sort of backdoor in their email and gather more important information.

      You never know what important information you might store in your Github account. You have a donation link in your description? Would be a pity if I would change that link to my personal bank account and just divert some fund back in your bank account to not raise suspicion.