GitHub to require 2FA
Sigh. Does anyone have a suggestion for an open source 2FA (TOTP) tool that works on iPhone and doesn't leak information to Google or Microsoft or the other usual suspects?
GitHub to require two factor authentication for code contributors by late 2023
GitHub has announced that it will require two factor authentication for users who contribute code on its service. "The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."
Readers will doubtless recall that attacks on development supply chains have recently proven extremely nasty. Exhibit A: the Russian operatives that slipped malware into SolarWinds' Orion monitoring tool and used it to gain access to over 18,000 companies. GitHub has also had its own problems, such as when access to npm was compromised.
Hence its decision to require 2FA "by the end of 2023" for users who commit code, open or merge pull requests, use Actions, or publish packages.
GitHub already offers 2FA, requires contributors of popular packages (including npm) to employ it, and states that 16.5 per cent of active users already employ the technique.
Why the rest have until sometime in 2023 to adopt 2FA isn't explained in Hanley's post, beyond his assertion that "GitHub is committed to making sure that strong account security doesn't come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this."
The post also states that GitHub will "actively explore new ways of securely authenticating users" and add more ways to recover accounts.
"Improvements that help prevent and recover from account compromise" are also on the agenda.
Hanley's post states that details of GitHub's 2FA implementation will emerge in "coming months".
Retrieved 2022-05-05: https://www.theregister.com/2022/05/05/github_2fa_mandatory_2023/
Friendica Developers reshared this.
Paul Wilde
in reply to Bitwarden:
I'm happy to listen to arguments on the contrary, but for me right now that option isn't a good idea.
Bitwarden
in reply to Paul Wilde:
In this case, anyone in a Bitwarden organization with access to the shared collection/item can just hit the paste shortcut after auto-filling as the code gets copied to the clipboard (unless disabled in settings).
Paul Wilde
in reply to Bitwarden:
Having TOTP in your password manager removes the idea of "2FA", ultimately in my opinion, making it 1FA.
Bitwarden
in reply to Paul Wilde:
Vault Items | Bitwarden Help & Support (bitwarden.com)
Paul Wilde
in reply to Latte macchiato:
Maybe separate master passwords and TOTP passwords are the answer here? So at least both are protected independently, but even then I don't like it.
Besides, Bitwarden should be secured itself via 2FA anyway, and it would be pretty silly to store that TOTP code in Bitwarden, so a user would need another app anyway 😁
Matthew Exon
in reply to Latte macchiato:
In this case I just want to log into a GitHub account so I can give away code for free. What am I defending here? What I want is 1FA and all of this bullshit to just go away. Microsoft now says that's not good enough, I need to jump through their 2FA hoop. I'm looking for a way to cut the bottom off that hoop.
Latte macchiato
in reply to Paul Wilde:
If it gets people to finally use MFA at all, I'm happy.
My vault is locked behind Yubikey-only authentication, so I see no issue with storing TOTP for sites that don't support hardware keys in the vault. 'Course there's the factor of potential malware though, so a separate TOTP password would be a neat feature.
Latte macchiato
in reply to Matthew Exon:
You really should look into the Yubikeys you can plug into a USB port and just keep in there. Enter your password, gently touch the key and you're in. It's the logical evolution of MFA.
Paul Wilde
in reply to Bitwarden:
At least then we've done everything we can do to separate out the security. If a user decides to use the same password on both, then that's not our problem anymore.
Hypolite Petovan
in reply to Matthew Exon:
https://apps.apple.com/us/app/keepassium-keepass-passwords/id1435127111
https://apps.apple.com/us/app/authenticator/id766157276
glenn
in reply to Matthew Exon:
If you are looking for a simple, open-source TOTP app, there is always FreeOTP: https://freeotp.github.io/
It has iOS and Android versions.