by mdb31 1507 days ago
Well, given that Github today doesn't seem to support meaningful 2FA (only TOTP and SMS), wouldn't it be good to fix that issue before starting to talk about requirements like these?

Maybe it's just my account, but I can't currently enroll my hardware token with Github in any way whatsoever.

Sure, they offer some 1.5FA, but why would I bother with that?


They let you enroll a hardware token after you enable either a TOTP or SMS 2FA method. No idea why, seems to defeat the point of the additional security that a hardware token offers.
Authenticator apps and SMS help them derive your identity -- which is more secure for them and you. Hardware token via WebAuthn (etc) is only more secure for you.

When they say "for the sake of security" they mean for them too.

There's a reason they want you to verify using one of the first two methods first.

> Authenticator apps and SMS help them derive your identity

How do they do that?

TOTP (i.e. authenticator apps) is a simple algorithm where the value is derived from a secret key and current time. It certainly doesn't verify anything about you.

By making the initial TOTP secret different for everyone.

I have used FIDO U2F since 2015.

I got my Yubikey from Github for $5 https://github.blog/2015-10-01-github-supports-universal-2nd...

Yet, if you go into the "enable 2FA" settings on Github, you only get the option to enable insecure TOTP or SMS.

Apparently, once you do that, you might be able to add proper authentication. But no word on whether that then replaces the obsolete methods you were forced to configure earlier.

But, yes, right on track to enforce 2FA in 2023, I see...

Github requires [0] the first 2FA mechanism to be totp or sms. Thereafter, you can add a webauthn compatible hardware key.

[0] https://docs.github.com/en/authentication/securing-your-acco...

Why though? That makes absolutely no sense.

Just technically it makes no sense. WebAuthn is a great technology that addresses many privacy concerns, but once they had an excuse for collecting phone numbers they don't want to stop. Even though it's not the most secure method. Google, and many others, are the same way.

2FA is often used as an excuse to obtain more PII from people, and to verify your identity, as a whole. Most businesses want to match logins to individuals, not roles. And that's what 2FA provides them.

How do they get my phone number from TOTP?

Since when is TOTP obsolete?

> Since when is TOTP obsolete?

Since about the moment that teams all over the world discovered they could just paste the enrollment QR code (a.k.a. private key) into their wikis, and thereby continue unlimited sharing of their role accounts?

So, I guess 30 seconds after its introduction?

Oh, that's lovely UX... "After you configure 2FA, using a time-based one-time password (TOTP) mobile app, or via text message, you can add a security key"

So, after you enable a broken-by-design 1.5FA method, which you don't want, and which will further expose you to account takeovers, you can, possibly configure actual security.

No wonder these guys are raking in the big bucks...

I understand the SMS part, but what makes TOTP a not "meaningful" 2FA?

The TOTP "private key" can be easily cloned. Targeted malware, a database compromise at your app provider that you "securely" sync your settings to, or just a few minutes' access to your "authentication" device, will do the trick.
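Two points in this thread (the description of TOTP as "a secret key and current time", and the claim that the secret is trivially cloned) are easiest to see in working code. The block below is an added illustration, not code from the thread, GitHub, or any authenticator vendor: it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, checks against the RFC's published SHA-1 test vectors (the secret `12345678901234567890` is the RFC's test value, not a real enrollment key), and then shows why a copied enrollment string is a full credential: two generators seeded from the same base32 string produce identical codes, and a verifier cannot tell them apart. The `TotpVerifier` class and its one-time-use-per-step policy are my own assumption of a reasonable server-side check (RFC 6238 section 5.2 recommends it); it mitigates replay of an intercepted code, and the demo shows it does nothing against a clone.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed secret for the example, not anyone's real enrollment key.
# RFC 6238's SHA-1 test vectors use exactly these 20 ASCII bytes.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation of the MAC, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is floor(unix_time / step).
    Nothing here depends on who holds the secret, only on the key and the clock."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// enrollment URI / QR code.
    The QR code is the key itself: every copy of this string is a full credential."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that QR codes usually drop
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Assumed server-side check: a +/-window clock-skew allowance and
    one-time use of each accepted time step (RFC 6238, section 5.2)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now + self.window, now - self.window - 1, -1):
            if counter <= self.last_counter:
                continue  # already used (or older than a used step): refuse replay
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def clone_demo(unix_time: int = 1234567890) -> dict:
    """Two independent generators seeded from the same enrollment string behave
    identically; the server cannot tell which one produced a code. Replay of an
    already-accepted code is rejected, but that does not help against a clone."""
    enrollment = base64.b32encode(RFC_TEST_SECRET).decode()  # what the QR code carries
    original = secret_from_base32(enrollment)
    clone = secret_from_base32(enrollment)  # the same string, copied somewhere else
    server = TotpVerifier(RFC_TEST_SECRET)
    code_from_clone = totp(clone, unix_time)
    return {
        "codes_identical": totp(original, unix_time) == code_from_clone,
        "clone_accepted": server.verify(code_from_clone, unix_time),
        "replay_accepted": server.verify(code_from_clone, unix_time + 5),
        # the legitimate device now gets refused for that step: one-time use cuts both ways
        "original_after_clone": server.verify(totp(original, unix_time), unix_time + 5),
    }


if __name__ == "__main__":
    print("current code:", totp(RFC_TEST_SECRET, int(time.time())))
    print(clone_demo())
```

The contrast with a FIDO/WebAuthn authenticator is that the private key there never leaves the device and the relying party holds only a public key, so there is no enrollment string whose copy is equivalent to the credential; with TOTP, every holder of the base32 secret is indistinguishable from the enrolled user.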
> or just a few minutes access to your “authentication” device

Oh, come on. Your “hardware” “authentication” “key” can be stolen in mere seconds by someone with physical access. Clearly, we should dispense with that fake bullshit 2FA and require face-to-face verification. Drive to the GitHub office and let them run a DNA test to confirm your identity, or GTFO, amirite?

There is no sync to provider servers on any TOTP implementation I use. Nor does a TOTP implementation need to be an application on a phone. Are you perhaps referring to the Google Authenticator or the Microsoft Authenticator apps when you refer to TOTP?

Manufacturers that sell the "meaningful" 2FA hardware tokens can manufacture and sell duplicate keys, they even provide this as a service when you want backup keys. What makes you think they don't "securely" make a few duplicates themselves?

> There is no sync to provider servers on any TOTP implementation I use

That's hard to dispute, but will you accept https://guide.duo.com/duo-restore as a counterexample?

> Are you perhaps referring to the Google Authenticator or the Microsoft Authenticator apps when you refer to TOTP

No, I'm referring to the actual RFC 6283 TOTP protocol. Which uses a trivially-cloned single private key. Which is, see the example above, in fact trivially cloned 'for convenience' by at least one widely-used 'enterprise' security solution.

> What makes you think they don't "securely" make a few duplicates themselves?

Since that literally makes no sense if you know how hardware tokens work.

This is odd - they sure do support WebAuthn, I've been using a YubiKey for years.