by substack 1482 days ago
What happens when a developer can't publish a security update because they don't have 2FA enabled for a popular package? I was almost in this position. I don't have a phone, I don't have 2FA enabled and am not looking to do so. It seems like a 2FA mandate is going to ensure that people lose access to their accounts and won't be able to publish updates at all.
4 comments

You don't need a phone to have multi-factor. You presumably have a PC if you're contributing to a package, so you can use a computer-based OTP generator, like Authy.

Sure, if your computer gets owned, it won't help, but it's still much better than nothing and practically free.

What happens if tomorrow my laptop falls into the pool? Or gets stolen? I know the password of my password manager and my main emails, but for npm with 2FA I would either be:

- Locked out of npm because I don't have the 2FA key anymore

- Recovering my 2FA via my email (which totally defeats the point of 2FA)

- Asked for some government ID to prove who I am (again a no-no)

Don't you routinely back up your laptop?

In case you don't, you can write down the seeds of the OTPs on a piece of paper, which you leave at home or at a friend's house or similar. The principle being that you won't lose both your laptop and the piece of paper at the same time.

edit: for a "good enough" approach you can probably store your 2FA codes in your password manager, for which you have, presumably, some kind of backup.
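To show why a written-down seed is a complete backup, here is an added example (not from this thread or from npm): TOTP (RFC 6238) derives every code from the seed and the current time, so a new device seeded from the paper copy produces exactly the same codes as the lost laptop, and the verifying side cannot tell them apart. The seed used is the RFC 6238 reference test seed, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: the RFC 6238 reference seed ("12345678901234567890") in base32,
# written the way a person would copy it onto paper, in spaced groups.
PAPER_BACKUP = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Turn a hand-copied base32 seed back into key bytes (tolerates spaces, case, missing padding)."""
    s = seed_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits` digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current `step`-second window."""
    now = int(time.time()) if at is None else at
    return hotp(decode_seed(seed_b32), now // step, digits)


def verify(seed_b32: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """What the registry side does: accept the code for the current window or its neighbours."""
    now = int(time.time()) if at is None else at
    candidates = (totp(seed_b32, now + k * 30) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


if __name__ == "__main__":
    # The old laptop's authenticator and a new device seeded from the paper copy agree exactly.
    laptop_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    t = 1111111109  # fixed instant from the RFC 6238 test vectors
    print(totp(laptop_seed, at=t), totp(PAPER_BACKUP, at=t))          # both print 081804
    print(verify(PAPER_BACKUP, totp(laptop_seed, at=t), at=t + 29))   # True
```

The password-manager variant mentioned above is the same thing: the manager stores this base32 seed and runs `totp` over it.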

If your package can't be maintained, someone who's willing to use 2FA will fork it and it will eventually be replaced as a dependency.
Have you guys paid Tim Dillon his Ransom yet?
> I don't have a phone

Get a yubikey[0], that way you don't need a phone.

0. https://www.yubico.com/products/

I don't want a yubikey either. Hardware products are notorious for being subverted by agencies, honest companies can be bought by agency shell companies, etc.

I find the recent push by big tech and others to discredit open software solutions like PGP suspicious. Banks push out new apps on a yearly basis, we are supposed to insert USB sticks to contribute to open source. Big tech rarely acts in your best interests.