I wonder how much of the negative connotation in ~every GitHub thread comes from the MS buyout vs the actual topic under discussion. Do people really dislike 2FA on something as important as source hosting?
But it's not important for a lot of people. Lots of people just create the occasional issue or some such. Almost no one is a maintainer of something important.
And overall it's just a hassle that adds zero security for me; I just have the tokens in the password manager next to the passwords (where else do I store it? I just have my laptop).
It's something that should be the user choice, based on how important the account is, personal factors, etc.
I would actually be far more frustrated by mandatory 2FA at login than if my GitHub account were compromised. I use it to star projects, and because you can't code search without being logged in; it's a bottom-tier account for me and 2FA means I'll probably just not bother. Why can't they gate sensitive features behind 2FA?
As an aside, I'm surprised I've never seen an async authentication system whereby PW gets you in, 2FA code is sent, and you can continue accessing the system in a limited way until you submit your 2FA code, instead of sitting on some intermediary page waiting a few minutes for the code to arrive.
2FA is a bigger problem to me than Microsoft. I'm not having electronics on me most of the time.
If i have to log in to Github from somewhere else, i call my landline and have SO read the 2FA code to me. But since this is cumbersome i try to get my stuff done without the Github login.
I do dislike it. I'd take back my only occasional contribution to a project not to be bothered by 2FA and I'm not submitting issues anymore to anything. Basically I'm using github in read only mode without logging in. When another customer of mine will use github I'll be back on it and I'll use 2FA, but at least they'll be paying me for the trouble. All my current customers are on bitbucket.
> Do people really dislike 2FA on something as important as source hosting?
"important" is a per-person individual decision.
A phrase that used to be very common is "mechanism, not policy".
The role of a vendor is supposed to be to enable mechanisms so that customers can implement whichever policy that best fits their needs.
The role of a customer is to choose and implement the policy that best works for them personally, using the mechanisms that the vendor provides.
It is fundamentally wrong for a vendor to impose policy, that's not their job. Nor do they have the information to correctly make that decision.
Some (few) people have important source code in their github account. I'd highly encourage those people to enable 2FA. Most people don't have anything important that anyone else uses, so adding the overhead of 2FA for them is beyond silly and purely obnoxious.
> The role of a vendor is supposed to be to enable mechanisms so that customers can implement whichever policy that best fits their needs.
this is where GitHub isn't a vendor; it's almost a social network as one account getting compromised could potentially cascade through projects. If you want to manage the risk profile that best fits you; you'd localize on GitHub Enterprise or other selfhosting.
Very well put. I work in info sec and I find Githubs 2FA requirement completely obnoxious.
Because you can't use passwords anymore, you have to set up tokens, which are often stored in the clear. It's actually less secure for me than a reasonable password and a lot more hassle to maintain.
Should be a choice I make. I use GitHub a lot less now than I did before, it's a pain to use now. Maybe I'll move to something else that respects my choice and threat model.
But it's not important for a lot of people. Lots of people just create the occasional issue or some such. Almost no one is a maintainer of something important.
And overall it's just a hassle that adds zero security for me; I just have the tokens in the password manager next to the passwords (where else do I store it? I just have my laptop).
It's something that should be the user choice, based on how important the account is, personal factors, etc.