by jjav 645 days ago
> Do people really dislike 2FA on something as important as source hosting?

"important" is a per-person individual decision.

A phrase that used to be very common is "mechanism, not policy".

The role of a vendor is supposed to be to enable mechanisms so that customers can implement whichever policy that best fits their needs.

The role of a customer is to choose and implement the policy that best works for them personally, using the mechanisms that the vendor provides.

It is fundamentally wrong for a vendor to impose policy; that's not their job. Nor do they have the information to correctly make that decision.

Some (few) people have important source code in their github account. I'd highly encourage those people to enable 2FA. Most people don't have anything important that anyone else uses, so adding the overhead of 2FA for them is beyond silly and purely obnoxious.

2 comments

> The role of a vendor is supposed to be to enable mechanisms so that customers can implement whichever policy that best fits their needs.

This is where GitHub isn't a vendor; it's almost a social network, as one account getting compromised could potentially cascade through projects. If you want to manage the risk profile that best fits you, you'd localize on GitHub Enterprise or other self-hosting.

Very well put. I work in info sec and I find GitHub's 2FA requirement completely obnoxious.

Because you can't use passwords anymore, you have to set up tokens, which are often stored in the clear. It's actually less secure for me than a reasonable password and a lot more hassle to maintain.

Should be a choice I make. I use GitHub a lot less now than I did before; it's a pain to use now. Maybe I'll move to something else that respects my choice and threat model.