Not the OP, but I am opposed to the forced use of 2FA by GitHub for three reasons:

1) They are my repos. I should get to decide the appropriate level of security.

2) 2FA is often used as a pretext for identity harvesting, which is then abused for other purposes.

3) If there is account recovery via email then the whole thing is a charade anyway.

> 2) 2FA is often used as a pretext for identity harvesting, which is then abused for other purposes.

Okay, but there are many options, like TOTP code generators, that do not even require the internet to work.

> 3) If there is account recovery via email then the whole thing is a charade anyway.

You can disable all account recovery options in Settings.

Agreed with 2 in general, and it frustrates me endlessly, but GitHub offers & encourages TOTP & U2F authentication, which are privacy-preserving.

> They are my repos.

GitHub is not forcing you to use 2FA to store your repos elsewhere. Just to interact with their website.

> I should get to decide the appropriate level of security.

People are really bad at deciding the appropriate level of security.

GitHub hosts a lot of very important projects that have impact in the real world. Forcing people to use the bare minimum to keep that environment relatively secure is probably not a bad idea.

That way when you set your password as "batman123" and are given commit access to some obscure project that is included as a dependency in 1000 other projects, your account is much less likely to be taken over as a means of pushing a malicious commit.

> 1) They are my repos. I should get to decide the appropriate level of security.

Can you really say they're yours if you host them on GitHub and it can restrict your access to them for basically any reason?
