back to article Shifting to two-factor auth is hard to do. GitHub recommends the long game

Getting people to use multi-factor authentication is surprisingly tough – or unsurprisingly, depending on your opinion of IT users. In any case, GitHub is managing it by playing the long game. The code-sharing shack declared in March that two-factor-auth was pretty much not going to be an avoidable option by the end of the …

  1. Claptrap314 Silver badge

    Meanwhile...

    on the rare occasion when Gmail requires me to do my 2FA thing, the "remember me on this device" box is checked by default...

  2. Claverhouse
    Devil

    Ah Github...

    Those who wanted me to use 2FA with a no longer functional email and refused to let me log-in and change it because the old email was no longer functional.

    1. Bitsminer Silver badge

      Re: Ah Github...

      Ahhh users.

      You didn't print out a copy of the set of one time passwords did you?

      Or even photograph it with your phone?

      Huh.

  3. Anonymous Coward
    Anonymous Coward

    2FA connecting anything to something as insecure as mobile phones is a joke. I wish browsers would just use my SSH public key and be done with it when logging onto sites.

    I also think central certificate authorities are a stone-age concept and am embarrassed that we haven't done better.

    Everything is wrong with the web at this point.

    1. DS999 Silver badge
      Facepalm

      You complain about the insecurity of mobile phones and then want to use a solution involving browsers which are far far less secure than phones?

      For all the security issues regularly fixed in phones the number of actual exploits against them is pretty low - they are almost always targeted attacks or it is some Android app no one has ever heard of that affected a few thousand people in China. There has never been some sort of mass exploit on a phone affecting millions of people even one time, but that's happened with PCs countless times. So unless you are the type of person who would be chosen for a targeted attack on a phone, using an app on your phone (NOT SMS!) as the second factor is quite reasonable. It requires someone be in possession of your phone and be able to unlock it, so even if the 2FA is to a website you're opening in the phone's browser it is secure enough that real world exploit is quite unlikely.

      If you want greater security than that use a separate 2FA device - which could be a second phone with no/minimal connectivity that is used only for 2FA and absolutely nothing else.

      1. Anonymous Coward
        Anonymous Coward

        You talk about phone based 2FA but don't say whether you distinguish between SMS and other phone based methods. As for SMS, you are only relying on the low wage worker at the ATT customer service not to sell you out, which is why it happens - although you are right those are mostly targeted.

        Besides that large numbers of people are phone hacked, have money taken out of their accounts, and haven't got a clue what happened. Their bank tells them it's their fault - a small number of likeable people who are also media savvy get their problem written up in the paper and the bank pays out.

        1. claimed

          I feel like I’m ok at security…. But I always see people talking about SMS like it’s a plaintext password. WHAT is so bad about it?

          People talk about spoofing, ok, but how does stealing an SMS help its 2 factor auth, if you steal the SMS you’ve still only got 1 factor?

          You mention AT&T… how would AT&T know my GitHub username, what can you do with an intercepted SMS without the account that goes with it?

          Am I just being too optimistic - I use a different email for every service, sure they are probably guessable by a determined adversary, but I’m not exactly in the public eye.

          For the average Joe, why isn’t SMS good enough? You still need the password, I can’t reset an account password and username with an SMS alone, surely???

  4. cornetman Silver badge

    I suppose the main issue that I have with the way 2FA is generally implemented is that they all require access to largely the same thing. Either my phone (for a text message) or an email account. If I lose access to one of them, I'm pretty stuffed for all accounts that require that they are available. I consider that a single point (or 2 points) of failure. If my email account gets targeted and I lose access, I potentially lose access to everything else.

    That's not a very comforting situation. Whenever another website starts requiring me to enable 2FA, I feel more vulnerable, not less.

    1. Sora2566 Silver badge

      Attackers do not need access to your phone to intercept your text messages. They just need a convincing story and a phone repair shop that isn't paying attention.

      1. david 12 Silver badge

        We *like* keyfob authentication. Since it is actually a fully-independent second factor, It worked even in China, and it's not compramized by anything that happens on or to your phone.

        Unfortunately, it requires server-side stuff that costs money, so it's fallen out of favor. But if it was offered, I could move all of my users on to that kind of 2FA today.

  5. Anonymous Coward
    Anonymous Coward

    will they still have 100 million users?

    If and when github force me to use 2FA to log in to their site, I'll simply stop visiting their site. Just as I stop visiting any site with a paywall. I wonder what proportion of their users think like me?

    1. retroneo

      Re: will they still have 100 million users?

      It's just too much

  6. Johnb89

    If it worked that would be a good idea

    Back when I used Authy as my 2FA. Later, I changed my preferred 2FA to the github mobile app and removed github from Authy. My settings say that the gibhub app is my preferred 2FA method.

    And yet every time I log in it tells me to check my authenticator app and I have to argue with it to use the github app.

    So if things actually worked as stated people might be happy to use them. No, I haven't opened a ticket for this.

    /rant complete

    1. Johnb89

      Re: If it worked that would be a good idea

      Update, tried to open a ticket. Chatbot/Virtual assistant hell. The classic software concept that 'well there cannot in any way ever be anything wrong with our system, so you, user, are obviously wrong. Please click below to tell us what you are doing wrong.' No way to raise a ticket.

      Bless.

  7. thames Silver badge

    oathtool

    The deadline is end of 2023 now? Last year the absolute final deadline was end of 2022.

    I made some notes on this last year, and based on that their preferred 2FA method is TOTP.

    There is a command line program called "oathtool" which will run on my PC. I can integrate that into my git bash scripts and also add a simple GUI front end via zenity to use for web log-ins.

    For example:

    oathtool --totp 01234567

    Oathtool is in the Ubuntu repositories, and the same probably goes for most mainstream distros. So far as I am aware, the phone app just generates a TOTP key just like oathtool, so there's no need for me to use a phone or other separate hardware.

  8. JimmyPage
    Stop

    Letting perfection be the enemy of progress ?

    2FA isn't perfect by any means. Especially when you have to 2FA into a myriad of accounts every day, like I do.

    However it's better than no 2FA. In much the same way a locked car is better protected than an unlocked on. If bad guys have singled you out, then no security in the world will stop them either just towing your car away, or making you open it with a gun at you - or your lived ones - head.

    Yes, losing your phone can be a PITA. But with Google now clouding up it's authenticator, recovery is as easy as signing in on another device.

    Anyway, folk who have a problem with 2FA - please carry on giving it a swerve and shielding me one step from the bad guys

    1. vtcodger Silver badge

      Re: Letting perfection be the enemy of progress ?

      However it's better than no 2FA.

      Maybe .. in a few cases. But mostly, 2FA seems to be a dubiously necessary PITA if it works at all -- which way too much of the time is simply does not.

  9. This post has been deleted by its author

    1. Sora2566 Silver badge

      Re: Opt-Out

      That's a little callous if a hundred people have dependencies on your code - then it starts looking like a juicy target for a supply-chain attack.

      1. darkrookie28

        Re: Opt-Out

        Kinda on you for using a hobbyist project as a dependency.

        1. Sora2566 Silver badge

          Re: Opt-Out

          Let me tell you a story about an NPM package called 'left-pad'... https://www.theregister.com/2016/03/23/npm_left_pad_chaos/

  10. hayzoos

    weak 2FA

    Is weak 2FA even worth the cons? Lost access to email or phone is a problem. I work in areas without cell services and cannot login when 2FA is only SMS. Implementations are shit. 30 second lifetime of the 2FA code, usually expired by the time it is received. SMS nor email is supposed to be instantaneous nor even quick. Recovery methods that completely circumvent any protection the 2FA provides.

    email is not as insecure as it used to be as generally since connections between clients and servers and server to server tend to be encrypted and additional hops on relays to get from domain to domain are nearly non-existent. SMS on the other hand is relatively immature and has not implemented much in the way of security.

    I have researched the server side of TOTP and there is not that much more work to implement support for an authenticator app if email or SMS delivery of the TOTP has been implemented. Good enough is not good enough and far better does not require far more effort. Even then, poor implementation could still negate the whole.

    I prefer U2F but {whiny voice}"that is just too hard"

    1. Anonymous Coward
      Anonymous Coward

      Re: weak 2FA

      I used to absolutely love having to run down a flight of stairs, stand out in the middle of the pavement in the rain until my phone picked up the 2FA (calling my voicemail often helped), then re-enter the building, run back upstairs, unlock my machine and then type it in (correctly) only to find it had timed out.

  11. JimmyPage

    For such a cornerstone of the industry

    The lack of any standards around passwords and MFA implementations does rather give the impression big business doesn't give a shit.

    At the moment no 2 sites agree on what a decent password is, some like symbols, some 8 characters, some 10, etc etc.

  12. darkrookie28

    No thanks

    My hobby doesn't need this level of security. More of a pain to deal with than any thing.

    Also, looking for a new hobby.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like