I don’t think so. Enforcing two-factor auth to be allowed to do certain things with an account just makes sense. It’s definitely not an attempt to squeeze profit out of users per se, but rather an attempt to limit liability and the risk of costly support problems caused by passwords being compromised.
I think it’s even more important with contributors of large projects and libraries used by a vast amount of software out there.
It’s not inconceivable that someone’s account gets hijacked, and someone uses their trusted account to add a small snippet of malicious code in a commit, enabling a supply-chain attack.
Sorry but what’s the problem? Just use a TOTP authenticator, they work completely offline and are even more secure than SMS 2FA. For Android I would recommend Aegis.
Is it requiring a cell for being the 2fa piece? I don’t use GitHub but I’d be surprised if they did. There’s been plenty of options for a while now. Email, authenticators, u2f keys. You should be able to enable 2fa that will use the same data you’re using to access GitHub.
Was going to suggest this. Github even has native support for them so you just plug it in and touch the gold pad for your second form. Even easier than a TOTP code.
Could Authy be of use for you perhaps? It seems like they have a desktop app, although I have no personal experience with it. Alternatively, GitHub supports the use of Security Keys which are physical devices that you can purchase for 2FA purposes, Yubico works great in my experience but there are other manufacturers, or even DIY solutions.
I’ve had 3 jobs in a row require Duo and all 3 were companies that invested heavily into being remote/hybrid and are based in farm communities. I don’t think 2FA is going to be a problem for you unless you make it a problem for you
Which part of this is infuriating you? The fact that a message is popping up or what it’s asking you to do? Or is it the fact that it’s all in comic sans? Honestly, 2FA is a really simple way to greatly improve security on your account. I’m no expert, so maybe it’s got major flaws that I don’t know about, but just set it up really quick and choose to remember your device. Now you’ll never need to worry about it and you won’t see this message
I’ve had numerous accounts of people getting my password through a breach or something and 2fa being the only thing that stopped them from getting into my account. On GitHub that’s my strongest logins, don’t know why anyone would be against securing their code
Unless you use a VPN/browser security addons (don't know which breaks it). The "register your device" has never stuck for me. But it's not a big deal even then, just another step as long as there are a few options to choose in case one method isn't possible at the time. The "are you a robot" ones though...I really need to get a bot to solve the ones that still pop up for me (definitely VPN).
I think what’s infuriating me is that it’s an inconvenience that’s being paternalisticly imposed on me. That’s what makes it feel like enshittification. I don’t really care that much about the security of my account, and having to find my phone and wait for an app to open is just a hassle that I’d prefer to avoid. The fact that they unilaterally decided what ought to be best for me is what annoys me I guess.
This really isn’t enshittification. Things are not being made worse just to drive someone else’s profit. There isn’t the big fido2 key lobby pushing this in the background. This is a security measure to improve security on a highly technical website that is the target of lots of attacks.
Its annoying and inconvenient, sure, but not making a service worse to drive profit.
lemmy.ml
Hot