Is it just me or does this also feel like enshittification? They just keep getting in my way

0x2d , 8 months ago

comic sans

SubArcticTundra OP , 8 months ago

Coding instantly feels more fun

0x2d , 8 months ago

comic code

Kolanaki , 10 months ago

2FA is enshittification now?

I mean… I guess in a way it is a symptom of it, if you consider the growing concern of hacking part of enshittification and this, a method of stopping or at least slowing an attack down, being a product of that.

It’s more of an anti-enshittification device that just comes with a slight bit of shittiness in the form of another step to logging in.

SubArcticTundra OP , 10 months ago

Yeah, it just winds me up when sites impose these bits of shittiness on you without allowing you to opt out. Because I was happy to sacrifice a bit of my account’s security for convenience

ignotum , 10 months ago

Keepass (open source password manager) can auto-fill not just username and password, but also generate and fill in one-time codes

Reduces the security the 2FA provides, but after i started using that it was pretty much zero extra effort to log in

planish , 10 months ago

It isn’t enshitification in the sense of trying to make the platform make money, but it is throwing up new roadblocks in the way of using the platform. It makes it harder to just show up, register, and post code. It creates multiple tiers of users who have different privileges on the platform. And from here it would be easier to move to, with some of the same justifications, some sort of requirement to pay for code hosting.

hanna , 10 months ago

I was more annoyed at the ssh key requirement lol, I know it’s more secure etc etc but im not working on anything sensitive, it’s just annoying

SubArcticTundra OP , 10 months ago

Yeah exactly, this is what I mean. I still haven’t figured out how to set that up so I have to paste the key in from my password manager every time I want to push. I hate when they paternalisticly decide what ought to be best for me

jet , 10 months ago

Not sensitive for you. But GitHub has started to look at supply chain attacks. So I’m popular module which isn’t very sensitive is used biological projects that are. The account that maintains the module is exploited and that causes lots of havoc

lemann , 10 months ago

Please make a U-turn at the next junction and follow all signs to !unpopularopinion

SubArcticTundra OP , 10 months ago

I was actually considering posting it there at first. Would have fitted there better it seems

Spliffman1 , 10 months ago

This is not enshitification in any way, shape or form

cooopsspace , 10 months ago

/thread

solidgrue , 10 months ago

2FA on a major code supply chain is the antithesis of enshitification.

bilb , 10 months ago

I don’t think so. Enforcing two-factor auth to be allowed to do certain things with an account just makes sense. It’s definitely not an attempt to squeeze profit out of users per se, but rather an attempt to limit liability and the risk of costly support problems caused by passwords being compromised.

mp3 , 10 months ago

I think it’s even more important with contributors of large projects and libraries used by a vast amount of software out there.

It’s not inconceivable that someone’s account gets hijacked, and someone uses their trusted account to add a small snippet of malicious code in a commit, enabling a supply-chain attack.

despotic_machine , 10 months ago

deleted_by_author

ScaredDuck , 10 months ago

Sorry but what’s the problem? Just use a TOTP authenticator, they work completely offline and are even more secure than SMS 2FA. For Android I would recommend Aegis.

despotic_machine , 10 months ago

deleted_by_author

jet , 10 months ago

you can use totp on your computer, bitwarden does it just fine from the desktop

ScaredDuck , 10 months ago

For a completely offline solution KeepassXC also can do TOTP.

Underuse3862 , 10 months ago

Yubikey is another offline option. It also has a TOTP app that runs on Windows/Mac/Linux for anything that doesn't support security keys.

pgetsos , 10 months ago

There are many options for a PC application as well

Doug , 10 months ago

Is it requiring a cell for being the 2fa piece? I don’t use GitHub but I’d be surprised if they did. There’s been plenty of options for a while now. Email, authenticators, u2f keys. You should be able to enable 2fa that will use the same data you’re using to access GitHub.

despotic_machine , 10 months ago

deleted_by_author

jet , 10 months ago

you can get a google voice number and use it on your computer.

You can get a fido physical key, then you don’t need email or sms at all.

breadsmasher , 10 months ago

use an authenticator app?

despotic_machine , 10 months ago

deleted_by_author

breadsmasher , 10 months ago

What about something like a YubiKey?

0110010001100010 , 10 months ago

Was going to suggest this. Github even has native support for them so you just plug it in and touch the gold pad for your second form. Even easier than a TOTP code.

auxim , 10 months ago

Could Authy be of use for you perhaps? It seems like they have a desktop app, although I have no personal experience with it. Alternatively, GitHub supports the use of Security Keys which are physical devices that you can purchase for 2FA purposes, Yubico works great in my experience but there are other manufacturers, or even DIY solutions.

lemann , 10 months ago

If you use Linux by any chance, there’s a totp Authenticator app on Flathub.

There also might be an Authenticator app available for Windows too but I haven’t looked into any for it

roadkill , 10 months ago

deleted_by_author

cooopsspace , 10 months ago

Perfect candidate for a Ubikey, you get mail right? Buy two. One for the safe.

Trainguyrom , 10 months ago

I’ve had 3 jobs in a row require Duo and all 3 were companies that invested heavily into being remote/hybrid and are based in farm communities. I don’t think 2FA is going to be a problem for you unless you make it a problem for you

pikasaurX4 , 10 months ago

Which part of this is infuriating you? The fact that a message is popping up or what it’s asking you to do? Or is it the fact that it’s all in comic sans? Honestly, 2FA is a really simple way to greatly improve security on your account. I’m no expert, so maybe it’s got major flaws that I don’t know about, but just set it up really quick and choose to remember your device. Now you’ll never need to worry about it and you won’t see this message

scrubbles , 10 months ago

I’ve had numerous accounts of people getting my password through a breach or something and 2fa being the only thing that stopped them from getting into my account. On GitHub that’s my strongest logins, don’t know why anyone would be against securing their code

Rhaedas , 10 months ago

Unless you use a VPN/browser security addons (don't know which breaks it). The "register your device" has never stuck for me. But it's not a big deal even then, just another step as long as there are a few options to choose in case one method isn't possible at the time. The "are you a robot" ones though...I really need to get a bot to solve the ones that still pop up for me (definitely VPN).

SubArcticTundra OP , 10 months ago

Hmm that’s true, I suppose it only needs to happen every time you log in on a new device

SubArcticTundra OP , 10 months ago

I think what’s infuriating me is that it’s an inconvenience that’s being paternalisticly imposed on me. That’s what makes it feel like enshittification. I don’t really care that much about the security of my account, and having to find my phone and wait for an app to open is just a hassle that I’d prefer to avoid. The fact that they unilaterally decided what ought to be best for me is what annoys me I guess.

jet , 10 months ago

This really isn’t enshittification. Things are not being made worse just to drive someone else’s profit. There isn’t the big fido2 key lobby pushing this in the background. This is a security measure to improve security on a highly technical website that is the target of lots of attacks.

Its annoying and inconvenient, sure, but not making a service worse to drive profit.

Doug , 10 months ago

Lot of comments here with single down votes. I wonder how salty op is

jet , 10 months ago

Dead Sea levels…

Microsoft / Github do a ton of shitty things, straight up enshittification textbook stuff… spoiled for choice really… just not 2fa.