Github REQUIRES 2FA: What This Means For You? #Linux #YouTube https://youtu.be/WnO3uaatquc
Conversation
Notices
-
Brodie Robertson (brodieonlinux@linuxrocks.online)'s status on Wednesday, 30-Aug-2023 10:01:43 JST 
Brodie Robertson
-
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:01:40 JST 
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux totp doesn't require internet -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Wednesday, 30-Aug-2023 10:01:41 JST 
Kevin Karhan :verified:
@BrodieOnLinux it means that if #GitHub doesn't support any good #offline - capable #2FA like #iTAN, a lot of folks won't use it at all!
Espechally since they don't support EVERY NATION AND NETWORK nor can one expect to have a dedicaded and secure phone number for that!
-
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:13:26 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux you could also probably use backup / recovery codes in the event that a device is lost. you can also back up the TOTP secret in something like keepassXC and generate tokens right along side your password safe. TOTP will probably outlive an iTAN list and it's a lot easier for someone to store a single secret than a whole list of them. Supporting it would mean more room for vulnerabilities to pop up too as it would have to increase complexity unless they got rid of other MFA methods. -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Wednesday, 30-Aug-2023 10:13:27 JST
Kevin Karhan :verified:
@thatguyoverthere @BrodieOnLinux it does require one to have a device to run it on tho.
Also nothing prevents them from generating iTAN lists and just request a randomized unused entry from it.
It's not as if they'll require it for every push and every merge of code.
-
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:14:05 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux but if you are annoyed by the requirement then why care if your use aligns with the spirit of the thing? -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Wednesday, 30-Aug-2023 10:14:06 JST
Kevin Karhan :verified:
@BrodieOnLinux @thatguyoverthere yes but putting #2FA on the same machine is kinda killing the security advantage.
The idea of Two-Factor - Authentification is to prevent someone from creating chaos if they gain access to an account or it's credentials...
-
Brodie Robertson (brodieonlinux@linuxrocks.online)'s status on Wednesday, 30-Aug-2023 10:14:07 JST
Brodie Robertson
@kkarhan @thatguyoverthere You have a computer
Disinformation Purveyor :verified_think: likes this. -
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:23:36 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux to me TOTP seems like a perfectly reasonable solution to multi-factor auth. I agree that if you take it seriously you are generating tokens on a device that is not the one you are logging in with, but you can do that with a phone, a crappy laptop, or even some of the various usb devices. Some will even act as a keyboard.
The thing with iTAN is that you need to maintain a whole list of tokens, and I imagine a responsible implementation would only allow each token to be used once which means you have to keep track of which ones you've used. If anyone sees the list (or takes a photo) they can compromise you a lot easier than if someone sees a time based token that will only work within a small window and never again. Yes some math is involved, but in my opinion it is a better proof of authenticity than a token that was generated some ambiguous time ago. I don't want to have to go to the gun safe every time I have to do something on Github that requires a token. -
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:25:46 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux so do it right and keep things separate. But I still say that a token that is only valid for a small window is definitely going to be more secure than one that is valid for potentially years, and the single secret is easier to protect. -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Wednesday, 30-Aug-2023 10:25:48 JST
Kevin Karhan :verified:
@thatguyoverthere @BrodieOnLinux because I want #2FA to be actually secure...
And I've yet to see something beat "cold storage in a gun safe rathed to withdatand fires and explosions"...
https://mstdn.social/@kkarhan/110975929326068697 -
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:30:46 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux To me it seems if the issue was really with security, I would imagine you'd already have some form of DFA enabled on your account. I have had TOTP enabled on my account for a while already. Anyway, gitlab is always a thing. Also gitea, and a few others around. I was running gitea last year but I had some hardware problems and haven't had time to fix it. Overall it's a great product IMO.
Honestly if you ask me github ruins git which is kind of designed to be more decentralized. I would rather not use github if it can be avoided, especially now that they are just another microsoft product. -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Wednesday, 30-Aug-2023 10:30:47 JST
Kevin Karhan :verified:
@thatguyoverthere @BrodieOnLinux
Yeah, it's really a downgrade and sadly not practical for me at all...
https://mstdn.social/@kkarhan/110975953455694385 -
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:33:21 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux > Personally, I do want my shit to be so secure that I can't backdoor it at gunpoint without the ability to commit asset denial towards the attacker...
but you have NO dfa now. Any properly implemented DFA offering is a security improvement. I would argue that TOTP is greater than iTAN as far as security goes, but it seems like a debatable topic. Really with both it comes down to secrets storage, but to me it seems storing a lot more secrets is harder to do, and having to keep track of the used ones seems even more bothersome to me. -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Wednesday, 30-Aug-2023 10:33:22 JST
Kevin Karhan :verified:
@thatguyoverthere @BrodieOnLinux
Also yes, all #iTAN implementations will cross out all used TANs and the last 2-5 are used to auth a new iTAN sheet...
And the best part of it: those can be perfectly seperated and don't need anything but paper and ink to put them on.
Personally, I do want my shit to be so secure that I can't backdoor it at gunpoint without the ability to commit asset denial towards the attacker...
Call me weird, but I'd be dead for over a decade if I wasn't that cautious...
Disinformation Purveyor :verified_think: likes this. -
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:39:36 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux https://www.hackster.io/news/totp-based-open-hardware-authenticator-powered-by-an-esp32-microcontroller-c770f10008af this looks like an interesting project.
My bank uses totp. Also by asking for more options you have to recognize it becomes much more complex and could lead to vulnerabilities that negate the benefit all together? These fuckers just published their own private keys like less than a year ago. -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Wednesday, 30-Aug-2023 10:39:37 JST
Kevin Karhan :verified:
@thatguyoverthere @BrodieOnLinux Let's just say that if #Github wants to mandate #2FA they need to make it even more accessible than #git is.
If I can't fit it on an #OS1337 boot floppy and keep it fully airgapped on paper without knowing time and date, it's shit.
If banks accept #iTAN to do million-euro transactions than Github can so too...
https://mstdn.social/@kkarhan/110965679190470398 -
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Wednesday, 30-Aug-2023 10:40:42 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux but if a shoulder surfer gains a time sensitive code they have nothing. If they get a tan they have your code. -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Wednesday, 30-Aug-2023 10:40:43 JST
Kevin Karhan :verified:
@thatguyoverthere @BrodieOnLinux
Just use a pencil or pen to tick out those you used. #ProblemSolved
Sarcasm aside, they also allow and encourage me to store my recovery codes seperately, thus they can also allow me to do the same with #TANs to #2FA, and with #iTAN they mitigate or at least vastly reduce the success rate of shouldersurfers gaining valid TANs...
-
Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Friday, 01-Sep-2023 07:14:09 JST
Disinformation Purveyor :verified_think:
@kkarhan @BrodieOnLinux well I guess just don't use github :shrug: -
Kevin Karhan :verified: (kkarhan@mstdn.social)'s status on Friday, 01-Sep-2023 07:14:10 JST
Kevin Karhan :verified:
@thatguyoverthere @BrodieOnLinux interesting...
Reminds me of the [long compromized by #Govware #Backdoors] RSA #SecurID #tokens...
Disinformation Purveyor :verified_think: likes this.
-
All 076萌SNS content and data are available under the