Raising the bar for software security: GitHub 2FA begins March 13
github.blog
On March 13, we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. Read on to learn about what the process entails and how you can help secure the software supply chain with 2FA.

I personally am fine with this.

      • SkaveRat@discuss.tchncs.de
        0·
        1 year ago

        how would they track you?

        The reason they want a phone number is, that it’s a relatively cheap way to ensure people not signing up bots galore, as getting phone numbers en masse is a lot harder than getting email accounts

        • Otome-chan@kbin.social
          11·
          1 year ago

          phone numbers are typically tied to your name/identity, and phone companies can locate you using their towers and such. Giving a company your phone number is identical to giving a company your full legal name and address.

          • SkaveRat@discuss.tchncs.de
            1·
            1 year ago

            me giving, let’s say, twitch my phone number gives them exactly 0 ways of tracking me in any way whatsoever

            Source: worked for a mobile company

          • _number8_@lemmy.world
            11·
            1 year ago

            yeah, no idea why you’re getting downvoted, it’s clear why companies are so eagerly embracing and requiring 2FA – if the benefits were only for the consumers, it wouldn’t be mandated anywhere near this quickly. but when they know they get a real human phone tied to every account, that’s a huge motivation

  • Otome-chan@kbin.social
    11·
    1 year ago

    No offense to companies but I’m honestly sick of companies forcing 2fa. Every single one seems to have a different shitty way of doing it. Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)? Some do sms/phone number, but then yell at you and prevent you from doing 2fa if you have a “bad phone number”. This happened on discord where I’m locked out of certain servers because I can’t do phone verification, and I can’t do it because discord doesn’t like my phone number. Twitter was the same way for a long while (couldn’t do 2fa/phone verification due to them not liking my number).

    From the article it sounds like they’re doing authenticator app or sms. I’m guessing sms won’t work for me, so app it is. I decided to dig to see which authenticator app they use and they list: 1password, authy, lastpass, and microsoft… no google?

    Honestly, even email requirements for accounts is annoying because you know it just ends up spamming you. is the future where we’re gonna have to have 30 different authenticator apps on our phone?

    • SkaveRat@discuss.tchncs.de
      1·
      1 year ago

      Like why on earth do I need two different authenticator apps on my phone (authy&google authenticator)?

      you… don’t?

      Both of these implement exactly the same protocol (TOTP). Used authy for all my Top Of The Pops Time-based one-time password needs exclusively, before moving everything to bitwarden

    • library_napper@monyet.cc
      1·
      1 year ago

      Anyone who claims they’re doing OTPs over SMS for “security” ia lying to you. Discord wants your phone number; it has nothing to do with your security

      • Otome-chan@kbin.social
        1·
        1 year ago

        there’s quite a lot of services that want phone for verification/2fa/whatever. whenever I run into them I usually just refuse to use the service altogether.

  • Gamey@feddit.rocks
    01·
    1 year ago

    Good, people are fucking stupid and if it effects others it’s often better to choose the security for them!

    • NekuSoul@lemmy.nekusoul.de
      0·
      1 year ago

      Yup. I’m actually a bit baffled by how much negativity/misinformation there’s around 2FA even in a place like this, which should naturally have a more technically inclined userbase.

      • daYMAN007@feddit.de
        1·
        1 year ago

        Well negativity is there because every app wants it.

        I don’t care if account x is compronised, as it has absolutly no value

    • faerbit@feddit.de
      1·
      1 year ago

      Hard disagree. I do not want to have 2FA for every shittly little thing I do not care about.

    • sugar_in_your_tea@sh.itjust.works
      01·
      1 year ago

      Specifically app-based 2FA, ideally Google Authenticator based. There are tons of great authenticator apps available that are all compatible, so it should absolutely be preferred over SMS or email.