It's honestly the most annoying 2FA process I have ever attempted on the internet.
It keeps refusing pointing me to some error page of the Recaptcha having failed, even when I clearly take my time to fill the 10 steps correctly.
When I pass, I for some reason blocks my ability to immediately receive a SMS code telling me to wait an hour.
Attempted it twice in intervals of more than 1 hour and it sucks.

At the end of the process, I still failed to get it right.
What the heck is the reason for 10 steps to verify that I am human?
And when I verify, why point me to some dumb ass error that I encountered an error during verification.

I dont have all day at github.com just to keep trying to verify. WTF

It could be a honeypot designed to identify anonymous users.

A side channel doesn't need to be more secure to be useful. In theory, the probability of both being compromised is the probability of one being compromised multiplied by the probability of the other being compromised. But since there's a single point of attack that would compromise both (your phone) there's less real benefit in this specific 2FA scheme.

I went abroad for 6 months 5 years ago
lost my phone abroad
came home and immediately ordered a new device (on a new contract... with a new number... better value for money)
cookies expired on my pc for facebook, google mail and microsoft
Facebook had 2FA using my microsoft email
Google had 2FA using authenticator
Microsoft had 2FA using my mobile number

never regained access to any of them
was using onedrive for photo storage, lost every file and photo i had from my childhood because of 2FA

IMHO 2FA is not worth the extra security except in highly sensitive systems (like your bank)

this whole idea that it should be on every service we use is utter nonsense, I didn't need it on any of those services, and i wish i could disable it on github

4th mail about "ACTION REQUIRED - SET 2FA" and yet, I FUCKING CAN'T BECAUSE YOUR SYSTEM IS BROKEN!!!! FUCK YOU MICROSOFT! FUCK YOU GITHUB!

tried today again, as every day.... today 24th september they fixed first error.

Still it fails at passkey... all I can use is password + SMS... and we know SMS is really weak factor of auth... so what is increased security here? Nothing. They don't care about security, they only want to know your phone number and more data, and have access to mobile device via their app.

I went abroad for 6 months 5 years ago lost my phone abroad came home and immediately ordered a new device (on a new contract... with a new number... better value for money) cookies expired on my pc for facebook, google mail and microsoft Facebook had 2FA using my microsoft email Google had 2FA using authenticator Microsoft had 2FA using my mobile number

never regained access to any of them was using onedrive for photo storage, lost every file and photo i had from my childhood because of 2FA

IMHO 2FA is not worth the extra security except in highly sensitive systems (like your bank)

this whole idea that it should be on every service we use is utter nonsense, I didn't need it on any of those services, and i wish i could disable it on github

I lost my OSRS account (LvL 32 thankfully) from formatting phone a while back, and that's when I realized 2FA is more of a threat than getting scammed.

I went abroad for 6 months 5 years ago lost my phone abroad came home and immediately ordered a new device (on a new contract... with a new number... better value for money) cookies expired on my pc for facebook, google mail and microsoft Facebook had 2FA using my microsoft email Google had 2FA using authenticator Microsoft had 2FA using my mobile number

never regained access to any of them was using onedrive for photo storage, lost every file and photo i had from my childhood because of 2FA

IMHO 2FA is not worth the extra security except in highly sensitive systems (like your bank)

this whole idea that it should be on every service we use is utter nonsense, I didn't need it on any of those services, and i wish i could disable it on github

Using cloud storage with no local backup for any critical file is just as dangerous as storing them on a single device using a single disk locally with or without 2FA. There are ways to lose access to the account even without 2FA. Computers storing data "in the cloud" (on someone else's computer) can fail just like yours. Usually backups are rather robust, but if corrupted files get to the backups too you may have problems. Cloud server and own computer can both be hacked. In both cases less likely with 2FA but not impossible and this comes with a side order of increased risk of being locked out.

The entire host could go out of business or change business models to something so unsavory (e.g Photobucket selling biometrics from face photos for AI) you must walk away from your files if there is too much there for one big download.

For files that do not create a security risk if accessed by worst-case third parties, the safe storage models are 1 local disk and one offsite cloud provider, two different cloud providers that never share the same data center (e.g the same Amazon AWS physical location), or two local disks one offline save when backup up or restoring from backups. One of these should be offsite if possible, that saved my ass once.

Thanks, I'll research it. Nice to have more options.

Yeah this is the last straw for me I think

I'd be fine with it if you had to use 2fa for select actions, like adding a key - but for my everyday log in, no thanks.

Gitlab is the same shit. I just tried registering and not only will they force you into 2fa too, they also ask for your credit card even for the free version.

@technik That was not my experience. I think this is FUD.

2FA is "security theater"

It is not more secure than a strong password.

It is better for micro$oft: easier to steal personal data from your mobile device.

install 2 possibly compromised pieces of software for security, no wonder everything gets hacked, I can manually trunk my source on my machine, for about the same space, and effort without adding 2 pieces of software with x amount of security holes each from the software or its depends

That is the thing, they don't even specify what will happen if you reject 2FA.

They write: "You will need to enable two-factor authentication on your account before October 12, 2023, or be restricted from account actions."

The use threatening language is an insult to the github to community.

I have not been able to find out what "be restricted from account actions" means. Github support is silent when asking for clarification.

@PiKeyAr I can confirm this, just got a response from github support, and the short version is that to login to your account on github.com after October 1, 2023, you must enable 2FA. So to delete your account, for example, you need to enable 2FA. Repositories will be left untouched, and pushing to repos will apparently still work.

It's more useless crap used to tie phones to people.

They hope to link online personas to real individuals because they can't stop scary hackers any other way, good point

They just want to invade privacy and sell data.

I have moved my repos to GitLab, worked very well to import them over, was easy!

How do we turn this into a formal protest?

Probably making a boycott organisation (wherein important maintainers could migrate their repos out of GitHub until demands are met), and also reaching out to GitHub employees or tech unions (I'm not sure if any are unionised) about potential strike action. In the current climate the latter is a stretch, but in a culture of regular striking and strong unions this kind of demand to protect customers/clients/broader society as well as workers used to be commonplace. GitHub employees have protested & resigned before regarding Palantir & ICE. Unfortunately according to this log of strike actions, and in keeping with the generally rightwing culture of IT/programming, the IT sector hasn't seen much industrial action in the last few years.

@howtophil I forked your No2FA project and modified the link to where I am migrating. I suggest others do the same.

Sounds like a good plan to me.

I entirely favor the strike. Real worst case: my MATE wayland work is developed privately, on my own machine, and the resulting source code is offered as patches against git master or against a release plus as patched tarballs on archive.org. I do not have a stable phone number-and I am subject to a conflicting security requirement for deniable ownership of phones and computers.

I am hoping I can stay on the MATE team, but I have to put the security of the my devices ahead of this, and may have to walk away from my account as I did from all the US email providers a decade ago.

@howtophil I forked your repo, goodbye github. before I go, let me leave you with a sendoff
https://www.youtube.com/watch?v=oEybvx6Fx8M

This isn't true, you can open a GH support ticket. 2FA being mandatory likely violates privacy laws such as GDPR as there is no option to have the associated data deleted in the 2FA settings so that alone is likely justification enough to make 2FA on by default with the option to turn it off as I suggested in my comment here.

look into something like bitwarden

I have all my authenticators in bitwarden's password vault

And you can have bitwarden as an extension on any chromium browser, no need for a smart phone

they do this so they can get more of your devices on record, to steal more of your data for resale. because apparently giving them code for free wasn't enough.

there aren't many places to go, there's like bitbucket and gitlab and those are literally the only ones I know of and i've never used either. I was hesitant to even start a github if i'm being honest and I'm now regretting it.

i haven't heard of this one before. it seems to be based in germany? that seems like it could become an issue.

There's a silver lining to MS using GH to train LLMs: most of the code on GH is so horrendous that the LLMs are complete trash as well. Ironically, the DEI epidemic is saving us from AI.