I would like to discuss the weaknesses in using this 2FA policy, and to manifest cons against it. First, logging in to a GitHub account should be independent from other resources, such as counting on SMS and phones, or counting on email accounts, or even worse depending on 3rd-party applications! Logging in should be simple, fast, direct. This new policy increases the time to log in, increases the dependence on the availability of other networks, creates an unnecessary dependence on 3rd parties' applications, and increases the dependence on phones and additional email accounts. What if your phone is off or its network is unavailable? What if your other email supplier is down? (By the way, these are increasingly common problems in times of climate disruption!) How should security increase once exposed to such restrictions? It won't. 2FA implementations based on these dependencies do not increase security as much as you would expect, but they will for sure increase the time-to-login, and make the login process more fragile (if not impossible at all) because it will require other networks/apps/phones to complete the task of logging in. If you observe with attention, when one increases the dependence on 3rd actors, the security decreases. Dependence on additional things makes your business more fragile and less self-sufficient. In addition, you are increasing the complexity of the login process: increased complexity is not a confident path to increase security; in fact it is more likely to decrease security. I migrated to GitHub for several reasons, as many software developers did, and one of them was the simplicity and direct access to information, advantages that you are demolishing from now on by adopting these enforced policies. If NOT IMPOSED, but OPTIONAL, that would be nice! Please consider that these new security policies are more fashion stuff than a real solution. This "security thing" has become more of a psychological pathology than a real need.
I would bet that you guys don't experience such a great amount of "security leaks" to justify adopting this increased level of exposure to 3rd parties' networks/apps/phones/etc. I hope to be contributing to the discussion with a more adult point of view, facing the illusory teenage fascination for security.