<div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Mon, Dec 11, 2017 at 12:26 PM R. David Murray <<a href="mailto:rdmurray@bitdance.com">rdmurray@bitdance.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft <<a href="mailto:donald@stufft.io" target="_blank">donald@stufft.io</a>> wrote:<br>
><br>
> > On Dec 11, 2017, at 2:52 PM, R. David Murray <<a href="mailto:rdmurray@bitdance.com" target="_blank">rdmurray@bitdance.com</a>> wrote:<br>
> ><br>
> > If 2fa is required for contribution to CPython, I'll stop<br>
> > contributing.<br>
><br>
> I’m curious why? I have it on and 99% of the time you don’t even<br>
> notice because you’re already logged into GitHub and pushes/pulls<br>
> don’t require it.<br>
<br>
I had to use 2FA when working for a corporate client, and it was<br>
very annoying. The fact that pushes and pulls don't require it<br>
helps, but also makes it considerably less important.<br></blockquote><div> </div><div>Please Don't let <i>that</i> experience color your 2FA opinion. Not everyone $random_corp does a good job of it.</div><div><br></div><div>It does not have to be annoying. Github's and Google's are examples of 2FA done right that is not annoying (using U2F).</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">But I suppose that fundamentally I do not want my security tied to a<br>
possession.<br></blockquote><div><br></div><div><b>2FA doesn't need to be tied to a single possession.</b> You are not limited to a single second factor thing. You can have plentiful different two factor methods set up at once. This is normal. ex: A printed recovery code at the very least as a second second factor. Have multiple U2F USB tokens tied to your account? Yes. I do that all the time on all accounts.</div><div><br></div><div>Heck, a photo/scan/screenshot of backup one time codes stored as a public image somewhere with no password authentication for the world to see on an http server still counts. As laughable as that is, it is *still* much better than not having 2FA enabled at all. Because it isn't going to be an automated attack at that point.</div><div><br></div><div><i>Any</i> 2FA is much better than no 2FA.</div><div><br></div><div>When (not if) your login/password is compromised, it is rarely your own fault. But your account and all of your data can be gone in a heartbeat as soon as anyone or anything malicious chooses to make it so on whatever selection of accounts they choose to victimize. Often irrecoverably. With 2FA enabled, that is much less likely to happen to you.</div><div><br></div><div>Try it. You will remain happy.</div><div><br></div><div><div>I recommend the <a href="https://www.yubico.com/product/yubikey-neo/">https://www.yubico.com/product/yubikey-neo/</a> as a primary U2F token because it even works with Chrome on Android phones via NFC when you need to re-auth there. That is a more expensive one, there are $10-20 alternative vanilla U2F USB tokens. I have some of those as backups. The "nano" style keys that you just leave in the USB port of all computers you use regularly are also a nice solution. no need to find and pull out the key, it is just present in your computers (it requires a physical touch to prevent remote access).</div><div><br></div><div>Which 2FA methods to choose is an individual choice, but in my experience since the U2F keys came out, I'm less inclined to use any service that doesn't support them as all other solutions are a worse user experience for me.</div><div><br></div><div>IMNSHO, the PSF <i>should</i> be able to buy one or two U2F tokens for any committer who needs them. This should not depend on a policy of 2FA use, it would just be a way to promote good security practices among committers to make us all better off.</div></div><div><br></div><div>-Greg</div></div></div>