Please make sure you're following good security practices with your GitHub account
I have discovered someone tried to break into my GitHub account (you can check yourself by going to https://github.com/settings/security-log and looking for "failed to login" attempts for potentially odd geographical locations for yourself). CPython probably would have been the biggest target for them had they gotten in (my work stuff is all open source and it would have required breaking into another account). But GitHub has a completely unique password and MFA turned on, so they were unsuccessful.
Please make sure you have a unique password for your GitHub account and that you have 2FA/MFA turned on (I honestly think we should start requiring this; I'm sure we can get money for folks to get security keys). Other languages like PHP have been successfully hacked (https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-aft...), so this isn't a hypothetical anymore that we would be targets for folks who want to install a backdoor into one of the world's most popular programming languages, which is now mission-critical for a lot of massive corporations and governments.
See also https://discuss.python.org/t/remove-coordinator-role-of-inactive-coordinator... for the security of bugs.python.org. So far, no action was taken. Inactive coordinators kept their permission.
For GitHub, I'm using a Yubikey and FreeOTP for the 2FA.
Victor
python-committers mailing list -- python-committers@python.org To unsubscribe send an email to python-committers-leave@python.org https://mail.python.org/mailman3/lists/python-committers.python.org/ Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/I... Code of Conduct: https://www.python.org/psf/codeofconduct/
-- Night gathers, and now my watch begins. It shall not end until my death.
[Brett]
... Please make sure you have a unique password for your GitHub account and that you have 2FA/MFA turned on (I honestly think we should start requiring this ...
I use 2FA on sites that cater to my reality ;-) That is, I don't have a smartphone, or a cell phone of any kind, or any device capable of scanning QR codes, or, as far as I know, capable of receiving SMS msgs (unless there's some way of tricking a desktop PC into doing so).
In its infinite wisdom, the US Social Security system started requiring stuff like the above for recipients to log in to their SS web accounts. Which was a disaster. While they should have known this in advance, I'm not the only US senior content to live with a desktop PC and a landline ;-)
SS soon changed to send a "security code" to your account's registered email address instead. That works fine. Several other sites do the same. My bank has an automated system that calls my (landline) phone number, and a computer-generated voice tells me a one-time security code for me to type in. Also fine.
But reading the Github 2FA docs, they don't _appear_ to offer any method I could use. Things "I have" are a desktop PC, an email address, and a landline phone number. That's it.
On Jun 14, 2021, at 5:02 PM, Tim Peters <tim.peters@gmail.com> wrote:
But reading the Github 2FA docs, they don't _appear_ to offer any method I could use. Things "I have" are a desktop PC, an email address, and a landline phone number. That's it.
You can get a Yubikey for like $15? or so and use that for best in class 2FA.
You can also get an app for your desktop PC that can do TOTP codes (1Password has it built in, I’ve never used any of these applications though).
[Donald Stufft <donald@stufft.io>]
You can get a Yubikey for like $15? or so and use that for best in class 2FA.
You can also get an app for your desktop PC that can do TOTP codes (1Password has it built in, I’ve never used any of these applications though).
Thanks! Alas, it's all utter gibberish to me. I'm going to ignore this until GitHub refuses to talk to me ;-)
Their docs say "After you configure 2FA using a mobile app or via text message ...", neither of which I can do. If "Yubikey" requires some other kind of setup, their docs don't mention it.
yubico.com lists a baffling variety of devices, from $24.50 to $90.00. If I buy one and plug it in, and that's the end of it, fine by me - happy to eat the cost. But I'm not keen to waste time wrestling with anything :-(
On Jun 14, 2021, at 5:27 PM, Tim Peters <tim.peters@gmail.com> wrote:
Thanks! Alas, it's all utter gibberish to me. I'm going to ignore this until GitHub refuses to talk to me ;-)
Their docs say "After you configure 2FA using a mobile app or via text message ...", neither of which I can do. If "Yubikey" requires some other kind of setup, their docs don't mention it.
The desktop apps I spoke of work instead of a Mobile app.
I’ve never used these, but some googling suggests
https://www.microsoft.com/en-us/p/2-factor-authenticator/9nblggh5k7jn?active...
Or
https://www.microsoft.com/en-us/p/winotp-authenticator/9nf2rgqkx1mv?activeta...
Might work if you’re on windows.
There’s some for every OS though.
yubico.com lists a baffling variety of devices, from $24.50 to $90.00. If I buy one and plug it in, and that's the end of it, fine by me - happy to eat the cost. But I'm not keen to waste time wrestling with anything :-(
Sorry, the standard is called webauthn (or sometimes FIDO or U2F), and yubikey is just the biggest supplier of them. Some information here:
https://github.blog/2019-08-21-github-supports-webauthn-for-security-keys/
I guess they’re more expensive than I last remembered them being. It’s been a few years since I bought mine (or I got it on sale, I don’t remember). There’s a review of some of the security keys available at
https://www.theverge.com/2019/2/22/18235173/the-best-hardware-security-keys-...
Or if you like wire cutter:
https://www.nytimes.com/wirecutter/reviews/best-security-keys/
I do use a Yubikey too.
On 6/14/21 at 11:27 PM, Tim Peters wrote:
If I buy one and plug it in, and that's the end of it, fine by me
That's almost as simple as you want:
In the GitHub settings 2FA tab you'll have to hit a "Register a new security key" button; it makes your key "blink" (blinking means: please touch the key to allow this action).
Then every time you log in your key blinks and you have to touch it to allow this action.
And that's it. It uses an open standard called U2F [1] which works on a variety of setups (it works with Firefox on Debian for example). It also works on pypi.org \o/.
If the PSF is willing to help financially, I'd recommend everyone to buy (and register) two keys: a primary key and a backup key in case you lose or break the first one.
I personally have a USB-C key and a USB-A key, so I can choose my key according to the USB port I need to use.
Then optionally you can set up a PIV application on the key to store your private SSH key, and use PKCS#11 to forward SSH connection challenges to be resolved by the key. The big advantage is: your private key never leaves the key (which is write-only). It's way more complicated than U2F though!
On Wed, 16 Jun 2021 at 06:15, Julien Palard via python-committers <python-committers@python.org> wrote:
I do use a Yubikey too.
I'm not particularly bothered by the debate over 2FA (I have a 2FA app on my phone that I use and that's sufficient) but I'd like to offer a counter argument to everyone saying Yubikeys are a straightforward solution (not particularly picking on you, Julien, a few people have suggested this option). Maybe they are for a lot of people, but I have 3 PCs, a tablet and a phone that I routinely use for github access. At least one is critically short of USB ports from all of the other junk I have plugged in.
I checked the Yubikey website and their recommendation (based on my answers to their questions about how I would use them) was to buy *three* keys, each of which was priced at about €40-50. That's a lot of money¹. And there was some comment about not working completely seamlessly with my iPad, which worried me, as well. And even with 3 keys, that's still going to mean swapping keys as I have more than 3 devices...
So while I support the idea of having 2FA (I spotted a suspicious attempt to log into my account that failed, like Brett, so there's definitely a need) I don't think we should assume any particular solution will work universally - and finding a working solution might be hard for some people (for a long time, I didn't use a smartphone regularly, and none of the available 2FA solutions really worked for me). It sounds like a Yubikey might be a reasonable solution for Tim, but only he can say that for sure, and we should avoid letting our enthusiasm for our own preferred solution blind us to the fact that it might not suit everyone.
(Sorry - some battle scars showing there, I've had rather too many people tell me to get a Yubikey when it really doesn't work for me. It soured me on 2FA for quite some time, until I found a solution that suited me...)
Paul
¹ Yes, I know it's way less than I spent on all those PCs!!!
Something I'd like to add to the discussion:
2FA on Github only applies to the website, not the SSH access:
https://docs.github.com/en/github/authenticating-to-github/securing-your-acc...
So by enabling 2FA you only protect settings and actions which can only be done via the website. It's still possible for someone getting access to your SSH key to push PRs in your name, for example.
Now 2FA in general is a good idea, but as someone who has lost access to accounts because of my mobile's TOTP app failing on me, please make sure that you do configure the available recovery methods or take snapshots of the TOTP registration QR codes and store them in a password manager (if that works with the website).
Failing to do so can make 2FA a nightmare, since websites will make it really hard to regain access to the account when enabled.
BTW: A lot of this is smoke and mirrors or snake oil as they say... the most vulnerable account is your email account and this is still good old user id and password in many cases. Additionally, emails tend to travel via several hops you don't have control over, e.g. mailchimp et al., your provider. If you're lucky all those hops use TLS for in-transit messages, but I have yet to find a website which sends your access reset emails using GPG or S/MIME for end-to-end encryption. You know: weakest link in a chain, etc.
-- Marc-Andre Lemburg eGenix.com
On 16/06/2021 07.14, Julien Palard via python-committers wrote:
If the PSF is willing to help financially, I'd recommend everyone to buy (and register) two keys: a primary key and a backup key in case you lose or break the first one.
Most sites with MFA support have backup/recovery codes, too. I recommend that you generate backup codes, print them out and store the printout with your important documents. It's low tech and safe.
Christian
On 16/06/2021 at 10:33, Christian Heimes wrote:
Most sites with MFA support have backup/recovery codes, too. I recommend that you generate backup codes, print them out and store the printout with your important documents. It's low tech and safe.
It's as reliable as printing passwords on a piece of paper, isn't it?
On 16/06/2021 10.50, Antoine Pitrou wrote:
It's as reliable as printing passwords on a piece of paper, isn't it?
No, recovery codes on paper are much more secure than printing passwords on paper.
Passwords give an attacker immediate access to your account.
Recovery codes only contain one-time use second factors. They are useless without the first factor (password). You keep recovery codes at home, too. An attacker would need to get access to your first factor and then break into your apartment to locate and steal your second factor.
Christian
On 6/16/21 at 10:50 AM, Antoine Pitrou wrote:
It's as reliable as printing passwords on a piece of paper, isn't it?
The password is *something you know*, so we (all?) agree: printing it is a bad idea.
The 2nd factor is *something you have*, so printing them is not an issue, and having them in your wallet is fine too (and can even save the day).
A U2F key as a 2nd factor is *something you have* too, it's not more nor less physical than paper in your wallet.
The idea is: it's harder to steal something to know *and* something you have.
On 16/06/2021 at 07:14, Julien Palard via python-committers wrote:
And that's it. It uses an open standard called U2F [1] which works on a variety of setups (it works with Firefox on Debian for example).
For the record, U2F has never worked for me with Firefox on Ubuntu. It works with the Firefox binaries provided by Mozilla, though.
Regards
Antoine.
FYI, after getting nudged by Jack Jansen (thanks!), I'm using 2FA on GitHub now. If I can do it, anyone can. On Windows desktop, no smart phone, no cell phone, no QR code scanner. Using Authy (free), which did one setup step via a landline phone call instead (Authy does demand to know _a_ phone number for you).
No, I have no real idea what I did, or why, and part didn't work until I deleted an embedded space from a copy/paste of a 6-digit integer Authy told me to paste into Github. And I have no interest in knowing more about it either ;-)
if-it's-incomprehensible-it-must-be-secure-ly y'rs - tim
Just for interest, I noticed a failed login attempt to my Github account about two hours ago, originating in Toronto.
That's the first fishy thing Github's security log ever showed for my account.
I do have 2FA enabled there now, so I'm not worried.
Coincidence? About a week after I enabled 2FA for my Microsoft account, that _also_ notified me for the very first time of a failed login attempt.
Maybe the NSA tracks when people enable 2FA, and after about a week gets around to making sure they can still break in ;-)
There’s another possible explanation. This mailing list is archived and the archives are publicly readable.
--Guido (mobile)
On 6/14/2021 5:06 PM, Donald Stufft wrote:
On Amazon, Yubikey is $45-55 for 3 kinds of interfaces. One must buy the right one. And then configure with each remote account. Pictures show USB-C keys plugged into laptops, but desktops and monitors with USB have standard USB 2/3 ports. FIDO NFC USB-A mobile device key is $25.
On 6/14/2021 3:38 PM, Brett Cannon wrote:
I have discovered someone tried to break into my GitHub account (you can check yourself by going to https://github.com/settings/security-log and looking for "failed to login" attempts for potentially odd geographical locations for yourself).
I checked and the only logins are me, at home, with the same IP address. (I realize that this could change.) My only development system is on my desktop, so github *could* let me check a box to use the location as a quasi 2nd factor. If the IP address changes, they *could* immediately email (if requested).
TJR
I use a mobile device to store TOTP tokens (one time use passcodes), but as I also wish to use my workstation device to generate these tokens, I’ve historically used a tool called oathtool (https://www.nongnu.org/oath-toolkit/) to generate these one time tokens (from a stored secret), but due to portability issues with the tool, I ended up porting it to Python. Now with keyring (https://pypi.org/project/keyring/) and oathtool (https://pypi.org/project/oathtool/) and jaraco.clipboard (https://pypi.org/project/jaraco.clipboard/), I’m able to (a) store the Github-generated key in a secure location, (b) generate tokens from the command line, and (c) copy them to the clipboard for easy pasting into a form (independent of platform). Since I use xonsh for my shell, I’m able to readily create aliases for each of the sites I use thus:
    import functools
    import keyring
    import jaraco.clipboard

    def get_oath(system, user):
        # Fetch the base32 TOTP secret from the OS keyring, dropping the
        # spaces GitHub inserts when it displays the secret.
        code = keyring.get_password(system, user).replace(' ', '')
        # xonsh syntax: $(...) captures the command's stdout, @(code) splices
        # the Python value into the command line.
        otp = $(oathtool @(code)).rstrip()
        # Put the one-time code on the clipboard, ready to paste into the form.
        jaraco.clipboard.copy(otp)

    def add_mfa(alias, system, user):
        # Register a shell alias bound to this site's keyring entry.
        aliases[alias] = functools.partial(get_oath, system, user)

    add_mfa('github-mfa', 'GitHub MFA', 'jaraco')
Now, when I type github-mfa in my shell, keyring retrieves the key from a secure storage, oathtool converts that to a valid one time passcode, and then jaraco.clipboard puts that on the clipboard, all using nothing but Python and a few libs.
The workflow may not be the best for you, and is probably not quite as secure as a hardware token like Yubikey, but as long as the password store is kept as secure as the hardware token, it’s comparable, and a fair deal more secure than with a password and does supply a second factor. I welcome others to copy all or part of the approach.
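The step that oathtool performs in the workflow above (turning a stored base32 secret into a six-digit code) and the matching server-side check, as an added example that is not Jason's code nor oathtool's. The sample secret is constructed (it is the RFC 6238 reference key in the spaced form sites display beside their QR code), and the whitespace handling covers both the spaces in the stored secret and the embedded space in a pasted code that Tim ran into.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 reference key "12345678901234567890"
# in the spaced base32 form a site shows beside its QR code. Not a real account key.
EXAMPLE_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def normalize_secret(secret_b32):
    """Turn the displayed base32 secret into raw key bytes.

    Drops the grouping spaces (the same fix as .replace(' ', '') in the xonsh
    alias), upper-cases, and restores the '=' padding that b32decode requires.
    """
    cleaned = "".join(secret_b32.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time // step), digits)


def verify_totp(key, submitted, at_time=None, step=30, digits=6, window=1):
    """Server-side check of a code typed by a user.

    Tolerates embedded whitespace from a copy/paste, accepts codes for `window`
    steps on either side of now to absorb clock drift, and compares each
    candidate in constant time so timing leaks nothing about the expected code.
    """
    cleaned = "".join(submitted.split())
    if len(cleaned) != digits or not cleaned.isdigit():
        return False
    if at_time is None:
        at_time = time.time()
    now = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(key, now + delta, digits), cleaned)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = normalize_secret(EXAMPLE_SECRET_B32)
    print("current code for the sample secret:", totp(key))
```

A production verifier should additionally remember the last counter it accepted for each user so that a code cannot be replayed within its drift window.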
Thanks for sharing your experience, and I think it's important for us core developers to be careful and vigilant about this.
I was wondering if we should add under the "core developers responsibility" section (https://devguide.python.org/coredev/#responsibilities), about securing their GitHub account with 2FA/MFA? I think this is something that can be made as required by the org admins. (and add that we'll work with folks if they need assistance in setting those up).
On Tue, Jun 15, 2021 at 2:08 PM Mariatta <mariatta@python.org> wrote:
Thanks for sharing your experience, and I think it's important for us core developers to be careful and vigilant about this.
Work picked up hardware fobs from Deepnet Security for a lower price. We paid about $16 apiece for 20, but had to go through their "request a quote" web form. Something like that should work fine for anyone who doesn't want to use a smartphone or bind it to their password manager. (After all, it wouldn't really be 2FA if your password manager provided both factors!)
-Fred
-- Fred L. Drake, Jr. <fred at fdrake.net> "There is nothing more uncommon than common sense." --Frank Lloyd Wright
On Tue, Jun 15, 2021 at 11:08 AM Mariatta <mariatta@python.org> wrote:
Thanks for sharing your experience, and I think it's important for us core developers to be careful and vigilant about this.
I was wondering if we should add under the "core developers responsibility" section ( https://devguide.python.org/coredev/#responsibilities), about securing their GitHub account with 2FA/MFA? I think this is something that can be made as required by the org admins. (and add that we'll work with folks if they need assistance in setting those up).
Yes, there's a setting at I believe the org level where we can require 2FA. I've tossed something on the SC agenda (which is currently massive, so who knows how long it will be before we get to this) to see if this is something we want to consider (if 2FA would actually stop you from contributing, do feel free to speak up, otherwise I assume it's a situation like Tim where we just need to help you figure out how to make it work).
-Brett