Hi,

On the "Security: please enable 2-factor authentication on GitHub and your email" thread that I started, I see many people afraid of being annoyed everyday by 2FA (2-factor authentication, called "Authentication code" in GitHub).

Let me explain how GitHub uses 2FA.

• Let's say that you are not logged on GitHub (or log out to test yourself).
• Log in GitHub: enter email and password, then you are asked for an "Authentication code".
• You're logged in, congrats :-)
• Close Firefox
• Open Firefox, go to GitHub: you are already logged in. No more password nor Authentication code asked.

Hum... that's it :-) I don't know how long the GitHub cookie remains valid, but it's very rare (maybe once per month? or once every 3 months??) for me to have to log in again. And usually, it's because I log out on purpose.

Ok, now you can to push a pull request using SSH:

• Step 1: git push (...)
• There is no step 2 :-)

There is no 2FA here. If I understood correctly, for HTTPS, there is no 2FA neither.

So where is the 2FA?

• New log in

The 2FA is not needed for:

• (If you are already logged in) Disabling 2FA doesn't require an authentication code. I just checked for you :-)
• Adding a new SSH key to your account only requires your password, but the authentication code is also accepted instead of the password

So what is the point of 2FA? It protects the log in. If an attacker has your password without the 2FA key, they are unable to log in.

From what I see, the 2FA doesn't protect against pushing commits if the attacker steal your SSH key or your HTTPS password. My understanding is that it's more common to get a password stolen than a SSH key. While you have to write the password regulary in web forms, GitHub only requires your SSH *public key* (only asked you, when adding a new key). The risk of leaking a SSH private key by mistake is much lower. For example, a browser doesn't ask you to store your SSH private key, only your password. For HTTPS: well, try to avoid HTTPS and prefer SSH? :-)

A few months ago, using a Yubikey is Firefox required a plugin. Good news: since Firefox 57 (or even Firefox 56), U2F support is now builtin! But it's still experimental and so disabled by default (it's a simple flag that has to be set to true in about:config):

https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/

Google has the same 2FA design. It stores a cookie and so once you are logged on your computer, the 2FA is no more used. There is a check box like "[x] Remember this computer" or something like that. The 2FA matters you someone tries to use your password on a different computer.

At work, I have a different experience with 2FA. It's much more stricter. I have to use my 2FA at least once a day, or more frequently depending on the services that I have to use. So yeah, I understand that some people who already suffer from that don't want to be annoyed on the Python project.

Victor