[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Stefan Krah stefan at bytereef.org
Mon Dec 11 07:57:05 EST 2017

On Mon, Dec 11, 2017 at 01:47:50PM +0100, Victor Stinner wrote:
> 2017-12-11 13:29 GMT+01:00 Stefan Krah <stefan at bytereef.org>:
> > Ssh isn't available everywhere, I don't want to install an app or give
> > out my phone number to half of Silicon Valley [1].
> SMS and FreeOTP are just a few options that you have to generate/get OTP.
> I suggest to use Yubikey. It doesn't need to install an app or to give
> your phone number, but it costs 50$. The advantage is that you can use
> it to store your SSH and GPG keys.

I'm not a fan of hardware key generation. :-)


"In October 2017, security researchers found a vulnerability (known as ROCA) in the implementation of RSA keypair generation in a cryptographic library used by a large number of Infineon security chips. The vulnerability allows an attacker to reconstruct the private key by using the public key.[18][19] All YubiKey 4, YubiKey 4C, and YubiKey 4 nano within the revisions 4.2.6 to 4.3.4 are affected by this vulnerability.[20] Yubico publicized a tool to check if a Yubikey is affected and replaces affected tokens for free.[21]"

More information about the python-committers mailing list