[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Alex Gaynor alex.gaynor at gmail.com
Mon Dec 11 08:00:37 EST 2017


It's possible to generate a key on a regular computer and transfer it to a
YubiKey if you prefer. (It's not like software key generation has been
flawless either; [OpenSSL/Debian fiasco]. Oh well, such is life).

Even if you're not going to put your SSH keys on a YubiKey, I _strongly_
encourage folks to get a Security Key (aka U2F device), of which YubiKeys
are one brand, and use it for 2FA with Google/Github/Facebook/etc. In
addition to (IMO) being more usable than Google Authenticator, Security
Keys are resistant to phishing, which is a huge win.

Alex

On Mon, Dec 11, 2017 at 7:57 AM, Stefan Krah <stefan at bytereef.org> wrote:

> On Mon, Dec 11, 2017 at 01:47:50PM +0100, Victor Stinner wrote:
> > 2017-12-11 13:29 GMT+01:00 Stefan Krah <stefan at bytereef.org>:
> > > Ssh isn't available everywhere, I don't want to install an app or give
> > > out my phone number to half of Silicon Valley [1].
> >
> > SMS and FreeOTP are just a few options that you have to generate/get OTP.
> >
> > I suggest to use Yubikey. It doesn't need to install an app or to give
> > your phone number, but it costs 50$. The advantage is that you can use
> > it to store your SSH and GPG keys.
>
>
> I'm not a fan of hardware key generation. :-)
>
>
> https://en.wikipedia.org/wiki/YubiKey
>
> "In October 2017, security researchers found a vulnerability (known as
> ROCA) in the implementation of RSA keypair generation in a cryptographic
> library used by a large number of Infineon security chips. The
> vulnerability allows an attacker to reconstruct the private key by using
> the public key.[18][19] All YubiKey 4, YubiKey 4C, and YubiKey 4 nano
> within the revisions 4.2.6 to 4.3.4 are affected by this vulnerability.[20]
> Yubico publicized a tool to check if a Yubikey is affected and replaces
> affected tokens for free.[21]"
>
>
>
>
> _______________________________________________
> python-committers mailing list
> python-committers at python.org
> https://mail.python.org/mailman/listinfo/python-committers
> Code of Conduct: https://www.python.org/psf/codeofconduct/
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
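The Wikipedia excerpt quoted above notes that Yubico published a tool to check whether a YubiKey's RSA key is affected by ROCA. That check works from the public modulus alone, because ROCA primes have a structure that is visible modulo small primes; the toy detector below, added here and not Yubico's tool or anything from this list, reproduces that fingerprint on constructed 512-bit test moduli (the function names, the 256-bit toy prime sizes and the Miller-Rabin helper are my own assumptions).

```python
"""Toy ROCA fingerprint (Nemec et al. 2017), added here; not Yubico's checker.
ROCA primes are k*M + (65537^a mod M), so N = p*q mod each prime of M stays in <65537>."""
import random
from functools import reduce

E = 65537
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,  # factors of M
          67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,  # for 512-bit keys
          139, 149, 151, 157, 163, 167]
M = reduce(lambda x, y: x * y, PRIMES)
def subgroup(p):  # every value 65537**i mod p: the subgroup <65537> of Z_p^*
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % p
    return seen
RESIDUES = {p: subgroup(p) for p in PRIMES}

def looks_like_roca(n):
    """True when n mod p is in <65537> for every small prime p: the fingerprint."""
    return all(n % p in RESIDUES[p] for p in PRIMES)

def is_probable_prime(n, rng=random, rounds=20):
    """Trial division by PRIMES, then Miller-Rabin with bases drawn from rng."""
    if n < 2 or any(n % p == 0 for p in PRIMES):
        return n in PRIMES
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def toy_prime(rng, roca, bits=256):
    """Random prime of `bits` bits; roca=True imposes the k*M + 65537^a mod M form."""
    lo = 1 << (bits - 1)
    while True:
        p = (rng.randrange(lo // M, 2 * lo // M) * M + pow(E, rng.randrange(M), M)
             if roca else rng.randrange(lo, 2 * lo) | 1)
        if is_probable_prime(p, rng):
            return p
def toy_modulus(seed, roca):  # constructed N = p*q from a seeded RNG; a weak key when roca=True
    rng = random.Random(seed)
    return toy_prime(rng, roca) * toy_prime(rng, roca)
```

A modulus built from two ordinary random primes is flagged only with negligible probability, while every modulus built from ROCA-structured primes matches the fingerprint.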

