[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Victor Stinner victor.stinner at gmail.com
Mon Dec 11 08:29:08 EST 2017


2017-12-11 14:07 GMT+01:00 Antoine Pitrou <antoine at python.org>:
> If I have my 2FA key on a regular computer (the same that runs my
> password manager), is it still 2FA?

It's still more secure than password only. If your password is leaked
by any mean, the 2FA still keeps you safe.

>From my point of view, the risk of password leak is much higher than a
compromise of your machine to steal your 2FA key. Passwords are
usually handled as text, you may paste it in the wrong field of a web
form, pass it as clear text (HTTP) by mistake, etc. 2FA key usually
use OTP: leaking an OTP is not an issue, since it's invalidated as
soon as you use it. The time window to hack your account is much
shorter.

It's not only a matter of 1-factor vs 2-factor, it's also the design
of OTP which is more secure than passwords.

It's always a matter of compromise between usability vs security.

Victor


More information about the python-committers mailing list