[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Victor Stinner victor.stinner at gmail.com
Mon Dec 11 08:29:08 EST 2017

2017-12-11 14:07 GMT+01:00 Antoine Pitrou <antoine at python.org>:
> If I have my 2FA key on a regular computer (the same that runs my
> password manager), is it still 2FA?

It's still more secure than password only. If your password is leaked
by any means, the 2FA still keeps you safe.

From my point of view, the risk of password leak is much higher than a
compromise of your machine to steal your 2FA key. Passwords are
usually handled as text, you may paste it in the wrong field of a web
form, pass it as clear text (HTTP) by mistake, etc. 2FA keys usually
use OTP: leaking an OTP is not an issue, since it's invalidated as
soon as you use it. The time window to hack your account is much

It's not only a matter of 1-factor vs 2-factor, it's also the design
of OTP which is more secure than passwords.

It's always a matter of compromise between usability vs security.
