> On Dec 11, 2017, at 9:35 AM, Paul Moore <p.f.moore at gmail.com> wrote:
> Maybe I didn't understand it. Doesn't that leave me in precisely the
> same situation as a username/password, in that I have a single set of
> credentials I can use? Or is the fact that it's tied to the specific
> machine the point here? If so, then thanks, I can certainly use that
> should someone decide that mandating 2FA is a good idea (I still
> maintain that recommended but not mandatory is better, as my GH
> account is not used solely for CPython development, so making such a
> change has wider effects than just for this project).

It is true that this weakens the guarantees of 2FA (as does allowing authentication using an SSH key!). In general this trade-off is worth it because the authority granted by those credentials is limited (in this case, I believe you can only push/pull with them, you can’t do anything else on the account) and they’re typically only used in contexts where leaking the credential is far far harder. As a bonus, they’re not going to be shared between multiple services.

So yea, it’s not as good as 2FA only everywhere, but the specific circumstances around these specific credentials make it a reasonable usability trade-off to allow them.
