[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Julien Palard julien at palard.fr
Mon Dec 11 15:15:50 EST 2017

Antoine Pitrou <antoine at python.org>: 
> A random piece of paper in my wallet may not have an extremely long
> lifetime (paper is fragile).  And one piece of paper might be ok, but
> what if I need one for every 2FA-enabled Web site?

It's a legitimate question, so I'm taking mine out right now to check.

I use a single folded paper of like 20cm×10cm, so folded twice it takes
less than a standard card, and it's in good shape
as it's stored in a flat compartment of my wallet (I've had
it for like 6 months, I do not remember the "bad shape" of my previous
one when I changed it).

I currently have 7 services on it, with 6 codes for each of them,
there's still room for 4 services if I don't start using both sides.
It's handwritten as I didn't have a printer at that time (yes, it's a PITA
to write them all, I now have a printer and will try with it next time).

So from my point of view it's totally OK to store them as a folded sheet of
paper in a wallet, as long as you can print and cut them: I agree, handwriting
them is really something I would not recommend. Also, renewing all codes
(if your wallet gets stolen) takes a huge amount of time if you have codes for,
say more than 5 services, it's something to consider, but does not happen often.

While I'm at it, applications like Google Authenticator do *not* display a favicon
or whatever, just the name of the service, it starts to be annoying up to 10
registered services (almost two screens long of OTPs being generated).

Also, I consider receiving OTP over SMS a bad solution: you may not
receive them in some places or some countries besides being relatively easy
to intercept (by someone really wanting them, they could just buy a big wrench for $10
at this point).

Julien Palard
