[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Paul Moore p.f.moore at gmail.com
Mon Dec 11 16:37:20 EST 2017

On 11 December 2017 at 20:15, Julien Palard via python-committers
<python-committers at python.org> wrote:
> Antoine Pitrou <antoine at python.org>:
>> A random piece of paper in my wallet may not have an extremely long
>> lifetime (paper is fragile).  And one piece of paper might be ok, but
>> what if I need one for every 2FA-enabled Web site?
> It's a legitimate question, so I'm taking mine out right now to check.

Here's a question (disclaimer: I'm *not* saying I disagree with 2FA,
or strong security, or anything like that, I'm genuinely curious about
the usability trade-offs based on my experience). I have a piece of
paper with some Google account recovery keys on it. I think it's in my
wallet (it was last time I looked but that's literally years ago). So,
what if I've lost it? As I understand it, if I lose my access for any
reason (phone broke irrecoverably is the example that happened to me a
few months ago), I need those keys to get access, but I don't know any
longer if I have them. And if I don't, I'm screwed. So surely there's
an additional requirement that I keep track of my recovery keys, so I
*know* if they get lost?

Password/identity management is a *huge* burden in these days of every
website under the sun needing a unique login. Even just classifying
your accounts as "critical", "important", "useful", "minor" and
"throwaway" takes significant effort. Password managers are basically
the only scalable solution I know of, and they have their own problems
(online ones can be compromised themselves, personal ones don't always
work on all devices, and sharing the password database is a
non-trivial issue). I already need to know one thing (the password DB
passphrase) and have another (the DB itself). 2FA essentially adds a
third factor, not a second (yes, I know that's not precisely correct).

Anyway, I've said enough - you get my point. People should be allowed
to make their own judgments on risk vs usability. IMO, we should focus

1. If we grant core dev status, we should factor in whether we think
the prospective candidate understands the responsibility in terms of
security (I'd be surprised if anyone thought we didn't already do
2. Because we're on a shared infrastructure (github) we can't mandate
how developer accounts are configured without considering how that
affects a user's *other* activities [1].


[1] I can expand on this, but it's somewhat off-topic and also not
something I'd want to discuss on a public list, so ask me privately if
you're interested in my specific case.

More information about the python-committers mailing list