[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Gregory P. Smith greg at krypto.org
Mon Dec 11 20:17:50 EST 2017


On Mon, Dec 11, 2017 at 12:26 PM R. David Murray <rdmurray at bitdance.com>
wrote:

> On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft <donald at stufft.io>
> wrote:
> >
> > > On Dec 11, 2017, at 2:52 PM, R. David Murray <rdmurray at bitdance.com>
> > > wrote:
> > >
> > > If 2fa is required for contribution to CPython, I'll stop
> > > contributing.
> >
> > I’m curious why? I have it on and 99% of the time you don’t even
> > notice because you’re already logged into GitHub and pushes/pulls
> > don’t require it.
>
> I had to use 2FA when working for a corporate client, and it was
> very annoying.  The fact that pushes and pulls don't require it
> helps, but also makes it considerably less important.
>

Please don't let *that* experience color your 2FA opinion.  Not every
$random_corp does a good job of it.

It does not have to be annoying.  GitHub's and Google's are examples of 2FA
done right that is not annoying (using U2F).

> But I suppose that fundamentally I do not want my security tied to a
> possession.
>

*2FA doesn't need to be tied to a single possession.*  You are not limited
to a single second-factor thing.  You can have plenty of different two-factor
methods set up at once.  This is normal.  E.g. a printed recovery
code at the very least as a second second factor.  Have multiple U2F USB
tokens tied to your account?  Yes.  I do that all the time on all accounts.

Heck, a photo/scan/screenshot of backup one time codes stored as a public
image somewhere with no password authentication for the world to see on an
http server still counts.  As laughable as that is, it is *still* much
better than not having 2FA enabled at all.  Because it isn't going to be an
automated attack at that point.

*Any* 2FA is much better than no 2FA.

When (not if) your login/password is compromised, it is rarely your own
fault. But your account and all of your data can be gone in a heartbeat as
soon as anyone or anything malicious chooses to make it so on whatever
selection of accounts they choose to victimize. Often irrecoverably. With
2FA enabled, that is much less likely to happen to you.

Try it. You will remain happy.

I recommend the https://www.yubico.com/product/yubikey-neo/ as a primary
U2F token because it even works with Chrome on Android phones via NFC when
you need to re-auth there.  That is a more expensive one; there are $10-20
alternative vanilla U2F USB tokens.  I have some of those as backups.  The
"nano" style keys that you just leave in the USB port of all computers you
use regularly are also a nice solution.  No need to find and pull out the
key; it is just present in your computers (it requires a physical touch to
prevent remote access).

Which 2FA methods to choose is an individual choice, but in my experience
since the U2F keys came out, I'm less inclined to use any service that
doesn't support them as all other solutions are a worse user experience for
me.

IMNSHO, the PSF *should* be able to buy one or two U2F tokens for any
committer who needs them.  This should not depend on a policy of 2FA use,
it would just be a way to promote good security practices among committers
to make us all better off.

-Greg