[python-committers] 2FA: only needed at the *first* GitHub login, not needed for commits

[Stefan Krah]

On Tue, Dec 12, 2017 at 10:42:56AM +0100, Victor Stinner wrote:
> Let me explain how GitHub uses 2FA.
> 
> * Let's say that you are not logged on GitHub (or log out to test yourself).
> * Log in GitHub: enter email and password, then you are asked for an
> "Authentication code".
> * You're logged in, congrats :-)
> * Close Firefox
> * Open Firefox, go to GitHub: you are already logged in. No more
> password nor Authentication code asked.

Well, my security model is different.

I have full disk encryption with a long passphrase.  I shut down the computer
when I leave, so I have to enter that passphrase several times a day.


I have an encrypted text file that contains per-website passwords, protected
by another long passphrase. I have to decrypt that file at least once after
booting.


Finally, due to the garbage that modern browsers store (run rsync and watch
what is accumulated even in a day), I clear all the history etc. when
Firefox is closed.


This means that I have to log in ***multiple times into GitHub per day***.



My GitHub password should be only on GitHub, so when there's a breach
GitHub is already pwned (which it has been in the past but the prevailing
doctrine does not permit to mention it, and if anyone dares to he is
ignored).


Given the snake oil history in crypto products (Crypto AG, RSA SecureID,
Infineon chips, closed source in YubiKey), quite franky MY security model
won't allow inserting such a product into an USB slot.



Stefan Krah