[python-committers] Security: please enable 2-factor authentication on GitHub and your email

Tue Dec 12 08:04:42 EST 2017

On 2017-12-12 02:17, Gregory P. Smith wrote:
> On Mon, Dec 11, 2017 at 12:26 PM R. David Murray <rdmurray at bitdance.com
> <mailto:rdmurray at bitdance.com>> wrote:
> 
>     On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft <donald at stufft.io
>     <mailto:donald at stufft.io>> wrote:
>     >
>     > > On Dec 11, 2017, at 2:52 PM, R. David Murray
>     <rdmurray at bitdance.com <mailto:rdmurray at bitdance.com>> wrote:
>     > >
>     > > If 2fa is required for contribution to CPython, I'll stop
>     > > contributing.
>     >
>     > I’m curious why? I have it on and 99% of the time you don’t even
>     > notice because you’re already logged into GitHub and pushes/pulls
>     > don’t require it.
> 
>     I had to use 2FA when working for a corporate client, and it was
>     very annoying.  The fact that pushes and pulls don't require it
>     helps, but also makes it considerably less important.
> 
>  
> Please Don't let /that/ experience color your 2FA opinion.  Not everyone
> $random_corp does a good job of it.
> 
> It does not have to be annoying.  Github's and Google's are examples of
> 2FA done right that is not annoying (using U2F).
> 
>     But I suppose that fundamentally I do not want my security tied to a
>     possession.
> 
> 
> *2FA doesn't need to be tied to a single possession.*  You are not
> limited to a single second factor thing.  You can have plentiful
> different two factor methods set up at once.  This is normal.  ex: A
> printed recovery code at the very least as a second second factor.  Have
> multiple U2F USB tokens tied to your account? Yes. I do that all the
> time on all accounts.
> 
> Heck, a photo/scan/screenshot of backup one time codes stored as a
> public image somewhere with no password authentication for the world to
> see on an http server still counts.  As laughable as that is, it is
> *still* much better than not having 2FA enabled at all.  Because it
> isn't going to be an automated attack at that point.
> 
> /Any/ 2FA is much better than no 2FA.
> 
> When (not if) your login/password is compromised, it is rarely your own
> fault. But your account and all of your data can be gone in a heartbeat
> as soon as anyone or anything malicious chooses to make it so on
> whatever selection of accounts they choose to victimize. Often
> irrecoverably. With 2FA enabled, that is much less likely to happen to you.
> 
> Try it. You will remain happy.
> 
> I recommend the https://www.yubico.com/product/yubikey-neo/ as a primary
> U2F token because it even works with Chrome on Android phones via NFC
> when you need to re-auth there.  That is a more expensive one, there are
> $10-20 alternative vanilla U2F USB tokens. I have some of those as
> backups. The "nano" style keys that you just leave in the USB port of
> all computers you use regularly are also a nice solution. no need to
> find and pull out the key, it is just present in your computers (it
> requires a physical touch to prevent remote access).
> 
> Which 2FA methods to choose is an individual choice, but in my
> experience since the U2F keys came out, I'm less inclined to use any
> service that doesn't support them as all other solutions are a worse
> user experience for me.
> 
> IMNSHO, the PSF /should/ be able to buy one or two U2F tokens for any
> committer who needs them.  This should not depend on a policy of 2FA
> use, it would just be a way to promote good security practices among
> committers  to make us all better off.

+1

If you don't the trust closed-source Yubico hardware, there is plenty of
other hardware out. https://www.nitrokey.com/ is good German engineering
with fully open-sourced hardware and software.

Adam has compiled a nice list of U2F and 2FA tokens, too.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Christian