[python-committers] Security: please enable 2-factor authentication on GitHub and your email
Christian Heimes
christian at cheimes.de
Tue Dec 12 08:04:42 EST 2017
On 2017-12-12 02:17, Gregory P. Smith wrote:
> On Mon, Dec 11, 2017 at 12:26 PM R. David Murray <rdmurray at bitdance.com
> <mailto:rdmurray at bitdance.com>> wrote:
>
> On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft <donald at stufft.io
> <mailto:donald at stufft.io>> wrote:
> >
> > > On Dec 11, 2017, at 2:52 PM, R. David Murray
> <rdmurray at bitdance.com <mailto:rdmurray at bitdance.com>> wrote:
> > >
> > > If 2fa is required for contribution to CPython, I'll stop
> > > contributing.
> >
> > I’m curious why? I have it on and 99% of the time you don’t even
> > notice because you’re already logged into GitHub and pushes/pulls
> > don’t require it.
>
> I had to use 2FA when working for a corporate client, and it was
> very annoying. The fact that pushes and pulls don't require it
> helps, but also makes it considerably less important.
>
>
> Please Don't let /that/ experience color your 2FA opinion. Not everyone
> $random_corp does a good job of it.
>
> It does not have to be annoying. Github's and Google's are examples of
> 2FA done right that is not annoying (using U2F).
>
> But I suppose that fundamentally I do not want my security tied to a
> possession.
>
>
> *2FA doesn't need to be tied to a single possession.* You are not
> limited to a single second factor thing. You can have plentiful
> different two factor methods set up at once. This is normal. ex: A
> printed recovery code at the very least as a second second factor. Have
> multiple U2F USB tokens tied to your account? Yes. I do that all the
> time on all accounts.
>
> Heck, a photo/scan/screenshot of backup one time codes stored as a
> public image somewhere with no password authentication for the world to
> see on an http server still counts. As laughable as that is, it is
> *still* much better than not having 2FA enabled at all. Because it
> isn't going to be an automated attack at that point.
>
> /Any/ 2FA is much better than no 2FA.
>
> When (not if) your login/password is compromised, it is rarely your own
> fault. But your account and all of your data can be gone in a heartbeat
> as soon as anyone or anything malicious chooses to make it so on
> whatever selection of accounts they choose to victimize. Often
> irrecoverably. With 2FA enabled, that is much less likely to happen to you.
>
> Try it. You will remain happy.
>
> I recommend the https://www.yubico.com/product/yubikey-neo/ as a primary
> U2F token because it even works with Chrome on Android phones via NFC
> when you need to re-auth there. That is a more expensive one, there are
> $10-20 alternative vanilla U2F USB tokens. I have some of those as
> backups. The "nano" style keys that you just leave in the USB port of
> all computers you use regularly are also a nice solution. No need to
> find and pull out the key, it is just present in your computers (it
> requires a physical touch to prevent remote access).
>
> Which 2FA methods to choose is an individual choice, but in my
> experience since the U2F keys came out, I'm less inclined to use any
> service that doesn't support them as all other solutions are a worse
> user experience for me.
>
> IMNSHO, the PSF /should/ be able to buy one or two U2F tokens for any
> committer who needs them. This should not depend on a policy of 2FA
> use, it would just be a way to promote good security practices among
> committers to make us all better off.
+1
If you don't trust the closed-source Yubico hardware, there is plenty of
other hardware out there. https://www.nitrokey.com/ is good German engineering
with fully open-sourced hardware and software.
Adam has compiled a nice list of U2F and 2FA tokens, too.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html
Christian