I just received an email from Github that they are now ofically begin to require users who contribute code need to have 2FA enabled.

Why isn’t password + email already sufficient? Why do I need to use a third FA to satisfy their requirements? Is it reasonable to feel stumped or angry about it?

Would like to hear your thoughts about this.

  • RovingFox@infosec.pub
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    1 year ago

    If I were to steal someones phone in public I will assume they have at least a bank app and multiple apps with their card saved for easy buying. By the time they get access to another device or their banks I get enough time to do a lot of damage. I can also save some credentials for later access after the waters settle. I doubt my victim will go through each of their accounts and change passwords. Most users use a Gmail account which has multiple ways to get access back, and most users don’t know how to check them and disable what they use and not use. I can easy setup a sort of backdoor in their email and gather more important information.

    You never know what important information you might store in your Github account. You have a donation link in your description? Would be a pity if I would change that link to my personal bank account and just divert some fund back in your bank account to not raise suspicion.