← Back to context

Comment by shevy-java

2 days ago

So you are ok with 2FA, right? If you contribute code there.

Now - what if you are not ok with it? What can you do?

> Almost offensively usable

I think you conflate two points here. One is how useable github is. The other is: control. At which point are you no longer ok with what a private company does? This is not solely about Microsoft alone by the way.

2 comments

shevy-java

Reply
hobofan  1 day ago

> So you are ok with 2FA, right?

Yes. Are you not? It's one of the most effective measures to prevent a whole class of supply chain attacks. On Github the 2FA is also flexible enough to allow non-hardware passkeys, so you can choose a privacy preserving option with good UX.

  • Spunkie  19 hours ago

    Last I looked a couple of years ago, GitHub 2fa has a lot of shoddy gotchas actually. There are a handful of GH issues on it with tons of comments.

    For example it was impossible to remove/delete a phone number 2fa, even if you registered multiple other 2fa sources like security keys.