Comment by hobofan

1 day ago

> So you are ok with 2FA, right?

Yes. Are you not? It's one of the most effective measures to prevent a whole class of supply chain attacks. On Github the 2FA is also flexible enough to allow non-hardware passkeys, so you can choose a privacy preserving option with good UX.

1 comment

hobofan

Reply
Spunkie  17 hours ago

Last I looked a couple of years ago, GitHub 2fa has a lot of shoddy gotchas actually. There are a handful of GH issues on it with tons of comments.

For example it was impossible to remove/delete a phone number 2fa, even if you registered multiple other 2fa sources like security keys.