repo-criteria-discuss

Re: Github and two-factor authentication


From: Greg Farough
Subject: Re: Github and two-factor authentication
Date: Wed, 18 May 2022 16:15:01 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)

On Sun, May 08 2022, Richard Stallman <rms@gnu.org> wrote:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> https://it.slashdot.org/story/22/05/04/2028211/github-will-require-all-code-contributors-to-use-2fa
> says that Github will require two-factor authentication.
>
> That's not inherently bad, and in the absence of injustice it could be
> a good thing.  However, in practice it seems often to be
> implemented by imposing a choice of injustice A, injustice B or
> injustice C.  For instance, requiring the user to run nonfree
> Javascript or other nonfree software.  Or requiring the user to have a
> mobile phone.
>
> Can people please see what methods GitHub allows, and whether any of
> them is acceptable?
>
> GitHub already gets a failing grade for requiring nonfree JS code to
> create an account.  According to my memory, it doesn't require nonfree
> JS code for usage once the account exists.  That's where this change
> could make GitHub quantitatively much worse.

As far as I can tell, they're going to allow people to use any program
implementing the TOTP (time-based one-time password) algorithm, which
is standardized. The nongnu.org program Oathtool is one of those
programs. <https://www.nongnu.org/oath-toolkit/>

It seems like you can pair whatever TOTP program you choose to your
GitHub account without using github.com and its nonfree JavaScript.
The situation might change when they actually start requiring
two-factor authentication, but it seems okay to me for right now.

(I refuse to have a GitHub account so couldn't test this directly, but
gathered it in a read through their documentation:
<https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github>)

-g

-- 
Greg Farough // Campaigns Manager
Free Software Foundation

Join the FSF and help us defend software freedom: https://my.fsf.org
