ryandrake 6 hours ago
These (for good reason) draconian policies are the reason I am still hesitant to embrace 2FA. I understand the significant improvement in your security posture, and I would not want someone not-me to be able to reset my credentials. But the failure mode is just too catastrophic. You lose one thing and you are shit out of luck. We need something better. I don't know what it would be.
|
saint_yossarian 5 hours ago
You can use a TOTP authenticator with backup support (I use Aegis on Android, and less critical ones in Bitwarden), and back up your recovery codes.
|
alwa 5 hours ago
I for one would appreciate the option to put an ID on file ahead of time, at least for important stuff like this. I like digital-only accounts for play, but for work stuff with real-world consequence, I’d like to link it to a real-world identity system… Not unlike the signature cards banks used long ago, I guess. Sure, maybe somebody motivated could defraud the government into issuing them a replacement ID in my name. But that’s big boy crime, not a casual “bribe a retail employee to SIM swap” kind of undertaking. Sure, there are issues of access to government ID systems, and I know anything touching government names / “show me your papers” raises hackers’ hackles—I’m not saying require it, just that I’d choose it if it were an MFA option of last resort.
eterm 5 hours ago
That's how you turn 2FA into single-factor authentication (the ID). GitHub is such a large attack vector for the whole planet that I understand their stance. GitHub supports a "recovery code" more secure than government ID. Print it out, store on USB, store on QR, etc., and stick it in at least one secure safe.
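The two comments above (saint_yossarian's TOTP-with-backups advice and eterm's point about recovery codes) describe the mechanics of a second factor and its offline fallback. The following is an added example written for this page, not code from any commenter, GitHub or Aegis: a minimal RFC 6238 TOTP generator, a server-side verifier that tolerates one step of clock skew while refusing to accept the same time step twice, and a recovery-code set where the server stores only SHA-256 hashes and each code works once. The base32 secret is the RFC 4226/6238 reference test key, included only so the code can be checked against the published vectors; every other value is constructed here.

```python
"""TOTP (RFC 6238) and single-use recovery codes; added example, not from the thread."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 4226/6238 reference secret "12345678901234567890" in base32 (published test key).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a 64-bit counter (RFC 4226 dynamic truncation)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the Unix-time step counter (what the authenticator app shows)."""
    return hotp(secret_b32, at // step, digits)


class TotpVerifier:
    """Server side: accepts a code within +/- `window` steps, never the same step twice."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest step counter that has already authenticated

    def verify(self, code: str, at: int) -> bool:
        counter = at // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay protection: a consumed step is not accepted again
            if hmac.compare_digest(hotp(self.secret_b32, c, self.digits), code):
                self.last_counter = c
                return True
        return False


class RecoveryCodes:
    """Offline fallback: the user keeps the plaintext codes, the server keeps only hashes."""

    def __init__(self, count: int = 8):
        self.plaintext = []  # hand these to the user once (print, QR, USB); never stored here
        for _ in range(count):
            raw = secrets.token_hex(5)  # 40 random bits, shown as xxxxx-xxxxx
            self.plaintext.append(f"{raw[:5]}-{raw[5:]}")
        self.unused = [self._hash(c) for c in self.plaintext]

    @staticmethod
    def _hash(code: str) -> str:
        # Normalise so "ABCDE-12345", "abcde12345" and " abcde-12345 " redeem the same code.
        normalized = code.strip().lower().replace("-", "")
        return hashlib.sha256(normalized.encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        """Consume a code; returns False for unknown or already-used codes."""
        candidate = self._hash(code)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)  # single use
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the RFC test secret:", totp(RFC_TEST_SECRET_B32, now))
    codes = RecoveryCodes()
    print("recovery codes to print and store offline:", codes.plaintext)
```

The verifier keeps `last_counter` rather than a list of used codes, which is enough because a code is bound to its time step; a real deployment would persist that value per user. Recovery codes are hashed with plain SHA-256 because they carry 40 bits of entropy and are consumed on first use, whereas low-entropy secrets such as passwords would need a slow hash.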
nerdsniper 5 hours ago
The issue is less about having an ID on file, and more about verifying ID. In a world of excellent real-time deepfakes, how would GitHub verify ID at scale? A fake ID is pretty easy to create, along with a fake face for a video chat where you can hold up your fake ID.
filearts 5 hours ago
An idea might be to require a financially meaningful deposit to pursue an account recovery like this. The deposit would be forfeit if the identity verification failed. Though now that I write this, it creates a perverse incentive for a company to collect deposits and deny account recovery.
joshmn 5 hours ago
> I for one would appreciate the option to put an ID on file ahead of time, at least for important stuff like this.

I'm at that point of agreement. I don't want to say "national SSO ID" because that can get really Orwellian obviously. Being able to put an ID on file is a reasonable ask.
em-bee 5 hours ago
A passport is Orwellian? I don't really get this fear of government-issued IDs. If your government is so bad that it will abuse IDs for surveillance, then your government is the problem, and not having a national ID is not going to protect you.
xp84 an hour ago
Someone explained this to me the other day in a way that helped me understand the concern better. Not already having a ton of easy and effective choke points on the whole citizenry (which such a card would eventually grow into due to its usefulness) is a safeguard against wannabe tyrants being confident they can crush dissent easily, and thus against them seizing power in the first place. Just like I wouldn’t steal a car with a manual transmission because I know I wouldn’t be able to drive it successfully, and certainly not well enough to outrun the consequences. If I were a fascist I’d be a lot more brazen if I knew that I could switch off every dissenter’s ability to travel, work, or even buy food, in an instant.
shermantanktop 5 minutes ago
What if you were a fascist who exercised influence over Experian and TransUnion, the airlines, and of course the TSA? The horse has left the barn already.