#GitHubCannotCount

ティージェーグレェ teajaygrey@snac.bsd.cafe
2024-12-14
"GitHub noreply@github.com

Fri, Dec 13, 7:12 PM (12 hours ago)

to me

Hey [redacted]!

We're reaching out to let you know that, as announced last year, we have officially begun requiring users who contribute code on GitHub.com to have two-factor authentication (2FA) enabled.

Your account meets this criteria, and you will need to enroll in 2FA within 45 days, by January 27th, 2025 at 00:00 (UTC). After this date, your access to GitHub.com will be limited until you enroll in 2FA. Enrolling is easy, and we support several options, starting with TOTP apps and text messages (SMS) and then adding on passkeys and the GitHub Mobile app."

Fucking GitHub.

It's not 2FA.

2FA is two factors.

A username and a passphrase are already two factors!

Also see: Citadel BBSes, where they only asked for a passphrase (one factor authentication).

Well, unless SysOps turned on "paranoid mode" which then prompted for a username and a passphrase, thus: TWO factor authentication.

Whatever bull it.sh GitHub is on about again is MFA (Multi-Factor Authentication) but they're too fucking stupid to use the correct terminology and since they were bought by Micro$oft they're never going to get smarter, only dumber.

I remember dealing with something similar from them a year or two ago?

I enumerated, I think as many as six, possibly seven different authentication factors?

As it stands:

1. username
2. passphrase
3. often (but not always) when attempting to log in from a different IP/browser/whathaveyou it will send a "Verification Code" to the associated email address (so at least three, but maybe 4 depending on how you count)
4. SSH keys. When I checkout/clone a repository/branch/fork and push changes, it prompts me for an SSH key.
5. My SSH keys are also passphrase protected.
6. Passkeys are an option (apparently, I feel as if since I am already using no fewer than 4-5 authentication factors, adding 6 is starting to get fucking idiotic).
7. TOTP options? (That requires like: an app or a physical dongle/token, and apps also require phones, so that's really more like 8)
8. SMS/text messages aka Phone numbers (which also require a phone and a subscription/service so maybe more like 9) Moreover, given that EVEN THE FBI is recommending people STOP USING TEXT MESSAGES? THIS HAS TO BE THE FUCKING STUPIDEST IDEA EVER!

What was wrong with just sending a verification code to an SMTP address during login attempts like you have already been doing for fucking years?

I hate GitHub.

If you don't hate GitHub, I think: maybe you aren't experienced enough to understand why anyone would hate them.

But great, now I have 45 days to jump through some more bull it.sh because GitHub is staffed by absolute morons apparently.

Or maybe GitHub has been replaced by an LLM which can't count above two? Maybe that would explain it and their absolutely atrocious demeaning of terminology when more accurate terminology has existed for an awfully long time already.

Of course, GitHub aren't the only morons to misuse the phrase 2FA when they should be using the phrase MFA; but I don't tend to encounter the other morons insisting I enable 2FA when I am already using at least 4 authentication factors in any given code modification with their shitty hosted proprietary DVCS.

#GitHub #2FA #MFA #MultiFactorAuthentication #GitHubCannotCount #SecurityTheater #Bullshit
