Let Us Use Email For 2FA

[kuroodo]

I do not want to use my phone, an app, or my computer for 2FA. If anything happens to my phone or computer, I'm screwed. If anything happens to my backup keys/codes, I'm extra screwed. If someone gains access to either, I'm turbo screwed. Don't get me started on how easy it would be to gain access through mobile too, since all someone would need is my 4 digit unlock code.

If I have the authenticator on my computer, travel and decide to use another device to access my account: if I didn't also install the authentication app on this device nor brought my backup codes with me, I'm screwed. Email on the other hand can be used everywhere.

The majority of online services use email for 2FA, where a code is sent to your email. This is not only convenient, but just as secure for the most common email providers.

For example if someone wants to gain access to my email account, aside from having to figure out my email and password, they would have to go through a rigorous multi-step authentication check to make sure it's actually me. I would also receive notifications to my various devices, as well as to my recovery emails.

Please allow us to use email as 2FA. It's only fair since you're forcing us to do this.

[Kitteh6660]

Yes, this is a good solution. I really NEED this, as my phone died last week and I am scared that if it happens, I would be completely locked out of Github account.

[supervisitor]

Stand firm... but you should take a closer look at the alternatives now if you don't have any experience with them yet. I am also already in the process of clearing my account. (unlike, unstar, un..., delete all) 😉

[kuroodo]

I've already migrated all of my stuff to Gitlab. Was very straightforward and simple.
I think I'm going to also cancel my copilot subscription as well. Gitlab has their own AI code assistant tool as well.

[supervisitor]

Most and all important I host by myself, all other is now at Codeberg. Have fun and keep up the good work.

[supervisitor]

... one more:

=>> you should open a ticket for official support!

this is the one and only way they/GitHub/MS recognise the opinion of the user base.

[kuroodo]

I actually contacted support on the 28th of August. They replied to me on the 31st and to summarize what they said, they argued that

But if email is a 2FA factor, then email access is equally powerful for users with and without 2FA - access to email equals access to all factors of authentication for an account. For secure two-factor authentication, we require a completely different factor for 2FA, so that there is not a single point that allows compromising an account.

I replied to them explaining how this isn't exactly true, and how their current 2FA requirements would be no different to email in terms of protection and vulnerabilities. I also made sure to point them to concerns and complaints from its user base, as well as asking them to reconsider these measures for regular users.

It has been a week since my reply, and upon checking my ticket just now they had automatically closed it!

It appears that Github has made their decision and DOES NOT CARE what users think and does not feel like addressing any of our concerns. I have reopened the ticket and await their response. I will provide updates if they respond.

I've already migrated everything to GitLab. I will cancel my copilot subscription as well if my account gets locked by the deadline.

[kuroodo]

They just replied back. Here is the full reply.

For our purposes, GitHub defines the two factors in 2FA as "something you know" (your username & password combined as your account credentials) + "something you have" (a TOTP app, SMS number, security key, passkey, etc.). We strongly encourage users to set up multiple authentication factors whenever possible, as a general practice and as a means of recovery if necessary.

Using a secondary email address falls back into the same band as "something you know" category, rather than "something you have" that generates a time-sensitive token based off of a stored secret. You've outlined all the ways that you could potentially lose access to a device or physical security key (which is again why we encourage users to configure multiple factors which can be invalidated if lost and/or used for recovery purposes), but it stands to reason that it's also possible that your secondary email account could become compromised as well.

GitHub will continue to improve upon and provide additional authentication options as we move forward, but we have no plans to implement secondary email as an authentication method or to change course on our decision to enforce 2FA.

Someone please correct me if I am mistaken. There is no difference between getting a time-sensitive token via, for example, SMS and email. They also contradicted themselves by equating their required 2FA methods and email 2FA, stating that both can be equally compromised. So why the hell would they not allow us to use email as 2FA?

They also mentioned that I should configure multiple factors. I'm not some security firm or big organization that has the resources or expertise to manage all of this. I'm just a regular user. I don't want to go through all of that hassle, nor do I have a need for so much damn security.

[supervisitor]

... the real reason: they wants to know your mobile number. email addresses you use one or more, you do change it like your needs, but with your mobile they can match your profile more exact than any other selector, because your mobile you do not change much to often! 😉

[joeyipjoeyip]

Exactly!

[avinmaster]

GITHUB PLEASE DON'T ENABLE F@CKING 2FA!

[metux]

Github did a bad job in communicating the options, and they just overran millions of users by their rude rollout enforment.

Actually it's quite easy to do it from a plain pc this way:

https://github.com/orgs/community/discussions/49715#discussioncomment-7068931

It's a bit annoying, but managable. You don't need any extra devices or apps. Standard Linux tools are sufficient.

[kuroodo]

Lol I shouldn't need to have to install and set up 50 different things just to use GitHub. I'm not some big firm nor require maximum security.

Neither do I want to limit my account access to a single system, and neither do I want to risk completely losing access to my account if something happens to my system holding my 2fa or I lose my backup keys.

I left for GitLab. They have email 2FA

[PiKeyAr]

I also left for GitLab.

metux, it's not about how easy it is to set up 2FA or how well it was communicated, it's the fact that 2FA is now mandatory and not opt-in. This is unacceptable.

[metux]

Yes, the actual problem is how they're doing it. And that certainly leaves it traces, we won't forget that, and won't trust them ever.

I've actually considered renting lots private repos as well as asure compute resources, but now I'm done with that.
This company has proven itself at unreliable and not trustworthy.

[PiKeyAr]

We’re sorry to hear you’re not interested in taking advantage of the protection 2FA provides, but we appreciate your feedback. GitHub has determined, on the basis of your account’s contributions and their importance to the software ecosystem, that your account requires 2FA. There are currently no exceptions to this requirement.

If you do not enable 2FA within the 45 day setup period, and allow the 7 day grace period to expire, you will not be able to access the web UI of GitHub.com any longer. If you attempt to access the website, you will be asked to enable 2FA before proceeding.

Tokens that belong to your account (Personal Access Tokens, as well as OAuth tokens issued to applications to act on your behalf) will continue to function since some critical automation depends on those tokens. Enabling 2FA does not revoke or change the behavior of tokens issued for your account. However, locked accounts will not be able to authorize new apps or create new PATs until they've enabled 2FA.

    Why isn't email 2FA an option?

Your account's email address is already used for password reset, which is a form of account recovery. If an attacker has access to your email inbox, they can reset the password for your account and pass the email-based device verification check, effectively reducing your account's protection to a single factor (email inbox access).

We require a second factor to prevent this scenario, meaning that second factor must be distinct from your email inbox. When you enable 2FA, we will no longer perform email verification on login.

You can find additional information about our decision to require two-factor authentication [here in our documentation](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-mandatory-two-factor-authentication).

This ticket will be closed without further response, but we’re happy to help if you decide to enable 2FA and need specific assistance with [that process](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication).

Best regards,
GitHub Support

Unbelievable.

[kuroodo]

If an attacker has access to your email inbox, they can reset the password for your account and pass the email-based device verification check, effectively reducing your account's protection to a single factor (email inbox access).

Lol what a load of bull. Even if an attacker somehow managed to get my email password, they still wouldn't be able to log into my email account without going through some authentication steps which would also send alerts to all of my devices AND to my other emails of the attempted login. So even if an attacker gained access to my computer's files (say through a malicious file), they still wouldn't be able to get direct access to my account unless through my own computer. So really there'd only be a single vector of attempted attack.

Whereas with 2FA, all an attacker needs to do is trick me into gaining access to my computer or phone, or services provider to give access to my sim. Unlike email, that's it. No further steps required. Worst yet, they now have another vector of attack which is to gain access to the security/backup codes.

[kuroodo]

What I find hilarious too is, for example, Epic Games allows email 2FA despite how prone it is of a target for hacks and attacks. I'm talking accounts used for actual commercial products using Unreal Engine here.
Someone gaining access to your Epic Games account would mean that the attacker would have access to all of your Unreal marketplace library, and probably any published marketplace assets. If they change your password, you could potentially lose access to thousands+ dollars worth of assets and more.

Epic isn't an idiotic company and trusts users with the ability to leave their accounts secure. It's insane that Epic allows email 2FA but Github doesn't.
Hell, google doesn't even require 2FA for the Google Play Developer Console. If someone gains access to this, I would be absolutely f*****. I have not yet had any security issues with my developer account in the past 5 years. Why? Because like I mentioned earlier even if you managed to somehow get my password, one does not simply log into my gmail account with just my email and password.

[PiKeyAr]

It's absolutely insane they have the balls to respond like that. They treat their users as complete idiots. The same reasoning they use to dismiss email 2FA as insecure could apply to SMS, which they happily allow.

It's also so ironic that they're only restricting access to the website. They're cutting off people from discussions, issues etc. BUT they'll still allow the old auth tokens!

I don't doubt there are deeper reasons behind this decision, which they aren't willing (or legally allowed) to talk about. F Microsoft and everyone who supports this crap.

P. S. This discussion was closed because apparently it's "self promotion" LOL. The repo isn't even mine, I just forked it! Talk about grasping at straws.

[PiKeyAr]

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⡄⢻⡆⠀⠀⠀⠀⠻⣦⡿⢰⡟⠀⠀⠈⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⡄⢿⡆⢀⣤⣤⣤⣿⠃⣿⠁⠀⠀⢠⣿⠀⢀⣠⣤⠶⠶⠶⡶⣤⣀⢀⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢿⣌⣿⣿⣿⣿⣿⣿⣾⣿⣶⣶⡶⢾⣿⡶⠟⠉⠀⠀⠀⠀⠀⠈⢻⣏⣿⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣀⣀⣀⣀⣿⣿⡿⠛⠋⠀⠀⠀⠀⠈⠙⠻⢿⣅⠀⠀⠀⢀⣀⣠⣤⣤⣤⣤⣿⣿⣧⣤⣄⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⢀⣀⣠⣴⠿⣯⠉⠉⠉⠉⢉⣽⠟⠀⠀⠀⠀⣀⣠⣤⡴⠶⠶⢦⣿⣷⣶⠟⠋⠉⠉⢉⣀⣠⣤⣤⣶⣾⣛⣛⣛⣷⡄⠀⠀⠀⠀
⠀⢀⣴⠟⠉⠉⠀⠀⠹⣇⠀⠀⣠⡟⠁⠀⢀⣠⡶⠟⠋⠉⠀⣀⣀⣠⣤⣤⣿⣿⣷⣴⠶⢟⣻⣿⠿⣻⣿⣿⣿⣿⠛⠟⠻⠳⣦⠀⠀⠀
⡾⠛⠁⠀⠀⠀⠀⠀⢸⡇⠀⣼⠏⠀⠀⠀⠛⠉⠀⣠⣤⡶⢟⣿⡿⠿⠟⠛⠛⣛⣿⣿⣿⣛⣩⡴⠟⢻⣿⣿⣿⣿⣿⣆⣀⣼⡟⠀⠀⠀
⣷⠀⠀⠀⠀⠀⠀⠀⢿⣇⣰⣿⠀⠀⠀⠀⢀⣴⠟⠉⣡⡾⠛⠁⣀⣤⣶⣾⣿⣯⣉⠁⢉⣿⠉⠀⠀⣿⣿⣿⣿⠿⠿⠛⣹⡿⠀⠀⠀⠀
⠸⣧⠀⠀⠀⠀⠀⠀⠀⢹⡏⠛⠀⠀⠀⠀⠛⣡⡶⠟⢋⣤⡶⠛⢫⣿⣿⣿⣿⣿⣿⣷⠾⣿⠟⠛⠛⠛⠉⠁⠀⠀⠀⣰⡟⠀⠀⠀⠀⠀
⠀⣿⠀⠀⠀⠀⠀⠀⠀⢘⣿⠀⠀⠀⠀⠀⠘⠿⠿⠟⠿⠷⣤⣤⣼⣿⣿⣿⢿⣟⣫⣥⠾⠋⠀⢠⣄⣀⣀⣠⣴⠶⠿⢯⡀⠀⠀⠀⠀⠀
⠀⢿⡄⠀⠀⠀⠀⠀⠀⠘⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⠶⡶⠾⠿⠿⠿⠟⠛⢋⣽⠟⠀⠀⠀⠈⠉⠙⠛⠋⠀⠀⠀⠀⠹⣦⡀⠀⠀⠀
⠀⠈⣿⠀⠀⠀⠀⠀⠀⠀⢻⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣴⠾⠛⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣸⣷⡄⠀⠀
⠀⠀⣿⡆⠀⣀⣠⣤⡀⠀⠘⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣀⣤⣴⠶⠟⠋⢉⣼⠇⠀⠀
⠀⠀⠸⣷⡾⠋⠁⠘⣷⠀⠀⢹⡇⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣤⣤⣤⣤⣤⣤⣤⣤⣤⣶⠶⠛⠛⠛⠋⠉⣀⣀⣤⣴⠞⢻⣿⠀⠀⠀
⠀⠀⣼⠏⠀⠀⠀⠀⣿⠀⠀⠈⣿⠀⠀⠀⠀⠀⠀⢠⡾⠟⠉⠉⠉⠉⣉⣉⣉⣉⣩⣤⣤⡴⠶⠾⠿⠛⠛⠛⠉⣉⣁⣤⣴⠾⠃⠀⠀⠀
⠀⢸⡏⣠⣄⣠⡀⠀⣿⠀⠀⠀⣿⠀⠀⠀⠀⠀⠀⢿⡅⠀⠲⠛⠛⠛⠛⠋⠉⠉⣉⣀⣤⣤⣴⣶⠶⠶⠶⠞⠛⢛⣿⣏⠻⣦⡀⠀⠀⠀
⠀⠈⣻⡟⢸⣿⣥⣴⠏⠀⠀⢠⡿⠀⠀⠀⠀⠀⣀⠈⠻⠷⠶⠶⠶⠶⠶⠶⠟⠛⠋⠉⠀⠀⠀⠀⠀⠀⠀⢀⣴⠟⠁⢻⣆⠘⢷⣄⠀⠀
⠀⣰⡟⢀⣾⡏⠀⠀⠀⠀⠀⢸⣇⠀⠀⠀⠀⠀⠙⠷⢶⣤⣤⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢻⣿⠀⠀⠀⠙⢷⡄⠻⣦⡀
⢰⡟⢀⣾⢻⡇⠀⠀⠀⠀⠀⠈⢿⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣸⡇⠀⠀⠀⠀⠈⠻⣦⡈⢷
⡿⢠⡿⠃⢸⡇⠀⠀⠀⠀⠀⠀⠈⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⣠⡾⠛⠻⠷⢿⡇⠀⠀⠀⠀⠀⠀⠈⠻⣦
⣳⠟⠁⠀⢸⣷⠀⠀⠀⠀⠀⠀⠀⣿⠀⢀⣀⣀⣀⠀⢀⣤⣶⠶⠶⣶⣶⡶⣶⡿⣯⣉⢩⡿⠋⠀⠀⠀⣀⣿⡇⠀⠀⠀⠀⠀⠀⠀⠀⠘
⠏⠀⠀⠀⠸⣿⠶⢦⣤⠶⠶⠾⢛⣿⠟⠛⠋⠉⠛⠛⠛⠉⠻⣦⣰⡟⢻⣦⣿⣦⣬⣿⣿⢵⣶⣶⣟⣻⡋⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⢸⣇⣀⣀⣀⣀⣀⣸⣇⢀⣀⣀⣀⣤⣤⣴⣶⡶⠾⣿⣿⣿⠀⠀⢻⣶⣶⠄⢺⣿⠿⠿⠿⠇⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⢸⣿⣽⣭⣭⣽⣟⢻⡟⢻⣿⣯⣭⣤⣤⣤⣄⠰⣿⣿⡿⠿⣦⣀⣾⠃⠀⠀⠀⠀⠀⠀⠀⠐⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠸⣿⠉⠛⠛⠛⠛⢸⡧⠙⠉⠉⠉⠉⠉⠉⠁⠀⠀⠀⠀⠀⠈⠙⠁⠀⣀⣀⣠⣤⣶⠾⠟⠛⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

[ghost]

Github doesn't give a fuck about their users, move to a different vendor like Gitlab and don't let their garbage policy fly.

[kuroodo]

I have a day or two before my account gets permanently locked forever. Just want to say it's been fun while it lasted. While I only contributed to projects by participating in issues, feedback, and bug reporting, I was really looking forward to actually contributing code for the first time aside from my own open source projects. Guess I'll do that via projects hosted on GitLab. It's still a big shame though.

I've moved to GitLab, and replaced Copilot with Codeium (better than copilot anyway, and free).

[XenoTheStrange]

I was permanently locked out of my Microsoft account and lost all purchases due to 2fa using mobile, I don't want to take that risk on github. At least allow verification via email if you're going to force this nonsense.

I have more than one email address, by the way. Github doesn't need to worry about me reusing my password-reset email for their forced 2fa.
The "passkey" option might be an ok alternative since I can still use my password manager as normal.

[avinmaster]

Stop that shet, remove this requirement.

[Prurite]

Stop that shet, remove this requirement of phone 2FA app / SMS on a limited country list only