GitHub 2FA violates the American Disability Act

[righthalfplane]

Select Topic Area

Question

Body

GitHub 2FA violates the American Disability Act as there appears to be no simple automatic way for a disabled person who can not use or has no phone to use 2FA. If there is a simple way - what is it ?

[DNin01]

Well, the good news is there are also desktop apps such as KeePassXC out there. Maybe one of those would be a good fit.

You might also get some value out of GitHub's 2FA FAQ.

[62f]

The foolish man built his house upon the sands

and the house came tumbling down.

[62f]

To be penultimately clear, I haven't had ANY trouble using authentication apps. My apparent problem is with and only with GH's sucky RE-onboarding of existing users like they're nothing more a jar of pests such as botfly maggots. But I will chase down the 2FA engines to see if any of them can actually read the tld-uri of sites we're attempting to log into, without upsetting GH's Inquisition.

[righthalfplane]

I looked at KeePassXC just how does that help ? It appears to be a simple password manager.

[DNin01]

Yeah, it is, but I do believe there might be extensions that add TOTP (authenticator app) functionality to it. I haven't looked into it, though.

Cloud-based password managers such as 1Password and Bitwarden also support TOTP but are paid. I'd also advise setting up 2FA for a cloud-based password vault if you do use the TOTP feature.

[linuxlawson]

KeePassXC is pretty simple once you get it set-up.

Here is a Good Tutorial for using KeePassXC as your Authenticator App: KeePassXC Tutorial

[62f]

You gloss over a step as if it's trivial: to install, which it's not.

```fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86/APKINDEX.tar.gz fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86/APKINDEX.tar.gz (1/5) Installing libpcap (1.10.1-r0) (2/5) Installing talloc (2.3.3-r1) (3/5) Installing freeradius-lib (3.0.26-r0) (4/5) Installing gdbm (1.23-r0) (5/5) Installing freeradius (3.0.26-r0) Executing freeradius-3.0.26-r0.pre-install Executing freeradius-3.0.26-r0.post-install Executing busybox-1.35.0-r17.trigger OK: 36 MiB in 45 packages

~ # apk add keepassxc
(1/79) Installing hicolor-icon-theme (0.17-r1)
(2/79) Installing icu-data-full (71.1-r2)
(3/79) Installing libmagic (5.41-r0)
(4/79) Installing file (5.41-r0)
(5/79) Installing libxau (1.0.9-r0)
(6/79) Installing libxdmcp (1.1.3-r0)
(7/79) Installing libxcb (1.15-r0)
(8/79) Installing libx11 (1.8-r1)
(9/79) Installing libxext (1.3.4-r0)
(10/79) Installing libice (1.0.10-r0)
(11/79) Installing libuuid (2.38-r1)
(12/79) Installing libsm (1.2.3-r0)
(13/79) Installing libxt (1.2.1-r0)
(14/79) Installing libxmu (1.1.3-r0)
(15/79) Installing xset (1.2.4-r0)
(16/79) Installing xprop (1.2.5-r0)
(17/79) Installing xdg-utils (1.1.3-r3)
(18/79) Installing dbus-libs (1.14.8-r0)
ERROR: Failed to create usr/lib/libicuuc.so.71.1: Connection aborted
ERROR: icu-libs-71.1-r2: IO ERROR
(20/79) Installing libpcre2-16 (10.42-r0)
(21/79) Installing qt5-qtbase (5.15.4_git20220511-r2)
(22/79) Installing mesa (21.3.9-r0)
(23/79) Installing libpciaccess (0.16-r0)
(24/79) Installing libdrm (2.4.110-r0)
(25/79) Installing expat (2.5.0-r0)
(26/79) Installing wayland-libs-server (1.20.0-r0)
(27/79) Installing mesa-gbm (21.3.9-r0)
(28/79) Installing mesa-glapi (21.3.9-r0)
(29/79) Installing wayland-libs-client (1.20.0-r0)
(30/79) Installing libxfixes (6.0.0-r0)
(31/79) Installing libxxf86vm (1.1.4-r2)
(32/79) Installing libxshmfence (1.3-r1)
(33/79) Installing mesa-gl (21.3.9-r0)
(34/79) Installing qt5-qtdeclarative (5.15.4_git20220514-r1)
(35/79) Installing libxcomposite (0.4.5-r0)
(36/79) Installing brotli-libs (1.0.9-r6)
(37/79) Installing libbz2 (1.0.8-r1)
(38/79) Installing libpng (1.6.37-r1)
(39/79) Installing freetype (2.12.1-r0)
(40/79) Installing fontconfig (2.14.0-r0)
(41/79) Installing wayland-libs-cursor (1.20.0-r0)
(42/79) Installing wayland-libs-egl (1.20.0-r0)
(43/79) Installing pkgconf (1.8.1-r0)
(44/79) Installing xkeyboard-config (2.35.1-r0)
(45/79) Installing libxml2 (2.9.14-r2)
(46/79) Installing libxkbcommon (1.4.1-r0)
(47/79) Installing qt5-qtwayland (5.15.4_git20220511-r0)
(48/79) Installing mesa-egl (21.3.9-r0)
(49/79) Installing avahi-libs (0.8-r6)
(50/79) Installing gmp (6.2.1-r2)
(51/79) Installing nettle (3.7.3-r0)
(52/79) Installing p11-kit (0.24.1-r0)
(53/79) Installing libtasn1 (4.18.0-r1)
(54/79) Installing gnutls (3.7.7-r1)
(55/79) Installing cups-libs (2.4.2-r2)
(56/79) Installing graphite2 (1.3.14-r1)
(57/79) Installing harfbuzz (4.3.0-r0)
(58/79) Installing libevdev (1.12.1-r0)
(59/79) Installing mtdev (1.1.6-r0)
(60/79) Installing libinput-libs (1.20.1-r0)
(61/79) Installing libjpeg-turbo (2.1.3-r1)
(62/79) Installing xcb-util-wm (0.4.1-r1)
(63/79) Installing xcb-util (0.4.0-r3)
(64/79) Installing xcb-util-image (0.4.0-r1)
(65/79) Installing xcb-util-keysyms (0.4.0-r1)
(66/79) Installing xcb-util-renderutil (0.3.9-r1)
(67/79) Installing libxkbcommon-x11 (1.4.1-r0)
(68/79) Installing qt5-qtbase-x11 (5.15.4_git20220511-r2)
(69/79) Installing qt5-qtsvg (5.15.4_git20220511-r0)
(70/79) Installing qt5-qtx11extras (5.15.4_git20220407-r0)
(71/79) Installing argon2-libs (20190702-r1)
(72/79) Installing libgomp (11.2.1_git20220219-r2)
(73/79) Installing sqlite-libs (3.40.1-r0)
(74/79) Installing botan-libs (2.19.1-r1)
(75/79) Installing minizip (1.2.12-r0)
(76/79) Installing pcsc-lite-libs (1.9.6-r0)
(77/79) Installing libqrencode (4.1.1-r0)
(78/79) Installing libusb (1.0.26-r0)
(79/79) Installing keepassxc (2.7.1-r0)
Executing busybox-1.35.0-r17.trigger
Executing eudev-3.2.11-r0.trigger
1 error; 168 MiB in 123 packages
~ # ```

What's worse is the support option:

Idiots!

[DNin01]

There are also browser extensions that have TOTP (authenticator app) functionality.

[righthalfplane]

The "KeePassXC Tutorial" was worthless - much too complicated - I needed a 10 line explanation which I found a minute of a 20 minute uTube video - to actually help people you need to make it as simple as possible and only tell what they need to know.

[ghostinhershell]

Hey @righthalfplane, I'm glad that you were able to find a video that pointed you in the right direction!

[FogoVoar]

What world are these people living in, since when did we start trusting passwords to third-party browser extensions?
This makes absolutely no sense, the whole 2FA thing should be optional, to be used by the tiny number of users who consider themselves security geniuses because they don't need to store their passwords in their own heads.

[benjiallen]

Hi @righthalfplane, thanks for the feedback.

Have you been able to resolve the issue you noted in the opening post? To be specific, are you able to sign into GitHub with 2FA?

If you're still having trouble, I'd love to learn more about the issue you are having. Are you looking for a 2FA solution which doesn't involve a mobile phone? If I have understood your problem correctly, Configuring two-factor authentication is a useful doc with a lot of options. I spotted a couple of options which help:

1. Security keys do not require a mobile app
2. Using a password manager which supports 2FA secrets or passkeys, and has a desktop client is another option

[kuroodo]

I recommend migrating your account to GitLab, which allows importing repos from GitHub. They do not force 2FA on their users like GitHub does. They also have email 2FA which in my opinion is the best and most secure form of 2FA for the average user.

[ghostinhershell]

Hey there @62f,

Are you having trouble opening the URL provided on your end? GitHub's Docs are public, and don't require you to sign in in order to view them.

[62f]

Hey there @62f,

Are you having trouble opening the URL provided on your end? GitHub's Docs are public, and don't require you to sign in in order to view them.

Nah, not a single issue. And the help button at the bottom? Just transports me to 2FnarniA-Land.

[ghostinhershell]

Hi @righthalfplane,

Just wanted to see if you got @benjiallen's message above and if the issue that you first reported when opening this discussion has been resolved?

If not, we'd like to learn more about the issues that you're having and any roadblocks that you're facing.

[62f]

@ghostinhershell dear Contact GitHub Support, is behind this:.

[62f]

Thanks so good :)

What's worse is that after feeding the Authenticator-du-jour its QR-code-Meal 🥘, and pressing the button to prettify and lint the recovery hashedy-hashes into a selectable/copy/paste í-frame, there's not á shadow of evidence of what to do next. So i'm gumped into pressing the back arrow, which stærts the infernal process all óver anew.

[62f]

LoL no, they aren’t. They might do equally as well be behind a paywall.

On Fri, Oct 13, 2023 at 8:53 AM Sarto Jama ***@***.***> wrote: Hey there @62f <https://github.com/62f>, Are you having trouble opening the URL provided on your end? GitHub's Docs are public, and don't require you to sign in in order to view them. — Reply to this email directly, view it on GitHub <#68928 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQJKVJJLXGG2DWVYZCJVF63X7FBU5ANCNFSM6AAAAAA5OLL4BQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>


[62f]

Tried to reply but was greeted with this: Anyway I’m already on GitLab as a code contributor for Alpine, out of necessity. The 500lb 🦍 in the room is that I’ve used GH for my GL login for quite some time now, and you suggest migrating but there’s nothing to migrate! 2FA was reported to be intended as a ˋnih!´ for the knights, I mean, 'coding contributors' ONLY and their kinsmen, I mean co-pilots, or whatever- but to I myself who hadn't EVER contributed a single scrap of code and is just a droll little beta tester, repository cloner/builder/compiler and technical-issue reporter, 2FA ˋshrubbery‘ was never said to been appearing. TK;DR But NOW I'm being locked out, & I'm almost certain there're others. Repeating in English : I can’t write code to save my life, nor would I try. But the devs I must deal with on GH do code, and many chose to fight the 2FA demon and remain bottled up in here. Are you also those and their coconspirators into the GL-cornfield, TOO, or are they simply trying to get away from their codeless counterparts?

…

On Fri, Oct 13, 2023 at 7:38 AM kuroodo ***@***.***> wrote: I recommend migrating your account to GitLab, which allows importing repos from GitHub. They do not force 2FA on their users like GitHub does. They also have email 2FA which in my opinion is the best and most secure form of 2FA for the average user. — Reply to this email directly, view it on GitHub <#68928 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQJKVJONPG7E4SBWOXT2I2LX7EY4XANCNFSM6AAAAAA5OLL4BQ> . You are receiving this because you commented.Message ID: ***@***.***>

[AwokeKnowing]

I recommend everyone leave github

They are now just become bullies and another Microsoft app.

They are unfit to host the open source community's work. Now they don't even let you decide how to authenticate. they force you to tie your account to SMS or some app.

Move on.

Github has lost it's way.Forcing 2fa against dev's will is EXACTLY the kind of behavior that made MS infamous. Why kill github? why don't you get it? MAKE 2FA OPTIONAL

[62f]

Dear @AwokeKnowing (James D Morris). RtfWm. Generally this entire 🧵 but more specifically the contributors' response to me, who suggested that I migrate to GitLab. So your latter contribution here's basically a double-post echoing exactly that solution. Problem I'm having with that is: that I've ALREADY done that LONG AGO before 2FA requirement and my GL authentication relies on LOGGING IN TO GH. tL;dR, I am also unable to 🪵in to my GitLab account.
We were told that GH 2FA would be optional until and unless we contributed code to any GH project. Well I cannot code, I'm just an old scriptkiddo, have never written an ounce of code except for myself, by myself, and to myself. I had this exact same problem with Twitter when it went totally Dark-Web and for my unrequited efforts received a lifetime BAN from that board. I Can still log in to 'X', but cannot post, cannot like, share, reply, nor change ANY of my account preferences/settings, and when I log in it tells me that I am persona-non-wanted 'because I broke the "X Rules" , which is a bald face lie because when I was banned X didn't even exist and Elon Musk wasn't even considering purchasing it. Nevertheless I figured that he would and was bending the bejeebus out of his ear. That's how much insider info I deduced on my own. I'm 100% fine with being in eternal damnaXion but the real issue I'm suffering from is the other UNRELATED websites which I used Twitter account for as authentication. Due to my lifetime exile, I CANNOT use those anymore either. Super unfair, but its life-support is from ads, and I can still read posts (but neither share nor follow, and the 2FA works so I couldn't care less. on to the crux of the matter:
GitHub's 2FA problem isn't with their decision to use authenticators to read QR codes, I'm a test pilot and my specialty is workarounds, which often involves retrograding. And I'm the best at what I do because I pick and choose my battles carefully. But this is being thrust at me, and it's do or die. The 2FA requirement sets a cookie whether based on my username only whether or not the password is correct, and sometimes it doesn't even take a password attempt to SET the permanent cookie. I thought that incognito mode would solve the problem but it didn't, doesn't help at all, and thereforetowithafter I am fresh out of ideas. Doesn't matter whether SMS charges people per text or not, because of they've got a plan with unlimited texts then regardless, they're still paying their ce££ s€₹vi¢€ ₽₹ovid€₹$ a ₽₹€mium that €xt₹a ¢a₽a¢it¥, which pits my clipboards' shorter than a goldfish-memory marathon memory against the fake-surveylike inquisitional: "Remember me and my devices so I won't have to reauthenticæt myæslf?" with them trying my patience to beat their 15 second timeout clocks while delivering only 5 minute mémorisations, ruins any coste-ffectiveness with negative gains in a NY- hurry.
To Do: include comprehensive TL;DR version of above truth tables.

[ghostinhershell]

Hey there @righthalfplane,

In response to this discussion post, and for anyone else that does have concerns about the accessibility of requiring two factor authentication when accessing GitHub, our Accessibility team has amended the Two Factor Authentication Frequently Asked Questions 🔑 🗝️ post to include the following heading: What options do you have for users who rely on assistive technology and users with accessibility requirements?. I'll also include the text here for reference:

GitHub provides numerous options for two-factor authentication (2FA), and these provide a wide range of flexibility for users with disabilities.

GitHub strongly recommends the use of time-based one-time password (TOTP) applications. There are a variety of TOTP applications for desktop and mobile devices. Users can do their own research to find a TOTP application that best meets their accessibility needs. To get started, search for “TOTP app” in your browser. You can also refine your search by adding keywords like “free” or “open source” to match your preferences.

If you have a mobile phone and live in a region where we support SMS messages, getting set up with SMS does not require any additional apps, and you can rely on the assistive technology you already have on your mobile device.

If efficiency is important to you, consider using passkeys to sign in after you’ve configured 2FA. Passkeys allow you to sign-in with very few steps as they meet both password and 2FA requirements. Using passkeys in conjunction with your preferred password manager enables a fast and efficient experience across all your devices.

Questions and feedback about the accessibility of a third-party application should be directed to the application provider. If you have feedback about the accessibility of GitHub products, please connect with our community using the accessibility community discussions page.

Thanks!

[62f]

You think a blind person's going to want to read and understand all that, especially with all the colloquialistic-technobabbly TerminologicalAlphabetSoup like " 'phishing' "?
(Source)

[62f]

Anyway, it's totally&utterly irrelevant.

[righthalfplane]

HI @ghostinhershell ,

Your answer is meaningless double talk - you say, with no proof, that you have them covered - Post the a address of a page that a blind person can use to generate the 2FA and use it - off course it means nothing until a few blind people verify that with no other help that they could actually get things working.

[benjiallen]

@righthalfplane do you have a particular barrier you are encountering, or do you just dislike 2FA and are hypothesizing about potential accessibility issues? It's hard to tell from your feedback.

It would be very helpful if you could point out a specific issue which you have encountered.

I believe I've addressed the original question you had in the opening post. See my advice above.

[t-ranalli]

Hi @ghostinhershell,

The policy you link to states that code contributors are required to use 2FA but @righthalfplane said they don't write code; they're a tester. Is there a way to adjust the setup of @righthalfplane's Github account from Github's end so they're not required to use 2FA?

[62f]

HI @ghostinhershell ,

Your answer is meaningless double talk - you say, with no proof, that you have them covered - Post the a address of a page that a blind person can use to generate the 2FA and use it - OF* course, it means nothing until a few blind people verify that with no other help that they could actually get things working.

[righthalfplane]

Yesterday afternoon while I was searching for something (I should have saved it, but I was searching for something else), I ran across a email from a blind person who was complaining that people would not point him at the things that he actually need - so he wasted much time. THAT is what people did to me. I have been on the "internet" since February 1976 and I have written network applications for Los Alamos National Laboratory. I wasted 3 or 4 hours getting things to work, because I do not have a cell phone.

Like I said above -

The "KeePassXC Tutorial" was worthless - much too complicated - I needed a 10 line explanation which I found in the middle of a 20 minute uTube video.

The changes of a non expert working this out on his own is just about zero or even given help like I got - he would need a lot of persistence and some luck to get things going. There are other thread here where people document their problems and have failed at their last post.

You have taken a blind person into HomeDepot and said there you have everything you need to build your house - go to it.

[VIPLightning]

Seeing the staff's copy/pasted response is honestly pretty sad. What's worse, when a blind person is told to read the steps or guides with no clear direction on where to start or even how to get 2FA to work. My sympathy for people with disability. As I write this I now only 2 days of grace period until my account is locked forever because I refuse to enable 2FA. The moment you force people including me to use 2FA is the moment you crossed the line by telling us we can't access our data despite knowing our login because "screw you - that's why"

[62f]

•The moment you force people including me to use 2FA is the moment you crossed the line by telling us we can't access our data despite knowing our login because "screw you - that's why"

Now see here... I've been taking people to task on social medias eg.ie. YouTube, et.Al., and as anyone may (if investigators can still read them) determine (as per all my previous posts

clearly referencing only those in this thread, so focus, picky trolls-dearest, focus

), from which 'side' of this issue (if there are indeed any distinguishable sides to adopt) for whom I'm waging battle (Autobots and Decepticons, not so much are we yet)... and so as such am confined to express that the argument in question: being built upon incumbency of (insert adjective of import)-data, the relevance of those precious, ('existing', 'disappearing forever' accounts which are being irreversably-affected by the @dearly-afflicted
DOES INDEED SOUND EXACTLY LIKE A SOCIAL ENGINEER'S ATTEMPTS TO HACK INTO SOMEONE ELSE'S ACCOUNT.

So please, don't come dressed up as the exact thing of whom we're supposed to be fighting against here.
As long as someone similar to myself is around (and there are more of 'us' every day), you WILL be discovered;
C. the 'we' of "us", We are many. And from all of 'us' to the honest Abes trying to shift sentiment in their favor by preaching a revised Gettysburg Address, keep your personal emotional baggage out of the debate. It, both in the superlative sense and at the very least, is counterproductive.
-TYFSOK.

[62f]

In my line of work, it's now referred to as a "Sterile Cockpit". You caused pilot overload, and got the same response I would've given to any other crew member. Let it be done on earth as it is in the Heavens, we bray.

[VIPLightning]

DOES INDEED SOUND EXACTLY LIKE A SOCIAL ENGINEER'S ATTEMPTS TO HACK INTO SOMEONE ELSE'S ACCOUNT.

Funny now that you mention that. If that really was my purpose, I would be a billionaire and wouldn't be here. But do tell me where exactly in your right mind you jumped to that conclusion. When did suddenly become a thing where one is not supposed to have emotions put in this writing? Would you rather I type like an NPC instead? I really gotta see this and look forward to your answer while I'm sipping tea.

[62f]

DOES INDEED SOUND EXACTLY LIKE A SOCIAL ENGINEER'S ATTEMPTS TO HACK INTO SOMEONE ELSE'S ACCOUNT.

Funny now that you mention that. If that really was my purpose, I would be a billionaire and wouldn't be here.

So what you're

dumb enough to be

admitting is: that if emotional responses were nickels...? Or is it something much more complicated?

[62f]

[righthalfplane]

VIPLightning, your are correct. Note that Banks,Apple, Microsoft and uTube do not force people to use 2FA - It appears that GitHub has come up with this idea on their own.

[62f]

VIPLightning, your are correct. Note that Banks,Apple, Microsoft and uTube do not force people to use 2FA - It appears that GitHub has come up with this idea on their own.

Microsoft currently owns GutHub. Thereby, your own response, besides being an affront to another (of which I myself have identified as also having an invalid basis), does by itself rest firmly upon a particular foundation, the infirmity called: "circular logic". My question to you is, why would anyone waste even more time on an attempt at making a rebuttal to anything, especially of which, according to its author, is likely to be collapsed anyway or even become lost to time-immemorial in a couple of days according to its OP? Show us by placing these emoji stickers on top of it, exactly where the t r oll hurt you.
Care to try again?