D Github contributors - enable 2 factor authentication

Jonathan M Davis via Digitalmars-d digitalmars-d at puremagic.com
Thu Aug 11 00:54:48 PDT 2016


On Thursday, August 11, 2016 07:33:45 qznc via Digitalmars-d wrote:
> On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
> > I just enabled it because of this thread, but in general, I'm
> > paranoid about two-factor auth and don't use it for much. My
> > domain registrar (and thus DNS) is one of the few places that I
> > have it enabled. I'm just too worried about getting locked out.
> > The very thing that makes it more secure significantly
> > increases the risk of you having a problem that locks you out.
>
> This thread pushed me to enable it for Google and Github. The
> fear of lock out plagues me as well.
>
> However, I asked a few friends and so far I have found nobody who
> was actually locked out. The fact that they all give you a few
> backup codes for login helps.

I would expect the lockout issue to come from issues with your phone. I
almost got locked out by my domain registrar previously, because I changed
phone providers, and stupidly, that meant that I couldn't get the SMS
messages anymore - even though my phone number hadn't changed. Fortunately,
I was finally able to get it fixed with them, but it took a while. But I'd
be even more worried about depending on an app on your phone (like is
sometimes the case with two-factor auth), since that won't necessarily then
work with another phone with the same number, in which case, changing phones
could lose you access - and while you might be able to plan for that by
doing something like turning off two-factor temporarily when switching
phones, if your phone died, you won't have been able to do that. As long as
nothing goes wrong with your second factor, you'll probably be fine and
won't get locked out of anything, but as soon as something _does_ go wrong
with your second factor, you risk being locked out with no recourse.

And if the company that you're dealing with for two-factor actually lets you
get around the two-factor when you have a problem, then that opens the door
for someone else to talk them into letting _them_ in (which is of course
what the second factor is supposed to prevent). So, you either end up with a
situation where you're fine as long as your second factor doesn't have
problems but are screwed when it does, or you're still at risk of someone
else getting into your account in spite of having the second factor.

So, while in principle, two-factor auth is a great idea, there's definite
risk involved with it that makes me very leery of using it. And all it
takes to really screw you over is getting locked out once.

- Jonathan M Davis