Posted by u/sergiotapia 2 years ago
Ask HN: Git hosting sites that do not require 2FA?
Today I had a big ugly banner on top of Github: Use 2FA or your account will be disabled in January.

I don't want to use 2FA. It may be better security but I don't care, I don't want to use it for anything except my bank accounts.

I have my password manager and can login with 1 click to all my sites. 2FA is always a pain in the ass and always extra effort on something my password manager already protects me from.

What's a good alternative that does not require 2FA to sign in and use it?

xbar · 2 years ago
Your decision makes me sad.

GitHub is doing something the world needs: putting better security on a huge chunk of the open source software that is shared and relied upon by literally all of humanity.

Any repo, anywhere, has the chance to become a part of the open source ecosystem. Strongly authenticated developer accounts on those repos is critical for everyone's security. It sucks that we are here, but here we are. Password managers are almost enough to save us, but not quite.

I think it is fair to complain about particular factors of 2FA (e.g. TOTP or Yubikey or iPhone Passkey or SMS or whatever). And it's fair to complain that the session timeout on a strongly authenticated persistent session cookie should be user-managed (30 days? no problem! 90 days? I trust my device enough for an API key, why not a cookie?).

And all your command-line stuff is already API key-based on GitHub...

But good 2FA offers real security against a lot of threats. I hope more people embrace it.

000ooo000 · 2 years ago
Another commenter below used the phrases high and low value accounts which gets to the crux of why 2FA is a PITA (for me). GitHub is a low value account for me. It's basically Pinterest for code; I track interesting repos, sometimes I raise an issue, and I have dark mode turned on. I have 2-3 garbage private repos that I don't use, so if my account was compromised, it'd be like this:

https://media.tenor.com/vJLaS5etgRwAAAAd/shit-wow.gif

It would be like if Reddit started requiring 2FA to 'protect my account'.

If I was using GH in a professional capacity, this would be different. But I guess I resent that I don't get to make the choice. Security Daddy at GitHub thinks I'm too stupid.

paxys · 2 years ago
It's a weird thing to be hung up on. Set up 2FA, remember your device, and that's it. You get added security at no cost to ease of use.
larschdk · 2 years ago
I'm paranoid after enabling 2FA after failing once to save the recovery codes correctly. Not sure what actually happened exactly, but when I managed to get back in despite the odds, the shown recovery codes were _different_ from the ones I had saved locally.

Losing your authenticator and recovery codes means the account is lost permanently. This feels like a bigger threat to my account security than not having 2FA. Not saying it _is_ a bigger threat, but it feels like a bigger threat.

paxys · 2 years ago
You have to simultaneously lose every 2FA device, the recovery codes, and every active session of the service on every computer to get locked out. And even then, there is usually always an account recovery process you can go through. It really isn't all that risky.

You know a much easier and way more probable way to lose an account? If the password gets leaked/intercepted and there's no other security check.

eddythompson80 · 2 years ago
Most websites you can add multiple 2FA options. Get a yubikey (or two) and set it up as a backup. Then just keep your yubikey somewhere safe in your house. I keep it where I keep my passport and other stuff like that.
000ooo000 · 2 years ago
Think I'd rather have stupid password complexity and update requirements foisted on me than 2FA. Takes an 8 second activity and turns it into 30-60s when it's by SMS or email OTP. Especially frustrating when it's a known device, too.

Back on topic though: I run a local Forgejo/Gitea instance which doesn't have 2FA (or the maturity of the bigger forges if we are being honest). Could be worth a look if you are up to self hosting it.

mortallywounded · 2 years ago
Buy a $5/month Linode (err, Akamai-node?) and `git init --bare /srv/whatever.git` and `git clone yourdomain:/srv/whatever.git`

Limitless private git repositories.

ochronus · 2 years ago
If you want to go fancy, get a bigger node and self-host GitLab.
jdc0589 · 2 years ago
Used to be some decent open source web UIs you could host too. Haven't looked in AGES though.
mortallywounded · 2 years ago
cgit is good if you want a read-only web ui.

Also, git has a built in web server.

https://git-scm.com/docs/gitweb

stavros · 2 years ago
Gitea is good.
TheSwordsman · 2 years ago
>I have my password manager and can login with 1 click to all my sites. 2FA is always a pain in the ass and always extra effort on something my password manager already protects me from.

So I think there are a few potential issues with this argument based on assumptions you're making. I'd argue this isn't entirely true because:

1. Many password managers allow you to manually copy the password into your clipboard, which means you could paste it somewhere that's unsafe / untrusted. Someone could then use this password to authenticate as you. Many sites disallow token reuse, so once used, if you accidentally pasted that somewhere as well, an attacker couldn't reuse the token.

2. Similarly, if someone has managed to exfiltrate login details you provide without being able to also obtain the session cookie sent back, and the site enforces one time use of MFA tokens, then the MFA token can also avoid a replay attack of your login details.

I'll admit the second one may be a bit contrived, because if they can exfiltrate login details it seems likely they could also just obtain the session cookie. But if said cookie is tied to a certain IP address, then that cookie is useless to them and they wouldn't be able to replay the credentials.

mgillett54 · 2 years ago
Some platforms let passkeys count as password+2FA which could be an option if you use a password manager that supports it.

I use passkeys in 1Password for GitHub access.

stavros · 2 years ago
GitHub supports passkeys, and your password manager might too. I like the flow better than passwords, I just click "log in" and it goes.
jjgreen · 2 years ago
GitLab (which has better CI too), Codeberg (simpler, only public repos).
roboben · 2 years ago
Define better CI? It is much slower and way more expensive than GHA with all its free M$ money.
jjgreen · 2 years ago
You get 2k minutes free a month which is enough for my side projects. Not used GH for a while, maybe they've upped their game ...