Disable / Remove email "Device verification" prompt on login (not the 2FA)

From what I understand, this problem has been going on for several years. Are there any alternatives to GitHub?

Sure you can host your own git/gerrit server.

+1
Hope this will be resolved sometime in the future…

Hey @pd-robgee @MBODM @pc13com20222 @Vlod-github & @seeker1983

You’re all first-time posters - so welcome to the forums! Thanks for sharing your feedback on this post. I definitely hear the frustration - as this post goes all the way back to August 2019.

I did some digging and found that “device verification is an added security measure to help prevent an account takeover (ATO). When a user has reused credentials across platforms, a bad actor may try to use those credentials to access the user’s GitHub account. To prevent this, the actor must verify the device they are using in addition to providing a valid username/email and password.” – Y’all probably already know that so if there are more specific challenges we can try and help with, please share details.

If this is still a pain point and you want to share product feedback - you could add onto this feedback thread: Move verification code upwards in emails – or start a new post in the feedback/discussion general category.

Not likely the solution you’re looking for – but wanted to share what we can. Thanks for posting here! We appreciate all the feedback.

Hi,

Does this maybe have something to do with IP-based security aspects?

For example, in Germany it's normal behaviour for most ISPs to disconnect and reconnect your connection once every 24 hours. Even for flat rates. Maybe the fact that a new IP is negotiated every 24h forces GitHub's security mechanisms to make the user verify his account.

Maybe this has some influence. Just an idea.

A REQUIREMENT? Never. I exist without using 2FA on all sites that I can NOT use 2FA. I hate it. I hate it. I hate it. I hate it. I don’t wanna give my phone or any other contact data to ANYBODY, much less Microsoft.

Yes, 2FA is a requirement in the modern internet landscape. Why? Because passwords are a bad idea and users are even worse at picking them. The proof of this are the millions of accounts that are breached every single day.

I get that you hate 2FA, but you’re making your life quite hard by avoiding all online services that require it. Especially since

simply is not true. Only if you pick SMS as your second factor then sure, duh, you have to provide your phone number.

However, at least at GitHub, there are plenty of options available which require no additional exchange of personal data: use a YubiKey or use TOTP. Both methods require zero personal information and work just fine. If you use them together with a password manager, they also do not require extra effort upon login.

And I can assure you that screaming in the forums over here won’t help either. If you got real questions about 2FA, feel free to ask them here or open up a new topic. Otherwise, please refrain from just whining. I think the tone in this thread is more than clear enough. And if you don’t want to use GitHub - don’t. No one forces you to.

This post was flagged by the community and is temporarily hidden.

Yea it’s pretty disgusting this is still an issue & we’re being completely ignored by GitHub even though this request is years old now & happens to be in the top 15 of most discussed issues EVER in the GitHub community.

This is of course not even including the NUMEROUS complaints in other sites & forums regarding this such as Reddit.

“Yes, 2FA is a requirement in the modern internet landscape. Why? Because passwords are a bad idea and users are even worse at picking them. The proof of this are the millions of accounts that are breached every single day.”

Stop exaggerating, you are completely wrong Mr. company man… How can you explain the fact that I have 2 bank accounts with 2 popular HUGE banks & they allow me to log in WITHOUT 2FA?? Different IP? Doesn’t matter, different device? Doesn’t matter, 2FA is an option that they’ve let me as an adult make my own decision about.

I can also say the very same thing, there are BILLIONS of accounts that are not compromised & are doing quite fine, why not mention that part?

How can you justify that GitHub/Microsoft wants to store people’s phone numbers & force 2FA when my banks who deal with MONEY, billions of it, don’t force 2FA?? What “company man” reply are you going to conjure up this time?

Did you already forget what Facebook was found guilty of twice?! Selling, exposing private information to other companies including private phone numbers. There’s nothing more valuable to a company hoarding people’s private information than personal phone numbers. Nothing even comes close.

This tiny percentage of people trying to defend GitHub/Microsoft’s ploy to fill their database with private information/phone numbers by forcing us on 2FA with no choice again, are people who disregard internet personal privacy & are uneducated with such subjects, or are GitHub/Microsoft employees trying to stick up for this pathetic decision.

GitHub have deserted us, I mean to completely ignore all their own user complaints let alone the ridiculous amounts of complaints on other sites/forums regarding this shows just how out of touch they are from their users. They have been gobbled up by the big boys & are just little pigeons who work for Microsoft now with absolutely no say.

I amongst many others cannot wait till some other platform ousts GitHub out of the picture completely. I’ll celebrate till I drop when this happens & mark my words it will. People are already working on this very mission & don’t forget these are coders/programmers we’re talking about, they’ll make it happen.

The robotic predictable replies from their so-called support team here are blatantly trying to shove our opinions under the rug. I’d rather no reply at all than these reply templates they use with their over-cheery attitudes.

I assume you live in a country with weak customer protections. Here in the EU banks are generally required by law to require 2FA.

The key thing you need to understand is that there’s no need to use a phone number for 2FA. Personally I don’t understand why any web platform is still offering SMS for 2FA, it’s weak. Use TOTP, which only needs you to copy a secret into a TOTP implementation of your choice once, and no connection at all after. And do backups, the downside is that unlike with SMS you can’t ask your provider to give a secret back to you if you lose it.