opt out of user.device_verification_requested

I log in to github.com from the same device. For the last couple of days github.com reports an unknown device despite it being the same browser from the same range of dynamic IPs.

Is it possible to switch off this kind of security check for my account?

17 Likes

Same problem. 2 factor auth is off. I don’t want this! How can I remove the requirement?

7 Likes

Hi @am-per-sand,

Thanks for being here! If you’d like to disable the verified device requirement permanently, enabling 2FA on your account will allow you to bypass that requirement:

https://help.github.com/articles/configuring-two-factor-authentication

With 2FA enabled, be sure to add some fallbacks to ensure you don’t find yourself locked out:

  • Download your recovery codes. This is by far the best way to make sure you don’t get locked out of your account.

  • Set a fallback number. As long as your phone wasn’t lost, you’ll be able to regain access to your account in the amount of time it takes to receive an SMS.

  • Set up Recover Accounts Elsewhere. If you’re otherwise unable to authenticate, this feature allows you to verify your ownership of a GitHub account using a token stored elsewhere.

  • Add a security key. Phone got stolen and you lost your recovery codes? Today is turning into a rough day, but you’ll still have access to your account if you have a FIDO U2F security key added to your account.

More information on configuring additional recovery methods can be found in our Help docs:

https://help.github.com/articles/configuring-two-factor-authentication-recovery-methods/

1 Like

@am-per-sand Are you talking about not wanting to receive the mail that notifies you of the login?

Thanks for the thorough explanation Andrea. Contrary to your proposal I am looking for a way to log in without the phone and without a mail code, like to this account on GitHub Community Forum.

11 Likes

No, I am talking about the email with the code necessary to log in that is sent every time, even though I log in from the same browser.

5 Likes

@am-per-sand ah, I see what you’re talking about right now. As Andrea mentioned, there is no way to turn these mails off. Why? I don’t know for sure - I don’t work for GitHub - but it’s probably due to the enormous amount of account takeovers these days, even on platforms like GitHub which are developer-oriented. And developers should know better - to use TFA.

I’d strongly recommend configuring TFA. On GitHub, you have a gazillion options: phone TOTP, SMS, recovery codes, fallback numbers and my favourite: U2F. There are no excuses not to start using TFA right now :wink: .

So I signed up with guerillamail and used my account for at least 3 or 4 years. Now suddenly they ask for device verification and I am permanently locked out. Github just randomly decided to lock me out of everything, pretty much forever. Nice to see that they thoroughly thought this through before enabling it.

10 Likes

@phorkoz welcome to the forum! I really don’t think there is any need to use such a negative tone towards GitHub while they just try to keep your account safe.

First of all, you should never tie any mail address you do not control to any account you actively use. If you do decide to do that anyway, you risk locking yourself out. If you would like to use throwaway mail addresses, either buy a domain name and make sure you can re-activate the addresses or use the plus-notation many popular free mail clients support (https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html).

Secondly, as I’ve explained before it is a measure that is really needed. It is in both your best interest as well as GitHub’s best interest to keep your account safe. I think GitHub are fully in their rights to help users keep their account safe if they fail to enable TFA themselves, and I also think GitHub should be able to trust its users to be reachable on at least one of the mail addresses they provided.

So, from now on let’s continue on a positive tone and stop calling out GitHub for a security feature designed to protect you. To get you back up and running I’d suggest contacting GitHub at https://github.com/contact as we can’t discuss account details in this forum.

Are you for real? I’m locked out of a long time account and you are criticizing my tone? I have waaaaay less nice things to say but chose to keep it civil. Github is fully in their right to delete everything and ban all users, yada yada. It may have been unwise to use a temporary email, except it was not a problem for years and quite important to maintain anonymity. Needless to say, I woke up to being so protected and safe that I can’t log in anymore. Maybe they’ll give me my account back, maybe they won’t. I can try that route or just make a new one. The road to hell is paved with good intentions and it would have been nice to have some warning that what amounts to 2FA is being auto enabled. No such warning was given. Are we going to ask for phone numbers and scans of IDs next? Because if that’s the case I’m not playing. Plenty of other repo services in the sea.

13 Likes

At least adding a “Remember this device” option.

2 Likes

Update:

From now on I receive no request for the code from my usual browser, so I suppose something must have been fixed. I also suppose this happens server-side as all site cookies and local data expire with the session.

If it stays that way and devices are properly remembered it is solved for me.

1 Like
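The “Remember this device” option requested earlier in the thread, and the observation above that the verification prompt seems to depend on whether site cookies survive the browser session, can be illustrated with a small model of how a remembered-device cookie is typically issued and checked. This is an added example written for this thread, not GitHub’s code, and it assumes a hypothetical cookie name (`__Host-device`), a constructed server secret and a 30-day remember window; it models two browsers, one that keeps a persistent cookie and one whose cookies expire with the session, to show why the second one is asked for a code at every login.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed demo values; a real deployment keeps the secret in a KMS/HSM.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
COOKIE_NAME = "__Host-device"   # hypothetical cookie name (__Host- prefix pins it to Secure + Path=/)
REMEMBER_SECONDS = 30 * 86400   # assumed 30-day remember window


def issue_device_token(user_id: str, now: int) -> str:
    """Create an HMAC-tagged token binding a fresh device id to this user with an expiry."""
    device_id = secrets.token_hex(16)
    payload = f"{user_id}|{device_id}|{now + REMEMBER_SECONDS}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def set_cookie_header(token: str, persistent: bool) -> str:
    """Render the Set-Cookie line; without Max-Age the browser drops it when the session ends."""
    attrs = [f"{COOKIE_NAME}={token}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if persistent:
        attrs.append(f"Max-Age={REMEMBER_SECONDS}")
    return "Set-Cookie: " + "; ".join(attrs)


def device_is_remembered(token: str, user_id: str, now: int) -> bool:
    """True only if the token is authentic, belongs to this user and has not expired."""
    try:
        b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare of the tag
        return False
    parts = payload.decode().split("|")
    if len(parts) != 3:
        return False
    uid, _device_id, expires = parts
    return uid == user_id and now < int(expires)


def login_decision(user_id: str, cookie_jar: dict, now: int) -> str:
    """Decide after a correct password whether an emailed code is still required."""
    token = cookie_jar.get(COOKIE_NAME)
    if token and device_is_remembered(token, user_id, now):
        return "allow"
    return "require_email_code"


def run_scenario(persistent: bool, start: int = 1_700_000_000) -> tuple:
    """Two logins a day apart from one browser; the cookie is persistent or session-scoped."""
    jar = {}
    first = login_decision("alice", jar, start)          # no cookie yet: code required
    # After the code is confirmed the server remembers the device in a cookie.
    jar[COOKIE_NAME] = issue_device_token("alice", start)
    if not persistent:
        jar.clear()   # browser closed: a session-scoped cookie is discarded
    second = login_decision("alice", jar, start + 86400)
    return first, second


if __name__ == "__main__":
    print(set_cookie_header(issue_device_token("alice", 1_700_000_000), persistent=True))
    print("persistent cookie:", run_scenario(persistent=True))
    print("session cookie:   ", run_scenario(persistent=False))
```

The second scenario reproduces the symptom from the top of the thread: if the remembered-device cookie has no expiry of its own, every new browser session starts with an empty cookie jar and the server has no way to tell the returning device from a new one, so the emailed code is requested again. Tying the token to the user id and signing it server-side means a cookie copied from one account cannot be replayed for another, and the expiry bounds how long a remembered device stays trusted.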

Yes, for me as well. Just noticed that at least for now it’s not requiring the extra device verification step.

Dear Microsoft/Github:

* I DO NOT want to add 2 factor as don’t want to give you my phone number, or go through extra hoops to log in.

* I DO NOT want my device profiled. I also don’t want an extra login step OF ANY KIND. I don’t want to wait for my slow email client to download your verification code every time I need to log in. Security is important but Github is after all rooted in open source. If a publicly traded bank (for example) were to trust Github with their code, they would deserve to have whatever happens.

* Your ridiculous method of using a cookie to determine and inform me that my device (which is the same device, same IP, etc.) is unrecognized is offensive to my intelligence. I also find it invasive to my privacy that you are actively trying to profile my device. Aside from my credentials, it’s none of your business!

* I DO NOT care if you think I have a negative tone. Of course I’m negative about this. I use Github on a daily basis AND I HATE AND AM OFFENDED BY YOU FORCING ME INTO THIS EXTRA LOGIN STEP. Yes it’s that big of a deal, especially considering that you, as a so called OPEN SOURCE COMMUNITY are trying to normalize this nouveau invasive security policy that very few websites implement (AWS doesn’t even do it).

It’s as simple as this. I’ve been a Github user for 5 years (including professional/enterprise accounts), and if that “your device is unrecognized, enter the code” popup comes up again, I will abandon GH for Gitlab permanently. I did this with Digitalocean, until they got some sense after many people complained and got rid of this privacy invasive time waster.

12 Likes

@unleashit I do understand your frustration, and also do understand that you are negative about this topic. But I would like to ask you to not direct your anger at volunteers at the forum who 1) are just trying to help you out and 2) do not work on the GitHub platform nor make any decisions about GitHub’s policies.

To address your points (@unlea**bleep**):

  • I get that TFA is frustrating, and an extra step. It’s just a result of the world we live in - imagine you wouldn’t have to lock your home if you left, or could just leave your car wide open at the supermarket. Don’t blame GitHub for it. In fact, they’ve made it very easy to use TFA. You could for example use a YubiKey or similar device to make logging in more securely take no real extra effort. I also believe you do not have to give out your phone number if you don’t want to, and can just use one or more other options.
  • I never have inspected the code that runs on the page that well, but tracking is something that is done - welcome to the internet - and GitHub does address the topic in their Privacy Statement (https://help.github.com/en/articles/github-privacy-statement#our-use-of-cookies-and-tracking). If you don’t like being tracked, you can always set up your browser to block cookies or use an ad/tracker blocker of some kind to minimize tracking. Having said that, the tracking is mostly used to limit the amount of times a code is required - thus improving your experience. As for your “slow” mail client that you have to wait on to download a code: you can use any of the other available options as suggested. They are much faster.
  • Again, profiling is done everywhere on the internet and clearly stated in their Privacy Statement, which you should have read while creating an account. And again, you do have options on your side to limit all kinds of tracking.
  • I’ve already made my point about negativity at the top of this post.

Having said all of that, I do think that if you want full control you should just host a GitLab server yourself: honestly. It always is a trade-off between having control and the cost of maintaining your own environment.

The internet is a scary place and GitHub is just trying to protect themselves as well as their (often irresponsible) users. They aren’t doing anything illegal or wrong, and offer plenty of alternative options for those who do not like the code per mail.

This will probably be my last post in this topic because this is just turning into a rant from people who think passwords are still more than enough in 2019 and are purely complaining about GitHub helping them towards better habits to protect the company as well as the users.

2 Likes

I totally agree.

This is a ridiculous misfeature which makes Github pretty unreliable and anything but serious.

Sorry to say it that hard, but that’s the actual effect.

I’m a long term user (must be way over a decade, I don’t actually recall anymore), and I’ve introduced it in a lot of companies (yes, the commercial subscriptions), so I’m one of the folks who made your business big.

But now you force me and my clients off.

By the way: I happen to be one of the guys who set up high security environments (eg. for large international banks) doing security audits/expertises, etc. And I can clearly tell that this misfeature isn’t good for security at all. It’s just a trojan horse for more surveillance - the exact opposite of security.

If you actually were interested in security, you’d offer things like pubkey authentication, etc.

But asking the users to use broken-by-design and extremely insecure “smartphones” for authentication is just ridiculous and clearly sends the message that you don’t have the slightest idea of either security or usability.

–mtx

10 Likes

Plus I have several fingerprint mitigating plugins on some of my browsers. So my print will never be the same and I’ll have to login to whatever theoretical email I have every time I use the service. (although it also failed on the one that doesn’t have that and was used most of the time, joy) Legit hackers will find a work around. If our passwords aren’t good enough, why even have them? Why not just require email/sms code to log in? BTW, I can still log in through the github app but can no longer post to anything on the site. On the same device.

4 Likes

I have no idea who you think you are, but as any reader can easily see my comments were directed at Microsoft and not anyone else. I never asked for your help. You have zero right to go around telling people with legitimate concerns (who so far as I’ve seen have been quite tame/civil) that they’re negative. The desire to come on forums and police people apparently for entertainment does seem to be, on the other hand, negative. I suggest giving that some thought.

@metux said it best. This forced device verification is nothing more than a trojan horse for surveillance. I agree with the other guy too. Sometimes I want to be anonymous. The more companies try to take away that anonymity, the more a lot of us will use other alternatives and fight back.

I did in fact run a self hosted Gitlab instance for over a year and it was great. Fortunately, cloud Gitlab and its shared runners are currently meeting my personal needs with less maintenance. And they don’t force draconian measures on their users. Unfortunately, Github is where people currently are. But stuff like this, I guarantee, won’t help the situation for them. We’re talking about developers here. We’re the ones who are aware of the _ _ _ _ companies are trying to pull.

unlea**bleep** is two words btw. Unleash and it.

6 Likes

Thanks everyone for your feedback and comments, I can completely understand your concerns around this feature. I appreciate when it comes to issues of security the importance is always high and it’s good to have a place to have these conversations, and share our viewpoints. That is why we are here!

Please rest assured I’ve passed on all of this feedback to our product team. I can’t promise when we will have an update, but your feedback is definitely in the right hands.

This actually prevents us from performing non-interactive logins that run UI tests in CI. Is there a way to opt out such “test” accounts from this verification method? I tried checking the “Opt-out of session activity alerts.” under the Security settings, but that didn’t work. Is that supposed to disable the device verification?

3 Likes

The really last update…

Verification code request during login appears again on my usual browser (not in “privacy mode”). Maybe this github.com device memory is very short?

Anyone who got over this and was successful to make them remember the code for longer than a day is welcome…