opt out of user.device_verification_requested

The really last update…

Verification code request during login appears again on my usual browser (not in “privacy mode”). Maybe this github.com-device memory is very short?

Anyone who got over this and was successful to make them remember the code for longer than a day is welcome…

Hi,

and sorry for being late in the discussion, I just arrived home so I could log in again. My problem with the additional verification is that I’m behind a firewall most of the time which permits connections to GitHub but not to my mail provider. Thus I can’t verify the device I’m working on. Same problem when travelling: I’m having a hard time to access my mails, which surely is my very own problem, but I guess there are others with similar problems with locked-down hotel WiFis. If I got it right, 2FA requires providing you with a mobile number, which I can’t do for anonymity reasons, so that’s no solution either. For me, the proposed opt-out would make contributing from anywhere anytime possible again.

Just my 2¢. :slight_smile:

Thanks,

Flössie

4 Likes

User device verification is the dumbest bullcrap. Really? Is account takeover that much of a problem? Where are the statistics? Whose accounts were taken over? Tell me. Never mind the fact that I’m logging in from the same machine for a long time and still I get this ridiculous overkill security measure, but you’re telling me with a strong enough password people are still getting their account broken into? If so, then what really is the purpose of the user device verification?

6 Likes

I can’t even edit my comment for errors. What a joke this forum is.

1 Like

First Ehmke, lastly this. 

A majority of my friends already moved when github was bought by M$. Most to gitlab (mostly private instances), some back to sourceforge, a few to launchpad.

1 Like

get rid of this.

What are you tracking people now?

Oh hey I have a new IP or an updated browser, time to waste more time.

What if I’m on the road?

Nobody uses passwords they can remember, what if I can’t login to my email? What if I don’t want to log in to my email on a customer’s device or an unsafe location?

What do I have a password for?

4 Likes

@emente wrote:

First Ehmke, lastly this. 

 

A majority of my friends already moved when github was bought by M$. Most to gitlab (mostly private instances), some back to sourceforge, a few to launchpad.

Wow!

didn’t even know that tidbit.

Fvck M$ I’m deleting my github

1 Like

I’d just like to add to this discussion that I’ve been experiencing similar problems for the last few months, having to enter an email verification code every other time I log in from an identical laptop. (I’m logging on every day almost, but I do have two unix user accounts on it that I log in from, for work related reasons).

There must be some way to make github remember devices for longer periods of time.

There are legitimate concerns with downloading apps onto a device for this, especially an iphone or android, where the owner isn’t the superuser on the device, and especially considering that Microsoft is the author of the code.

It’s irritating to have to continually enter a code in every other time, and I doubt it’s necessary.

1 Like

Same. Each time on login, I sign in to my mail box before github from now on.

And seriously? The security of and ABILITY TO ACCESS the github site is based upon another 3rd-party site somewhere on the internet. Some guy over there who up his site and called it mail service. It’s just a way to implicitly declare limited warranty and escape any claims if your account gets hijacked for real.

Tomorrow that guy dies, his mail service is gone, thus your account is gone either? Nice usability.

Random guys with sites are now called the security.

1 Like

Okay, this thread got a little hostile. But the point isn’t entirely wrong, and this is starting to bug me, too.

I have considered the security benefit of this so called ‘device verification’ and I believe there is zero for people with strong passwords. Let’s go over this, shall we.

Let’s assume an attacker is trying to break into my account. They have three avenues. They can a) attack the servers, b) my own system or c) the connection between those two.

If a) works without knowing the password, then you’re seriously in the deep end.

If b) works, then my email account is accessible, every password I enter loggable, and probably my phone cracked, too. That’s kinda the deep end for me. No point verifying a device when the device itself is the weak point.

If c) works, then virtually everything can be faked, so device verification is kinda pointless.

I do have a 16 character long cryptographically secure random password. By all means, try cracking it. If you can pull that off without peeking (and I _seriously_ hope you can’t peek) then I’ll reconsider my point.

Otherwise, please consider adding an opt-out for this feature. It does not add security. It adds extra work. I like using incognito mode permanently, so this device verification hits me each time.

Two factor authentication is not going to happen, either. Not to mention, that also adds extra work each time.

2 Likes

It is not GitHub’s responsibility to require my phone number which is personal and private information. It is one thing for the office to do this, but for GitHub to gather people’s personal information is out of hand. The less information you have the less is at risk if a data breach happens.

It is not GitHub’s responsibility to manage my device.

It is not GitHub’s responsibility to question where I log in from.

It is not GitHub’s responsibility to tell me I should have my phone glued to my hip every time I log in.

Furthermore those bloody emails take forever to arrive.

Users should have a choice as to how they want to log in. IF someone wants to give everyone and their brother their phone number and personal information, that is their choice. Too many sites are ramming unnecessary security down people’s throats to protect us from ourselves. That is not GitHub’s Job, and they are overstepping their bounds! Honestly, I can do that myself and it should not be up to any company or organization to require my personal information unless it is mission critical; like a bank i.e.

4 Likes

So is there a way to disable this miserable crap, without enabling the other miserable crap (TFA) and leak your phone number?

I mean let them on by default if you consider that they improve so much the security, then put the way to disable them in the most hidden and obscure menus, so nobody can claim that they’ve disabled them “by mistake”, hell, even ask 20 times:

“Are you sure that you want to disable this extraordinary important security feature !?!?!?”

“How dare you to disable it ?”

“You have stolen my security…”

But after I’ve done it once, please let me never hear about this crap ever again, if the bloody PayPal, Ebay and Amazon can work with user/pass, you can do it as well.

3 Likes

Absolutely frustrating & ridiculously annoying. This is still happening to me. I have forwarded my complaint about this over-the-top so called security feature to GitHub Feedback & they keep insisting that it’s something on my side & keep trying to force me to use 2 factor authentication which we just DON’T want to do. Our phone numbers are private & we’ll keep it that way.

The most annoying part of this is that 90% of the time I’m using the SAME DEVICES to login & it keeps giving me the NEW DEVICE DETECTED OMF THE WORLD IS OVER message. GitHub expects us to NOT use a VPN to change our IP’s, NOT to use new devices (even though 90% of the time it’s the same devices) just to force us to use 2 factor authentication, just utterly backwards & a waste of time. It’s easier to login to NSA Headquarters with less dramas than this.

As I’ve previously mentioned, I have 2 banks which have Online Banking. These 2 banks are part of the 4 MAJOR banks here in Australia. I change devices, use my VPN which changes my IP & we NEVER get these inconveniences & headaches GitHub provides.

How can GitHub justify having more “so-called-security” than online banking itself?  How can you possibly justify your login security measures against banks & think that’s normal??
This is nothing but a shifty ploy to annoy us to the point where we give in & sign up for 2 factor authentication at the expense of our privacy to collect our private phone numbers & god knows what other information. What a disgrace.

The people who are sticking up & backing up GitHub regarding this extremely annoying & time wasting process are people who couldn’t care less about privacy or are too uneducated about internet privacy especially in sensitive privacy times like this. Don’t get me started on how many people trusted Facebook with privacy until they were found guilty on providing & selling our private information to 3rd party companies even though sincerely promising its users otherwise. & please don’t give me that “GitHuB will never sell your information” bla talk because that’s EXACTLY what every company said before they were found guilty of doing exactly that.

One quick search on the web regarding GitHub & its annoying New Device Detected frustrating login process shows indeed I’m definitely not the only one.

“Rest assured we’ve provided your feedback to the designers & development team” is their magic punch-line but many of us are still copping this but of course the amount of people will be downplayed.

This will not be getting fixed permanently anytime soon so we’ll be trying alternatives like GitLab or BitBucket etc. Congratulations for not listening & sweeping us to other alternative websites.

2 Likes

This is indeed unfortunate. I know that my old email account will soon be gone.

I do not own a mobile nor do I use 2FA or would I. I am just a simple user, a hobbyist coder, so now github has an indirect obsoletion onto my account, since I know I can not use it in the future (since I will not be able to access the email-verification code).

The basic “argument” given by github does not make a lot of sense. What people here asked for is to DISABLE these account-related emails and this antifeature. But this is not possible. Github thus states that EVERYONE wants to have this, which is evidently not correct. So there must be another explanation as to why github is doing so. I think it is because they want to ultimately tie it to 2FA to identify individual people. Twitter does so too - recently I could no longer access twitter but was forced to provide a mobile. I don’t have a mobile, so I can now no longer access my old twitter account.

I understand that github does not care (otherwise this deliberate antifeature would not have made it in), nor does twitter - but ultimately you guys will also lose people who can be productive - both in regards to (open source) code, but also when contributing to other projects, reporting bugs etc…

It is, by the way, quite trivial to work around anyway since I can just create a new account, which is, ironically, easier than the verification-email upon resend - even more so if you can no longer access your old email account. So this is really just github making this inconvenient. Why can new users bypass this harassment threshold, but old existing users who used it for many years, are constantly harassed? Google gmail does this too, which shocked me - if I login from campus site, thus another computer, I get blocked by it, can not disable it either and have to send my phone number (which I don’t have, so it is a deadlock).

I guess in many ways the best is to never depend on companies that can lock you out, but I did enjoy communicating with other people prior to that. It’s just not worth the hassle to continue this.

1 Like

Github, Microsoft, will you answer all our arguments that we have brought here?

1 Like

No, they will not answer, obviously.

1 Like

Github just makes you login to both your email and your github account at this unsafe location, just to be sure that those hackers can unlock both your github and your email account for the next months.

You know … because it’s insecure to have hackers that can only access your github account… since github accounts don’t give access to your online banking… someone needs to help them earn a living…

Oh wait I mean: You know… because on a hacked github account a script kiddie could upload malicious code… because kiddies are incapable of opening their own github account to upload malicious code… So it’s secure now…

Hmmm, I’m sure there was a good reason … let us think about it again and we’ll get back to you when we remember… Don’t call us, we won’t call you either

AHHH I remembered…

So… if we cannot show we have put an appropriate amount of focus on security, we might be liable for damages… so you know … lawyer told us we have to do this. Not because it’s safer for you, but because it saves us from liability…

NSA paid Microsoft to buy GitHub and Skype…

Why would you think they (NSA) will turn off their most trusted IP to email & mobile number lookup system???
Of course M$ will deny it, they are legally bound to…

This kind of BS is so Microsoft.