get rid of this.
What are you tracking people now?
Oh hey I have a new IP or an updated browser, time to waste more time.
What if I'm on the road?
Nobody uses passwords they can remember, what if I can't login to my email? What if I don't want to log in to my email on a customer's device or an unsafe location?
What do I have a password for?
From now on I receive no request for the code from my usual browser, so I suppose something must have been fixed. I also suppose this happens server-side as all site cookies and local data expire with the session.
If it stays that way and devices are properly remembered it is solved for me.
Yes, for me as well. Just noticed that at least for now it's not requiring the extra device verification step.
* I DO NOT want to add 2 factor as I don't want to give you my phone number, or go through extra hoops to log in.
* I DO NOT want my device profiled. I also don't want an extra login step OF ANY KIND. I don't want to wait for my slow email client to download your verification code every time I need to log in. Security is important but Github is after all rooted in open source. If a publicly traded bank (for example) were to trust Github with their code, they would deserve to have whatever happens.
* Your ridiculous method of using a cookie to determine and inform me that my device (which is the same device, same IP, etc.) is unrecognized is offensive to my intelligence. I also find it invasive to my privacy that you are actively trying to profile my device. Aside from my credentials, it's none of your business!
* I DO NOT care if you think I have a negative tone. Of course I'm negative about this. I use Github on a daily basis AND I HATE AND AM OFFENDED BY YOU FORCING ME INTO THIS EXTRA LOGIN STEP. Yes it's that big of a deal, especially considering that you, as a so-called OPEN SOURCE COMMUNITY are trying to normalize this nouveau invasive security policy that very few websites implement (AWS doesn't even do it).
It's as simple as this. I've been a Github user for 5 years (including professional/enterprise accounts), and if that "your device is unrecognized, enter the code" popup comes up again, I will abandon GH for Gitlab permanently. I did this with Digitalocean, until they got some sense after many people complained and got rid of this privacy invasive time waster.
@unleashit I do understand your frustration, and also do understand that you are negative about this topic. But I would like to ask you to not direct your anger at volunteers at the forum who 1) are just trying to help you out and 2) do not work on the GitHub platform nor make any decisions about GitHub's policies.
To address your points (@unlea**bleep**):
Having said all of that, I do think that if you want full control you should just host a GitLab server yourself: honestly. It always is a trade-off between having control and the cost of maintaining your own environment.
The internet is a scary place and GitHub is just trying to protect themselves as well as their (often irresponsible) users. They aren't doing anything illegal or wrong, and offer plenty of alternative options for those who do not like the code per mail.
This will probably be my last post in this topic because this is just turning into a rant from people who think passwords are still more than enough in 2019 and are purely complaining about GitHub helping them towards better habits to protect the company as well as the users.
I have no idea who you think you are, but as any reader can easily see my comments were directed at Microsoft and not anyone else. I never asked for your help. You have zero right to go around telling people with legitimate concerns (who so far as I've seen have been quite tame/civil) that they're negative. The desire to come on forums and police people apparently for entertainment does seem to be, on the other hand, negative. I suggest giving that some thought.
@metux said it best. This forced device verification is nothing more than a trojan horse for surveillance. I agree with the other guy too. Sometimes I want to be anonymous. The more companies try to take away that anonymity, the more a lot of us will use other alternatives and fight back.
I did in fact run a self hosted Gitlab instance for over a year and it was great. Fortunately, cloud Gitlab and its shared runners are currently meeting my personal needs with less maintenance. And they don't force draconian measures on their users. Unfortunately, Github is where people currently are. But stuff like this I guarantee it won't help the situation for them. We're talking about developers here. We're the ones who are aware of the _ _ _ _ companies are trying to pull.
unlea**bleep** is two words btw. Unleash and it.
I totally agree.
This is a ridiculous misfeature which makes Github pretty unreliable and anything but serious.
Sorry to say it that hard, but that's the actual effect.
I'm a long term user (must be way of a decade, I don't actually recall anymore), and I've introduced it in a lot of companies (yes, the commercial subscriptions), so I'm one of the folks who made your business big.
But now you force me and my clients off.
By the way: I happen to be one of the guys who set up high security environments (eg. for large international banks) doing security audits/expertises, etc. And I can clearly tell that this misfeature isn't good for security at all. It's just a trojan horse for more surveillance - the exact opposite of security.
If you actually were interested in security, you'd offer things like pubkey authentication, etc.
But asking the users to use broken-by-design and extremely insecure "smartphones" for authentication is just ridiculous and clearly sends the message that you don't have the slightest idea of either security or usability.
Thanks everyone for your feedback and comments, I can completely understand your concerns around this feature. I appreciate when it comes to issues of security the importance is always high and it's good to have a place to have these conversations, and share our viewpoints. That is why we are here!
Please rest assured I've passed on all of this feedback to our product team, I can't promise when we will have an update, but your feedback is definitely in the right hands.
This actually prevents us from performing non-interactive logins that run UI tests in CI. Is there a way to opt out such "test" accounts from this verification method? I tried checking the "Opt-out of session activity alerts." under the Security settings, but that didn't work. Is that supposed to disable the device verification?