Mission Specialist Lvl 2
Message 11 of 31

get rid of this shyt. What are you tracking people now? O...

get rid of this.

What are you tracking people now?

Oh hey I have a new IP or an updated browser, time to waste more time.

What if I'm on the road?

Nobody uses passwords they can remember, what if I can't login to my email? What if I don't want to log in to my email on a customer's device or an unsafe location?

 

What do I have a password for?

Ground Controller Lvl 2
Message 12 of 31

Re: locked out

At least adding a "Remember this device" option.

Copilot Lvl 3
Message 13 of 31

Re: opt out of user.device_verification_requested

Update:

 

From now on I receive no request for the code from my usual browser, so I suppose something must have been fixed. I also suppose this happens server-side as all site cookies and local data expire with the session.

If it stays that way and devices are properly remembered, it is solved for me.

Copilot Lvl 3
Message 14 of 31

Re: opt out of user.device_verification_requested

Yes, for me as well. Just noticed that at least for now it's not requiring the extra device verification step.

 

Dear Microsoft/Github:

 

* I DO NOT want to add 2 factor as I don't want to give you my phone number, or go through extra hoops to log in.

* I DO NOT want my device profiled. I also don't want an extra login step OF ANY KIND. I don't want to wait for my slow email client to download your verification code every time I need to log in. Security is important but Github is after all rooted in open source. If a publicly traded bank (for example) were to trust Github with their code, they would deserve to have whatever happens.

* Your ridiculous method of using a cookie to determine and inform me that my device (which is the same device, same IP, etc.) is unrecognized is offensive to my intelligence. I also find it invasive to my privacy that you are actively trying to profile my device. Aside from my credentials, it's none of your business!

* I DO NOT care if you think I have a negative tone. Of course I'm negative about this. I use Github on a daily basis AND I HATE AND AM OFFENDED BY YOU FORCING ME INTO THIS EXTRA LOGIN STEP. Yes it's that big of a deal, especially considering that you, as a so-called OPEN SOURCE COMMUNITY are trying to normalize this nouveau invasive security policy that very few websites implement (AWS doesn't even do it).

 

It's as simple as this. I've been a Github user for 5 years (including professional/enterprise accounts), and if that "your device is unrecognized, enter the code" popup comes up again, I will abandon GH for Gitlab permanently. I did this with Digitalocean, until they got some sense after many people complained and got rid of this privacy invasive time waster.

Commander Lvl 3
Message 15 of 31

Re: opt out of user.device_verification_requested

@unleashit I do understand your frustration, and also do understand that you are negative about this topic. But I would like to ask you to not direct your anger at volunteers at the forum who 1) are just trying to help you out and 2) do not work on the GitHub platform nor make any decisions about GitHub's policies.

 

To address your points (@unlea**bleep**):

  • I get that TFA is frustrating, and an extra step. It's just a result of the world we live in - imagine you wouldn't have to lock your home if you left, or could just leave your car wide open at the supermarket. Don't blame GitHub for it. In fact, they've made it very easy to use TFA. You could for example use a YubiKey or similar device to make logging in more securely take no real extra effort. I also believe you do not have to give out your phone number if you don't want to, and can just use one or more other options.
  • I never have inspected the code that runs on the page that well, but tracking is something that is done - welcome to the internet - and GitHub does address the topic in their Privacy Statement (https://help.github.com/en/articles/github-privacy-statement#our-use-of-cookies-and-tracking). If you don't like being tracked, you can always set up your browser to block cookies or use an ad/tracker blocker of some kind to minimize tracking. Having said that, the tracking is mostly used to limit the amount of times a code is required - thus improving your experience. As for your "slow" mail client that you have to wait on to download a code: you can use any of the other available options as suggested. They are much faster.
  • Again, profiling is done everywhere on the internet and clearly stated in their Privacy Statement, which you should have read while creating an account. And again, you do have options on your site to limit all kinds of tracking.
  • I've already made my point about negativity at the top of this post.

 

Having said all of that, I do think that if you want full control you should just host a GitLab server yourself: honestly. It always is a trade-off between having control and the cost of maintaining your own environment.

 

The internet is a scary place and GitHub is just trying to protect themselves as well as their (often irresponsible) users. They aren't doing anything illegal or wrong, and offer plenty of alternative options for those who do not like the code per mail.

 

This will probably be my last post in this topic because this is just turning into a rant from people who think passwords are still more than enough in 2019 and are purely complaining about GitHub helping them towards better habits to protect the company as well as the users.


- Mark

Copilot Lvl 3
Message 16 of 31

Re: opt out of user.device_verification_requested

I have no idea who you think you are, but as any reader can easily see my comments were directed at Microsoft and not anyone else. I never asked for your help. You have zero right to go around telling people with legitimate concerns (who so far as I've seen have been quite tame/civil) that they're negative. The desire to come on forums and police people apparently for entertainment does seem to be, on the other hand, negative. I suggest giving that some thought.

 

@metux said it best. This forced device verification is nothing more than a trojan horse for surveillance. I agree with the other guy too. Sometimes I want to be anonymous. The more companies try to take away that anonymity, the more a lot of us will use other alternatives and fight back.

 

I did in fact run a self-hosted Gitlab instance for over a year and it was great. Fortunately, cloud Gitlab and its shared runners are currently meeting my personal needs with less maintenance. And they don't force draconian measures on its users. Unfortunately, Github is where people currently are. But stuff like this I guarantee it won't help the situation for them. We're talking about developers here. We're the ones who are aware of the _ _ _ _ companies are trying to pull.

 

unlea**bleep** is two words btw. Unleash and it.

Ground Controller Lvl 2
Message 17 of 31

Re: opt out of user.device_verification_requested

I totally agree.

 

This is a ridiculous misfeature which makes Github pretty unreliable and anything but serious.

Sorry to say it that hard, but that's the actual effect.

 

I'm a long term user (must be way of a decade, I don't actually recall anymore), and I've introduced it in a lot of companies (yes, the commercial subscriptions), so I'm one of the folks who made your business big.

But now you force me and my clients off.

 

By the way: I happen to be one of the guys who set up high security environments (e.g. for large international banks) doing security audits/expertises, etc. And I can clearly tell that this misfeature isn't good for security at all. It's just a trojan horse for more surveillance - the exact opposite of security.

 

If you actually were interested in security, you'd offer things like pubkey authentication, etc.

 

But asking the users to use broken-by-design and extremely insecure "smartphones" for authentication is just ridiculous and clearly sends the message that you don't have the slightest idea of either security or usability.

 

--mtx

Copilot Lvl 3
Message 18 of 31

Re: opt out of user.device_verification_requested

Plus I have several fingerprint mitigating plugins on some of my browsers. So my print will never be the same and I'll have to login to whatever theoretical email I have every time I use the service. (although it also failed on the one that doesn't have that and was used most of the time, joy) Legit hackers will find a workaround. If our passwords aren't good enough, why even have them? Why not just require email/sms code to log in? BTW, I can still log in through the github app but can no longer post to anything on the site. On the same device.

Community Manager
Message 19 of 31

Re: opt out of user.device_verification_requested

Thanks everyone for your feedback and comments, I can completely understand your concerns around this feature. I appreciate when it comes to issues of security the importance is always high and it's good to have a place to have these conversations, and share our viewpoints. That is why we are here!

 

Please rest assured I've passed on all of this feedback to our product team, I can't promise when we will have an update, but your feedback is definitely in the right hands.


Best,
AndreaG

Mark helpful posts with Accept as Solution to help other users locate important info. Don't forget to give Kudos for great content!

Ground Controller Lvl 2
Message 20 of 31

Re: opt out of user.device_verification_requested

This actually prevents us from performing non-interactive logins that run UI tests in CI. Is there a way to opt out such "test" accounts from this verification method? I tried checking the "Opt-out of session activity alerts." under the Security settings, but that didn't work. Is that supposed to disable the device verification?