Help
cancel
Showing results for 
Search instead for 
Did you mean: 
Ground Controller Lvl 1
Message 21 of 31

Re: opt out of user.device_verification_requested

Hi,

 

and sorry for being late in the discussion, I just arrived home so I could log in again. My problem with the additional verification is, that I'm behind a firewall most of the time which permits connections to GitHub but not to my mail provider. Thus I can't verify the device I'm working on. Same problem when travelling: I'm having a hard time to access my mails, which surely is my very own problem, but I guess there are others with similar problems with locked-down hotel WiFis. If I got it right, 2FA requires providing you with a mobile number, which I can't do for anonymity reasons, so that's no solution either. For me, the proposed opt-out would make contributing from anywhere anytime possible again.

 

Just my 2¢. :)

 

Thanks,

Flössie

Copilot Lvl 3
Message 22 of 31

Re: opt out of user.device_verification_requested

The really last update....

Verification code request during login appears again on my usual browser (not in "privacy mode"). May be this github.com-device memory is very short?

Anyone who got over this and was successful to make them remember the code for longer than a day is welcome....

Ground Controller Lvl 2
Message 23 of 31

Re: opt out of user.device_verification_requested

User device verification is the dumbest bullcrap. Really? Is account takeover that much of a problem? Where are the statistics? Whose accounts were taken over? Tell me. Never mind the fact that I'm logging in from the same machine for a long time and still I get this ridiculous overkill security measure, but you're telling me with a strong enough password people are still getting their account broken into? If so, then what really is the purpose of the user device verification?
Ground Controller Lvl 2
Message 24 of 31

Re: opt out of user.device_verification_requested

I can't even edit my comment for errors. What a joke this forum is.
Copilot Lvl 2
Message 25 of 31

Re: opt out of user.device_verification_requested

First Ehmke, lastly this. 

 

A majority of my friends already moved when github was bought by M$. Most to gitlab (mostly private instances), some back to sourceforge, a few to launchpad.

Mission Specialist Lvl 2
Message 26 of 31

Re: opt out of user.device_verification_requested


@emente wrote:

First Ehmke, lastly this. 

 

A majority of my friends already moved when github was bought by M$. Most to gitlab (mostly private instances), some back to sourceforge, a few to launchpad.


Wow!

didn't even know that tidbit.

Fvck M$ I deleting my github

Ground Controller Lvl 1
Message 27 of 31

Re: opt out of user.device_verification_requested

I'd just like to add to this discussion that I've been experiencing similar problems for the last few months, having to enter an email verification code ever other time I log in from an identical laptop. (I'm logging on every day almost, but I do have two unix user accounts on it that I log in from, for work related reasons).

 

There must be some way to make github remember devices for longer periods of time.

There are legitimate concerns with downloading apps onto a device for this, especially an iphone or android, where the owner isn't the superuser on the device, and especially considering that Microsoft is the author of the code.

 

It's irritating to have to continually enter a code in every other time, and I doubt it's necesarry.

Copilot Lvl 2
Message 28 of 31

Re: opt out of user.device_verification_requested

Same. Each time on login, i signin my mail box before github from now. 

And seriously? The security of and ABILITY TO ACCESS the github site is based upon another 3rdparty site somewhere on the internet. Some guy over there who up his site and called it mail service. It's just a way to implictly declare limited warranty and escape any claims if your account gets hijacked for real. 

 

Tommorrow that guy dies, his mail service is gone, thus your account is gone either? Nice usability.

Random guys with sites are now called the security.

Ground Controller Lvl 1
Message 29 of 31

Re: opt out of user.device_verification_requested

Okay, this thread got a little hostile. But the point isn't entirely wrong, and this is starting to bug me, too.

I have considered the security benefit of this so called 'device verification' and I believe there is zero for people with strong passwords. Let's go over this, shall we.

 

Let's assume an attacker is trying to break into my account. They have three avenues. The can a) attack the servers, b) my own system or c) the connection between those two.

If a) works without knowing the password, then you're seriously in the deep end.

If b) works, then my email account is accessible, every password I enter loggable, and probably my phone cracked, too. That's kinda the deep end for me. No point verifying a device when the device itself is the weak point.

If c) works, then virtually everything can be faked, so device verification is kinda pointless.

 

I do have a 16 character long cryptographically secure random password. By all means, try cracking it. If you can pull that off without peaking (and I _seriously_ hope you can't peak) then I'll reconsider my point.

 

Otherwise, please consider adding an opt-out for this feature. It does not add security. It adds extra work. I like using incognito mode permanently, so this device verification hits me each time.

Two factor authentication is not going to happen, either. Not to mention, that also adds extra work each time.

Copilot Lvl 2
Message 30 of 31

Re: opt out of user.device_verification_requested

It is not GitHub's responsibility to require my phone number which is personal and private information. It is one thing for the office to do this, but for GitHub to gathers peoples personal information is out of hand. The less information you have the less is at risk if a data breach happens.

 

It is not GitHub's responsibilility to manage my device.

It is not GitsHub's resposibility to question where I log in from.

It is not GitHub's responsibility to tell me I should have my phone glued to my hip every time I log in.

 

Furthermore those bloody emails take forever to arive.

 

Users should have a choice as to what how they want to login. IF someone wants to give everyone and their brother their phone number and personal information, that is their choice. Too many sites are ramming unnecessary security down peoples throat to protect us from ourselves. That is not GitHub's Job, and they are over steping their bounds! Honestly, I can do that myself and it should not be up to any company or organization to require my personal information unless it is mssion critical; like a bank i.e.