this post was submitted on 05 Jun 2024
46 points (78.0% liked)

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...

[–] [email protected] 4 points 5 months ago (2 children)

I have a dedicated phone with a dedicated number which stays at home all the time. Call it (see what I did there) the Authenticator phone, whose only job is to authenticate me when needed. Not only for GitHub, but other services too. Minimizing the risk of losing or breaking the device. And companies don't get all my private stuff.

[–] [email protected] 8 points 5 months ago (1 children)

Works great till somebody does a sim swap on you.

[–] [email protected] 2 points 5 months ago (1 children)

How? It's physically at home.

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago) (1 children)

Swapping the sim associated with your phone number -- from your sim to their sim.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago) (1 children)

But how? It's at my home and without physical access to it, it's impossible to swap the SIM card. It's always at my home. Nobody can transmit my phone number to their SIM card without my knowledge and permission.

[–] [email protected] 4 points 5 months ago (1 children)

As in "Hi PhoneCompany, I'd like a mobile plan with you. Yes, I'd like to bring my old phone number over to the new account."

Or "Hi PhoneCompanySupport, I'm @thingsiplay and i lost my sim, plz send me a new one. BTW my new address is ..."

Ideally it shouldn't happen, but phone company security is pretty slack sometimes.

[–] [email protected] 3 points 5 months ago (1 children)

That's a bit far-fetched from reality, just to build an anti argument. I don't know where you live, but in Germany this cannot happen. You can't just order a SIM to any address and use the phone number you wish. You have to provide with 100% certainty that you are the owner of the SIM card, as every new registered card/number has to provide your government ID and your personal signature. Also taking an old phone number to a new account can only happen if you provide proof you owned it in the first place.

If you know any case (here in Germany) someone could steal the phone number like you just described, please provide a link. This would be a huge security issue that should not be possible to happen. Nobody in the world can do that to my phone number and I think you just fabricate something that is not possible in Germany.

[–] [email protected] 3 points 5 months ago (1 children)

Ah, that's good then.

In Australia you really only need a name and date of birth and ID such as a passport or driving license number of the owner. No physical or even photographic proof. Some phone companies send the original sim a notification before moving it, but no response is required and moving the number often only takes 10~30mins.

Banks in Australia commonly use sms codes as 2fa.

A large percentage (20~30%?) of adult Australians have had their ID details leaked in recent years because there are no adequately enforced security requirements or data-retention limits. One of the largest breaches was the second largest mobile phone provider...

[–] [email protected] 1 points 5 months ago (1 children)

I see. Of course I only speak from my environment. Even if ID details would have leaked, it should be impossible for someone to get my phone number, even if the person knows my name and phone number and any ID details.

It's actually quite hard to get authenticated for a new phone number in my opinion. For example, last year I set up this new number and at first try it did not work, without giving any reason that could give a hint. I ended up buying a different prepaid SIM card and the process was the same: go to bank, and do all the shenanigans and dance.

BTW sorry for my previous inflammatory language; I get heated up pretty quickly. And you stayed cool.

[–] [email protected] 2 points 5 months ago

No worries. The situation I was describing is indeed absurd and defies reasonable expectations.

[–] [email protected] 2 points 5 months ago (1 children)

That's exactly what I'm planning to do, a phone that forwards all sms messages through ntfy (or other service like signal) to me.

[–] [email protected] 3 points 5 months ago (2 children)
[–] [email protected] 3 points 5 months ago

Thanks, but I'll be running postmarketOS and make an SMS forwarder myself.

[–] [email protected] 3 points 5 months ago

Interesting software. Never heard about this. This is not really for me as I don't do SMS authentication or SMS in general or use that phone at all, other than authenticate myself from time to time. I wonder how this differs from software like KDEConnect in its practicality (not in the technical implementation differences).