
Re: Salsa update: no more "-guest" and more



Hello,

On Sun 26 Apr 2020 at 10:53PM +02, Vincent Bernat wrote:

>  ❦ 26 avril 2020 20:29 +00, Jeremy Stanley:
>
>> You're already seeing quite a few folks responding that being
>> required to use an additional application or device each time they
>> authenticate would be an inconvenience to them. This is a signal. I
>> personally wouldn't enjoy being prompted to activate my TOTP client
>> software every time I invoke `git push` so I can understand the
>> resistance to your proposal.
>
> This is not how this is implemented. I am using GitHub and GitLab with
> 2FA enabled and I am rarely asked to enter any token. Once you get
> authenticated on a device, it remains for a long time. The threat model
> is to prevent someone stealing your password through
> phishing/spying/guessing to log in to your account. SSH keys being
> asymmetrical, they are not covered by this.

It is worth knowing that with GitLab 2FA you can request reset codes so
long as you have control over an SSH key registered to the account:
<https://support.gitlab.com/hc/en-us/articles/360010968579-Generate-new-recovery-codes-using-SSH>

This limits the categories of attack that GitLab's 2FA can protect you
against -- e.g. laptop compromise.

-- 
Sean Whitton

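An added illustration of the capability Sean points at, written for this page rather than taken from the thread or from GitLab's own tooling. The SSH command itself (`ssh git@<host> 2fa_recovery_codes`) is the one the linked GitLab article documents; everything else is assumed: that the "(yes/no)" confirmation can be fed on stdin, the host name and key path, the sample output (constructed here, layout illustrative only), and the helper names. The point of the second function is the caveat: if the private key on the laptop has no passphrase, anyone who walks off with the laptop can mint fresh recovery codes without ever seeing the TOTP device.

```shell
#!/bin/sh
# Added example, not code from the original mail or from GitLab.

# Regenerate 2FA recovery codes using nothing but a registered SSH key.
# Documented command: ssh git@<host> 2fa_recovery_codes
# Assumption: the (yes/no) confirmation prompt accepts the answer on stdin.
gitlab_regen_recovery_codes() {
    host="$1"   # e.g. gitlab.example.com (assumed)
    key="$2"    # path to the registered private key (assumed)
    printf 'yes\n' | ssh -i "$key" -o IdentitiesOnly=yes "git@$host" 2fa_recovery_codes
}

# Keep only the lines that are a bare code token (8+ letters/digits/hyphens,
# nothing else on the line), dropping the prompt and the surrounding banner.
extract_codes() {
    grep -E '^[[:alnum:]-]{8,}$'
}

# Number of codes found on stdin.
count_codes() {
    extract_codes | wc -l | tr -d ' '
}

# The caveat: does a laptop thief need a passphrase first?  ssh-keygen -y
# derives the public key from the private one; with an empty passphrase it
# fails on an encrypted key and succeeds on a plaintext one.
# Assumes OpenSSH's ssh-keygen is installed.  Returns 0 if protected.
key_is_passphrase_protected() {
    [ -r "$1" ] || { echo "no such key: $1" >&2; return 2; }
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Constructed sample of what the command might print (illustrative layout,
# made-up codes); used so the parsing runs offline.
SAMPLE_OUTPUT='Are you sure you want to generate new two-factor recovery codes?
Any existing recovery codes you saved will be invalidated. (yes/no)

Your two-factor authentication recovery codes are:

a1b2c3d4e5f60718
9f8e7d6c5b4a3201
0011223344556677

During sign in, use one of the codes above when prompted for your
two-factor code. Then add a new device in your profile settings.'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | extract_codes
```

Run `gitlab_regen_recovery_codes gitlab.example.com ~/.ssh/id_ed25519 | extract_codes` against a real instance to see the live behaviour; `key_is_passphrase_protected ~/.ssh/id_ed25519 || echo "unprotected key"` is the check worth putting in a laptop audit script.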

