Two-factor authentication for the GitHub organization

Waiiit… Just went and read the link that @Darkchaos posted above.

It does not say anything about basic CLI access. It is specifically talking about people hitting documented API endpoints, which are a different issue altogether. (The list is for a CLI tool that deliberately scrapes everything github has about a repository, including the entire tracking system, forks under other people’s accounts, wikis, etc.)

As a test, I just pushed a branch to my personal repository using bare git CLI over https. Worked perfectly (modulo having to look up my GH password - I do more in-UI merge work than new code at the moment), and so far, no messages/emails from GH.

I do see the motive for 2FA, but considering what it would mean for jME (losing @mitm, at minimum), I don’t think we should enforce it. I also don’t consider jME to be a particularly high risk target - we’re an open-source game engine. I see 2FA as valuable for high-profile projects with notable financial interests and for corporate GitHub accounts (proprietary code), but it strikes me as a bit overkill to require it for contributing to jME. Definitely worth encouraging, but I think our downsides here heavily outweigh the upsides.

1 Like

Agreed.

The target is not the engine, but the people using it, and it can be just a bot pushing malware from compromised github accounts.

I was the one proposing to enforce 2fa, but if this is a problem for someone, we can just encourage it.

I don’t see any downside in using 2FA. You can totally use the git command line (not sure about password login, but you can use SSH key authentication, so it won’t even require a password anymore…) and it is not annoying: you don’t need to validate every time you use git.

2 Likes

I totally agree - the downside I was referring to was losing @mitm (and possibly others) from the team, not setting up authentication tokens for GitHub.

1 Like

Oops!
Looks like I was the one not reading properly.
My Git UI was not using auth tokens yet and was thus causing that e-mail, I guess.
This is the actual e-mail:

You recently used a password to access an endpoint through the GitHub API using git-credential-manager (Microsoft Windows NT 6.2.9200.0; Win32NT; x64) CLR/4.0.30319 git-tools/1.16.1. We will deprecate basic authentication using password to this endpoint soon:

https://api.github.com/user/subscriptions

We recommend using a personal access token (PAT) with the appropriate scope to access this endpoint instead. Visit https://github.com/settings/tokens for more information.

Sorry for causing such a confusion.

Back to topic:
We can “enforce” it then by talking to the people; we don’t need automatic enforcement from GitHub. That way we can get the majority of the people to use 2FA.

3 Likes

To set a good example, I enabled 2FA for my GitHub login today, using my mobile phone.

After setting up PATs, all my Git-oriented tools (including command-line Git, Gitk, Travis CI, AppVeyor, and the JME3 SDK) can access my repos. Access through a web browser also works, of course.

Plus it looks easy to undo 2FA if I encounter issues.

A piece of advice: make sure you have a working local printer when you set up 2FA, so you can make a hardcopy of your recovery codes.

2 Likes

I’ve set up 2FA as well.

2 Likes

Thank you. We now have 12 out of 33 team members using 2-factor authentication.
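The "12 out of 33" count above is something an org owner can reproduce from the GitHub REST API rather than by clicking through the People page. The script below is an added example, not code from the thread or from the jME project: it lists all members of an organization, lists the subset returned by the documented `filter=2fa_disabled` parameter of `GET /orgs/{org}/members` (only honoured when the caller is an org owner), and reports who still lacks 2FA. It assumes a personal access token with the `read:org` scope in the `GITHUB_TOKEN` environment variable, and the organization name `example-org` is a hypothetical placeholder. The summary logic is kept separate from the HTTP calls so it can be checked offline on a constructed member list.

```python
"""Audit which members of a GitHub organization have not enabled 2FA.

Added example, not code from the jME project or the forum thread. Assumes:
- a personal access token (PAT) with the read:org scope in GITHUB_TOKEN,
  belonging to an owner of the organization (the 2fa_disabled filter on
  GET /orgs/{org}/members is only honoured for org owners);
- the organization name in ORG (hypothetical placeholder; replace it).
"""
import json
import os
import re
import urllib.request

API = "https://api.github.com"
ORG = "example-org"  # hypothetical organization name; replace with your own


def github_get_all(path, token, params=None):
    """Follow GitHub's Link-header pagination and return the merged JSON list."""
    query = "&".join(f"{k}={v}" for k, v in (params or {}).items())
    url = f"{API}{path}?per_page=100" + (f"&{query}" if query else "")
    results = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "2fa-audit-example",
        })
        with urllib.request.urlopen(req) as resp:
            results.extend(json.load(resp))
            link = resp.headers.get("Link", "")
        # The Link header carries a rel="next" entry until the last page.
        m = re.search(r'<([^>]+)>;\s*rel="next"', link)
        url = m.group(1) if m else None
    return results


def summarize_2fa(all_members, members_without_2fa):
    """Combine the full member list and the 2fa_disabled list into a report.

    Returns (total, with_2fa, sorted logins without 2FA). Logins are compared
    rather than raw member dicts, so the two lists need not share ordering,
    and anyone in the 2fa_disabled list who is not (or no longer) a member
    is ignored.
    """
    all_logins = {m["login"] for m in all_members}
    missing = sorted({m["login"] for m in members_without_2fa} & all_logins)
    return len(all_logins), len(all_logins) - len(missing), missing


def audit(org, token):
    """Fetch both member lists from the API and summarize them."""
    everyone = github_get_all(f"/orgs/{org}/members", token)
    no_2fa = github_get_all(f"/orgs/{org}/members", token,
                            {"filter": "2fa_disabled"})
    return summarize_2fa(everyone, no_2fa)


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        raise SystemExit("set GITHUB_TOKEN to a PAT of an org owner (read:org scope)")
    total, ok, missing = audit(ORG, token)
    print(f"{ok} of {total} members of {ORG} have 2FA enabled")
    for login in missing:
        print(f"  no 2FA: {login}")
```

Run it as `GITHUB_TOKEN=... python audit_2fa.py`; because the token is a PAT rather than a password, the script itself is unaffected by the basic-authentication deprecation quoted in the e-mail above. If the caller is not an org owner, GitHub silently ignores the filter and the "without 2FA" list comes back as the full membership, so an all-members result is a sign to check the token's owner rather than a real finding.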