
Tell HN: GitHub forcing 2FA on users has no basis in their ToS

9 points| devguy2 | 2 years ago

Recently I received an email from GitHub telling me I need to enable 2FA because I'm a somewhat active (hobbyist!) developer...

But the ToS very clearly states:

"You are responsible for keeping your Account secure while you use our Service. We offer tools such as two-factor authentication to help you maintain your Account's security, but the content of your Account and its security are up to you."

I think it is cute when corporations don't even bother to conform to their ToS themselves. This one is even almost readable.

Anyway, I just thought you'd like to know. Have a nice day!

14 comments


tkw01536|2 years ago

IANAL but I don’t think that GitHub is violating their ToS here.

L4 says “GitHub has the right to suspend […] your access […] at any time […]. GitHub reserves the right to refuse service to anyone for any reason at any time.”

devguy2|2 years ago

Sure, "no basis" is perhaps a bit spicy... but it's still an active contradiction that they could have easily changed. (And in doing so should have made them at least think twice before pushing this.)

rozenmd|2 years ago

IANAL, but ToS's provide companies an option, not an obligation, to do something.

It's not a law.

MuffinFlavored|2 years ago

Not super related, but it's funny that Twitter basically shed text 2FA unless you pay for it with their monthly blue checkmark thing, demoting anybody who had text 2FA to an authenticator-style app to save on cost, whereas Microsoft/GitHub are forcing everybody to enroll, which would invert what Twitter did and send their 2FA SMS costs through the roof.

JLCarveth|2 years ago

Authenticator-based 2FA is far more secure than SMS-based 2FA

OtmaneBenazzou|2 years ago

Are you going to cry because a company wants your data to be a bit more safe?

ipaddr|2 years ago

Then you won't object to 3FA or 20FA. More steps is safer, right?

If your account is unimportant to you, GitHub shouldn't force you to add layers of security when they literally throw you under the bus in the ToS telling you it is your responsibility. Good, let me decide my level of risk.

jamesboehmer|2 years ago

Are you against 2fa, or against being compelled to use it? Why?

devguy2|2 years ago

The latter. And especially the reasoning they provide W.R.T. "securing the software supply chain". I have a strong, managed, password which is perfectly reasonable for a few hobby hacks...

See also: "I am not a supplier" https://news.ycombinator.com/item?id=34201368

Melingo|2 years ago

They write the ToS.

It doesn't matter if they updated them in time for someone actually reading a ToS.

ftfdfyjbdsff|2 years ago

GitHub, by being under Microsoft, is now an advertisement support service.

The main reason they want your phone number is to tie you to a more expensive profile for ad impressions.