(no title)
BonusPlay | 1 year ago
Spending 1 minute setting up 2FA is really not a big deal.
[1] https://github.blog/news-insights/product-news/raising-the-b...
w0m|1 year ago
arp242|1 year ago
But it's not important for a lot of people. Lots of people just create the occasional issue or some such. Almost no one is a maintainer of something important.
And overall it's just a hassle that adds zero security for me; I just have the tokens in the password manager next to the passwords (where else do I store it? I just have my laptop).
It's something that should be the user's choice, based on how important the account is, personal factors, etc.
000ooo000|1 year ago
As an aside, I'm surprised I've never seen an async authentication system whereby PW gets you in, 2FA code is sent, and you can continue accessing the system in a limited way until you submit your 2FA code, instead of sitting on some intermediary page waiting a few minutes for the code to arrive.
blueflow|1 year ago
If I have to log in to GitHub from somewhere else, I call my landline and have SO read the 2FA code to me. But since this is cumbersome, I try to get my stuff done without the GitHub login.
pmontra|1 year ago
jjav|1 year ago
"important" is a per-person individual decision.
A phrase that used to be very common is "mechanism, not policy".
The role of a vendor is supposed to be to enable mechanisms so that customers can implement whichever policy best fits their needs.
The role of a customer is to choose and implement the policy that best works for them personally, using the mechanisms that the vendor provides.
It is fundamentally wrong for a vendor to impose policy; that's not their job. Nor do they have the information to correctly make that decision.
Some (few) people have important source code in their GitHub account. I'd highly encourage those people to enable 2FA. Most people don't have anything important that anyone else uses, so adding the overhead of 2FA for them is beyond silly and purely obnoxious.
diego_sandoval|1 year ago
So I have an email account without 2FA that receives the GitHub 2FA code.
miohtama|1 year ago
bachmeier|1 year ago
Nearly all resistance to 2FA is because of fear of losing access to the 2FA device. I believe it's a well-earned resistance, because they've done a terrible job of explaining that there are alternatives in that case, such as special codes that you can write down and put in a safe.
danaris|1 year ago