top | item 45452662


abxyz | 5 months ago

I think the disconnect between you and GitHub support is that you're positioning this as a problem of proving your identity whereas for GitHub support it is a policy. The GitHub policy is: you lose your 2FA, you lose your account. Verifying your identity is not relevant. GitHub provides extensive tooling to protect your account (multiple methods of 2FA, recovery codes etc.) and so from their perspective, while this is deeply unfortunate, the policy is very clear and allowing you access to the account would be a major security issue (not for your account specifically, but for GitHub as an organization).

edit: https://docs.github.com/en/site-policy/other-site-policies/g...


ryandrake|5 months ago

These (for good reason) draconian policies are the reason I am still hesitant to embrace 2FA. I understand the significant improvement in your security posture, and I would not want someone not-me to be able to reset my credentials. But the failure mode is just too catastrophic. You lose one thing and you are shit out of luck.

We need something better. I don't know what it would be.

cxr|5 months ago

> We need something better. I don't know what it would be.

Choosing a long, very secure password for your account works really, really well. GitHub hates this, however, and nudges toward less secure practices that are more likely to result in the sorts of compromises described in this thread.

alwa|5 months ago

I for one would appreciate the option to put an ID on file ahead of time, at least for important stuff like this. I like digital-only accounts for play, but for work stuff with real-world consequence, I’d like to link it to a real-world identity system…

Not unlike the signature cards banks used long ago, I guess.

Sure, maybe somebody motivated could defraud the government into issuing them a replacement ID in my name. But that’s big boy crime, not a casual “bribe a retail employee to SIM swap” kind of undertaking.

Sure, there are issues of access to government ID systems, and I know anything touching government names / “show me your papers” raises hackers’ hackles—I’m not saying require it, just that I’d choose it if it were a MFA option of last resort.

saint_yossarian|5 months ago

You can use a TOTP authenticator with backup support (I use Aegis on Android, and less critical ones in Bitwarden), and backup your recovery codes.
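The reason an authenticator "with backup support" removes the single point of failure described above is that TOTP codes are a pure function of a shared secret and the clock (RFC 6238), so a second device holding the same exported secret produces identical codes, and hashed, single-use recovery codes give a second independent path back into the account. The following is an added example written for this thread, not code from any commenter or from GitHub; the secret, device names and recovery-code format are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then the dynamic-truncation step and a modulo to the wanted digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def export_secret(secret: bytes) -> str:
    """Authenticator apps export the seed as base32; this is what a backup must hold."""
    return base64.b32encode(secret).decode("ascii")


def import_secret(exported: str) -> bytes:
    return base64.b32decode(exported)


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Constructed format: two groups of five hex characters, e.g. 'a1b2c-d3e4f'."""
    return [f"{secrets.token_hex(5)[:5]}-{secrets.token_hex(5)[:5]}" for _ in range(count)]


def hash_recovery_code(code: str) -> str:
    """The service stores only a hash, so a database leak does not leak usable codes."""
    return hashlib.sha256(code.encode("ascii")).hexdigest()


def redeem_recovery_code(stored_hashes: set[str], presented: str) -> bool:
    """Single-use: a matching hash is removed so the same code cannot be replayed."""
    candidate = hash_recovery_code(presented)
    for stored in stored_hashes:
        if hmac.compare_digest(stored, candidate):
            stored_hashes.remove(stored)
            return True
    return False


def two_devices_agree(secret: bytes, unix_time: int) -> bool:
    """Simulate a primary device and a restored backup sharing one exported seed."""
    backup_blob = export_secret(secret)          # what Aegis/Bitwarden-style backup keeps
    restored = import_secret(backup_blob)        # the replacement phone imports it
    return totp(secret, unix_time) == totp(restored, unix_time)


if __name__ == "__main__":
    seed = b"12345678901234567890"               # RFC 6238 test-vector seed (constructed use)
    print("code at t=59:", totp(seed, 59))      # 287082, per RFC 4226/6238 vectors
    print("backup agrees:", two_devices_agree(seed, 59))
    codes = generate_recovery_codes()
    vault = {hash_recovery_code(c) for c in codes}
    print("first use:", redeem_recovery_code(vault, codes[0]))
    print("replay:", redeem_recovery_code(vault, codes[0]))
```

The takeaway for the lockout failure mode: the recoverable material is the exported seed (or the printed recovery codes), not the phone itself, so backing either up before the device is lost is what keeps the account reachable.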

michaelmior|5 months ago

Part of the problem here is that there is no prior association of an identity with an account. So proving who you are is somewhat irrelevant since even if the account has your name, email, and photo, that's no guarantee that the account was created by you. If identity verification were required ahead of time, then perhaps verifying identity after loss of access could be a reasonable recovery method. But of course there are many reasons why requiring such verification is problematic.

TheGuineaGhost|4 months ago

They are so in love with their policies, how about a policy for something better than 2FA for this possibility? Like pay $10,000, go to their headquarters in person with a lawyer and all your documents and have a "hearing" of some kind. This is even better than 2FA, call it 20FA if it makes them feel good about it! Someone in this unique situation needs a unique way to solve the issue. If I lost all of my documents in a fire, I could still get my life back together and be able to fly on airplanes again. So, there is a way to do this, even if it is extreme, if people would care and stop hiding behind paperwork and bureaucracy. Yeah, maybe they would lose some of the time they spend talking or surfing the web at their desk, but it would greatly help someone with a legitimate need that can be proven.

amatecha|5 months ago

Someone high enough in the food chain at GitHub can override that policy at their whim. I have personally had my day saved by that very "loophole" in another "lost access to an online service" situation in the past.

MrGilbert|5 months ago

I'd assume that there is simply no "ok, this individual got released from prison and can prove everything" policy in place, and that might be the real issue here. Big organizations begin to tumble once you request something where there are no policies in place.