On 2017-12-12 02:17, Gregory P. Smith wrote:
> On Mon, Dec 11, 2017 at 12:26 PM R. David Murray <rdmur...@bitdance.com> wrote:
>
>> On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft <don...@stufft.io> wrote:
>>
>>>> On Dec 11, 2017, at 2:52 PM, R. David Murray <rdmur...@bitdance.com> wrote:
>>>>
>>>> If 2fa is required for contribution to CPython, I'll stop
>>>> contributing.
>>>
>>> I’m curious why? I have it on and 99% of the time you don’t even
>>> notice because you’re already logged into GitHub and pushes/pulls
>>> don’t require it.
>>
>> I had to use 2FA when working for a corporate client, and it was
>> very annoying. The fact that pushes and pulls don't require it
>> helps, but also makes it considerably less important.
>
> Please don't let /that/ experience color your 2FA opinion. Not every
> $random_corp does a good job of it.
>
> It does not have to be annoying. Github's and Google's are examples of
> 2FA done right that is not annoying (using U2F).
>
>> But I suppose that fundamentally I do not want my security tied to a
>> possession.
>
> *2FA doesn't need to be tied to a single possession.* You are not
> limited to a single second factor thing. You can have plentiful
> different two factor methods set up at once. This is normal. ex: A
> printed recovery code at the very least as a second second factor. Have
> multiple U2F USB tokens tied to your account? Yes. I do that all the
> time on all accounts.
>
> Heck, a photo/scan/screenshot of backup one time codes stored as a
> public image somewhere with no password authentication for the world to
> see on an http server still counts. As laughable as that is, it is
> *still* much better than not having 2FA enabled at all. Because it
> isn't going to be an automated attack at that point.
>
> /Any/ 2FA is much better than no 2FA.
>
> When (not if) your login/password is compromised, it is rarely your own
> fault. But your account and all of your data can be gone in a heartbeat
> as soon as anyone or anything malicious chooses to make it so on
> whatever selection of accounts they choose to victimize. Often
> irrecoverably. With 2FA enabled, that is much less likely to happen to you.
>
> Try it. You will remain happy.
>
> I recommend the https://www.yubico.com/product/yubikey-neo/ as a primary
> U2F token because it even works with Chrome on Android phones via NFC
> when you need to re-auth there. That is a more expensive one; there are
> $10-20 alternative vanilla U2F USB tokens. I have some of those as
> backups. The "nano" style keys that you just leave in the USB port of
> all computers you use regularly are also a nice solution. No need to
> find and pull out the key, it is just present in your computers (it
> requires a physical touch to prevent remote access).
>
> Which 2FA methods to choose is an individual choice, but in my
> experience since the U2F keys came out, I'm less inclined to use any
> service that doesn't support them as all other solutions are a worse
> user experience for me.
>
> IMNSHO, the PSF /should/ be able to buy one or two U2F tokens for any
> committer who needs them. This should not depend on a policy of 2FA
> use, it would just be a way to promote good security practices among
> committers to make us all better off.
+1

If you don't trust the closed-source Yubico hardware, there is plenty of
other hardware out there. https://www.nitrokey.com/ is good German
engineering with fully open-sourced hardware and software.

Adam has compiled a nice list of U2F and 2FA tokens, too.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Christian

_______________________________________________
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/
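The quoted message argues that an account should have several second factors enrolled at once (an authenticator or U2F token plus printed single-use recovery codes), and that the weak-but-better fallback still stops automated credential-stuffing. The following is an added example, not code from this thread or from the PSF's or GitHub's infrastructure, showing how a service can accept either a TOTP code (RFC 6238, the scheme authenticator apps implement) or one of a set of recovery codes that are stored only as salted hashes and deleted after use. The TOTP secret, recovery codes, window size and code format are assumptions made for the example; the only thing taken from a standard is the RFC 4226/6238 algorithm itself.

```python
"""Added example: accept more than one second factor for the same account.
Everything here (secret, codes, parameters) is constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30        # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1       # accept one step of clock skew on either side


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def hash_recovery_code(code: str, salt: bytes) -> bytes:
    # Recovery codes are short and human-typed, so normalise the spelling and
    # store a salted, slow hash; a database leak must not expose usable codes.
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


def generate_recovery_codes(n: int = 8) -> list[str]:
    """Printable codes like 'a3f9-0c1d' (assumed format, 32 bits each)."""
    return [f"{secrets.token_hex(2)}-{secrets.token_hex(2)}" for _ in range(n)]


class SecondFactors:
    """One account's enrolled second factors: a TOTP secret plus recovery codes."""

    def __init__(self, totp_secret: bytes, recovery_codes: list[str]):
        self.totp_secret = totp_secret
        self.last_totp_counter = -1      # a TOTP time step may be used only once
        self.salt = secrets.token_bytes(16)
        # Only hashes are kept; a hash is discarded once its code has been used.
        self.recovery_hashes = {hash_recovery_code(c, self.salt) for c in recovery_codes}

    def verify(self, submitted: str, now: int | None = None) -> str | None:
        """Return which factor matched ("totp" or "recovery"), or None."""
        now = int(time.time()) if now is None else now
        counter = now // TOTP_STEP
        for c in range(counter - TOTP_WINDOW, counter + TOTP_WINDOW + 1):
            if c <= self.last_totp_counter:
                continue                 # replay of an already-consumed step
            if hmac.compare_digest(hotp(self.totp_secret, c).encode(), submitted.encode()):
                self.last_totp_counter = c
                return "totp"
        digest = hash_recovery_code(submitted, self.salt)
        for stored in self.recovery_hashes:
            if hmac.compare_digest(stored, digest):
                self.recovery_hashes.discard(stored)   # single use
                return "recovery"
        return None


if __name__ == "__main__":
    # RFC 6238 test secret; at unix time 59 the 6-digit code is 287082.
    account = SecondFactors(b"12345678901234567890", ["abcd-1234"])
    print(account.verify("287082", now=59))        # totp
    print(account.verify("287082", now=59))        # None (replay rejected)
    print(account.verify("ABCD 1234", now=59))     # recovery
    print(account.verify("abcd-1234", now=59))     # None (already consumed)
```

Two details carry the security weight: every comparison is constant-time, and both factors are consumed on use, so a TOTP code observed over someone's shoulder and a recovery code photographed off a desk each work exactly once. Real deployments would additionally rate-limit attempts per account, since a six-digit code is brute-forceable without that.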