[python-committers] Re: Please make sure you're following good security practices with your GitHub account
On Wed, 16 Jun 2021 at 06:15, Julien Palard via python-committers wrote:
>
> I do use a Yubikey too.

I'm not particularly bothered by the debate over 2FA (I have a 2FA app on my phone that I use and that's sufficient) but I'd like to offer a counter-argument to everyone saying Yubikeys are a straightforward solution (not particularly picking on you, Julien, a few people have suggested this option).

Maybe they are for a lot of people, but I have 3 PCs, a tablet and a phone that I routinely use for GitHub access. At least one is critically short of USB ports from all of the other junk I have plugged in. I checked the Yubikey website and their recommendation (based on my answers to their questions about how I would use them) was to buy *three* keys, each of which was priced at about €40-50. That's a lot of money¹. And there was some comment about not working completely seamlessly with my iPad, which worried me, as well. And even with 3 keys, that's still going to mean swapping keys as I have more than 3 devices...

So while I support the idea of having 2FA (I spotted a suspicious attempt to log into my account that failed, like Brett, so there's definitely a need) I don't think we should assume any particular solution will work universally - and finding a working solution might be hard for some people (for a long time, I didn't use a smartphone regularly, and none of the available 2FA solutions really worked for me).

It sounds like a Yubikey might be a reasonable solution for Tim, but only he can say that for sure, and we should avoid letting our enthusiasm for our own preferred solution blind us to the fact that it might not suit everyone.

(Sorry - some battle scars showing there, I've had rather too many people tell me to get a Yubikey when it really doesn't work for me. It soured me on 2FA for quite some time, until I found a solution that suited me...)

Paul

¹ Yes, I know it's way less than I spent on all those PCs!!!
___
python-committers mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-committers.python.org/
Message archived at https://mail.python.org/archives/list/[email protected]/message/6GFHYEEO6G6OQQ26K6FW4FO4R34PEA2L/
Code of Conduct: https://www.python.org/psf/codeofconduct/
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
Something I'd like to add to the discussion: 2FA on GitHub only applies to the website, not the SSH access:

https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication#authenticating-on-the-command-line-using-ssh

So by enabling 2FA you only protect settings and actions which can only be done via the website. It's still possible for someone getting access to your SSH key to push PRs in your name, for example.

Now 2FA in general is a good idea, but as someone who has lost access to accounts because of my mobile's TOTP app failing on me, please make sure that you do configure the available recovery methods or take snapshots of the TOTP registration QR codes and store them in a password manager (if that works with the website). Failing to do so can make 2FA a nightmare, since websites will make it really hard to regain access to the account when enabled.

BTW: A lot of this is smoke and mirrors or snake oil, as they say... the most vulnerable account is your email account and this is still good old user id and password in many cases. Additionally, emails tend to travel via several hops you don't have control over, e.g. mailchimp et al., your provider. If you're lucky all those hops use TLS for in-transit messages, but I have yet to find a website which sends your access reset emails using GPG or S/MIME for end-to-end encryption. You know: weakest link in a chain, etc.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Jun 16 2021)
>>> Python Projects, Coaching and Support ...    https://www.egenix.com/
>>> Python Product Development ...        https://consulting.egenix.com/
::: We implement business ideas - efficiently in both time and costs :::

eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
https://www.egenix.com/company/contact/
https://www.malemburg.com/

Message archived at https://mail.python.org/archives/list/[email protected]/message/VD6QKSEH5GXTYVUEBUD62HFSYU5XIA7X/
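Marc-Andre's suggestion of snapshotting the registration QR code rests on how TOTP works: the QR code encodes an otpauth:// URI whose `secret` parameter is the entire shared secret, and every device holding that secret computes the same codes from the clock. The following is an added example (not code from the thread, from GitHub or from any authenticator app) that parses such a URI and generates and verifies codes with only the Python standard library. The URI, the `GitHub:alice` label and the digits/period values are constructed for illustration; the base32 secret is the RFC 6238 test key. The practical caveat is that the snapshot is therefore equivalent to the secret itself: anyone who obtains it can generate your codes, and keeping it in the same password manager as the password collapses both factors into one store.

```python
"""Minimal RFC 6238 TOTP generator and verifier (standard library only).

Added example, not code from the thread. The otpauth:// URI used below is
constructed for illustration; the base32 secret is the RFC 6238 test key
("12345678901234567890" in ASCII).
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Extract what an authenticator app stores when it scans a provisioning QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [None])[0],
        "secret": params["secret"][0],  # the shared secret: this is all a backup needs
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)  # re-add the padding apps usually strip
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower()))
    digest = mac.digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, now=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if now is None:
        now = time.time()
    return hotp(secret_b32, int(now) // period, digits, algorithm)


def verify_totp(secret_b32, candidate, now=None, window=1,
                digits=6, period=30, algorithm="SHA1"):
    """Accept a code from the current step or the `window` adjacent steps (clock skew)."""
    if now is None:
        now = time.time()
    step = int(now) // period
    for counter in range(step - window, step + window + 1):
        expected = hotp(secret_b32, counter, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed provisioning URI, as it would be embedded in a registration QR code.
    uri = ("otpauth://totp/GitHub:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
           "&issuer=GitHub&digits=6&period=30")
    p = parse_otpauth(uri)
    # "Phone" and "snapshot of the QR code" hold the same secret and agree on the code.
    phone = totp(p["secret"], digits=p["digits"], period=p["period"])
    snapshot = totp(p["secret"], digits=p["digits"], period=p["period"])
    print(p["label"], phone, snapshot, phone == snapshot)
```

The verifier accepts the adjacent time steps to tolerate clock skew between the server and the device, at the cost of each code staying valid for up to three periods; a server should additionally remember the last step it accepted so a captured code cannot be replayed inside that window.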
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
On 16/06/2021 07.14, Julien Palard via python-committers wrote:
> I do use a Yubikey too.
>
> Le 6/14/21 à 11:27 PM, Tim Peters a écrit :
>> If I buy one and plug it in, and that's the end of it, fine by me
>
> That's almost as simple as you want:
>
> - In GitHub settings 2FA tab you'll have to hit a "Register a new
> security key" button, it makes your key "blink" (blinking means: please
> touch the key to allow this action).
>
> - Then every time you login your key blinks and you have to touch it to
> allow this action.
>
> And that's it. It uses an open standard called U2F [1] which works on a
> variety of setups (it works with Firefox on Debian for example). It also
> works on pypi.org \o/.
>
> If the PSF is willing to help financially, I'd recommend everyone to buy
> (and register) two keys: a primary key and a backup key in case you
> lose or break the first one.

Most sites with MFA support have backup/recovery codes, too. I recommend that you generate backup codes, print them out and store the printout with your important documents. It's low tech and safe.

Christian

Message archived at https://mail.python.org/archives/list/[email protected]/message/DP327KUOLMGVHUDTGTXPK6VJFSEHV4ZP/
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
Le 16/06/2021 à 10:33, Christian Heimes a écrit :
> On 16/06/2021 07.14, Julien Palard via python-committers wrote:
>> I do use a Yubikey too.
>>
>> Le 6/14/21 à 11:27 PM, Tim Peters a écrit :
>>> If I buy one and plug it in, and that's the end of it, fine by me
>>
>> That's almost as simple as you want:
>>
>> - In GitHub settings 2FA tab you'll have to hit a "Register a new
>> security key" button, it makes your key "blink" (blinking means: please
>> touch the key to allow this action).
>>
>> - Then every time you login your key blinks and you have to touch it to
>> allow this action.
>>
>> And that's it. It uses an open standard called U2F [1] which works on a
>> variety of setups (it works with Firefox on Debian for example). It also
>> works on pypi.org \o/.
>>
>> If the PSF is willing to help financially, I'd recommend everyone to buy
>> (and register) two keys: a primary key and a backup key in case you
>> lose or break the first one.
>
> Most sites with MFA support have backup/recovery codes, too. I recommend
> that you generate backup codes, print them out and store the printout
> with your important documents. It's low tech and safe.

It's as reliable as printing passwords on a piece of paper, isn't it?

Message archived at https://mail.python.org/archives/list/[email protected]/message/XKTCGU4LYKV2T2VVUP3QGPDKFAZO4K34/
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
Le 16/06/2021 à 07:14, Julien Palard via python-committers a écrit :
> I do use a Yubikey too.
>
> Le 6/14/21 à 11:27 PM, Tim Peters a écrit :
>> If I buy one and plug it in, and that's the end of it, fine by me
>
> That's almost as simple as you want:
>
> - In GitHub settings 2FA tab you'll have to hit a "Register a new
> security key" button, it makes your key "blink" (blinking means: please
> touch the key to allow this action).
>
> - Then every time you login your key blinks and you have to touch it to
> allow this action.
>
> And that's it. It uses an open standard called U2F [1] which works on a
> variety of setups (it works with Firefox on Debian for example).

For the record, U2F has never worked for me with Firefox on Ubuntu. It works with the Firefox binaries provided by Mozilla, though.

Regards

Antoine.

Message archived at https://mail.python.org/archives/list/[email protected]/message/ZMTNMYBVDTVS7H7M5M4R72HS77VNDRZC/
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
On 16/06/2021 10.50, Antoine Pitrou wrote:
>
> Le 16/06/2021 à 10:33, Christian Heimes a écrit :
>> On 16/06/2021 07.14, Julien Palard via python-committers wrote:
>>> I do use a Yubikey too.
>>>
>>> Le 6/14/21 à 11:27 PM, Tim Peters a écrit :
>>>> If I buy one and plug it in, and that's the end of it, fine by me
>>>
>>> That's almost as simple as you want:
>>>
>>> - In GitHub settings 2FA tab you'll have to hit a "Register a new
>>> security key" button, it makes your key "blink" (blinking means: please
>>> touch the key to allow this action).
>>>
>>> - Then every time you login your key blinks and you have to touch it to
>>> allow this action.
>>>
>>> And that's it. It uses an open standard called U2F [1] which works on a
>>> variety of setups (it works with Firefox on Debian for example). It also
>>> works on pypi.org \o/.
>>>
>>> If the PSF is willing to help financially, I'd recommend everyone to buy
>>> (and register) two keys: a primary key and a backup key in case you
>>> lose or break the first one.
>>
>> Most sites with MFA support have backup/recovery codes, too. I recommend
>> that you generate backup codes, print them out and store the printout
>> with your important documents. It's low tech and safe.
>
> It's as reliable as printing passwords on a piece of paper, isn't it?

No, recovery codes on paper are much more secure than printing passwords on paper. Passwords give an attacker immediate access to your account. Recovery codes only contain one-time use second factors. They are useless without the first factor (password). You keep recovery codes at home, too. An attacker would need to get access to your first factor and then break into your apartment to locate and steal your second factor.

Christian

Message archived at https://mail.python.org/archives/list/[email protected]/message/JK67MJV44WV7V5UAJ2H4EL62CLG75OFY/
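Christian's two properties of recovery codes, that each one works exactly once and that none of them works without the password, are server-side behaviour rather than anything about the paper they are printed on. The following is an added example (not code from the thread or from GitHub) of how a site can implement both: it issues random codes, keeps only their hashes, deletes a hash the moment the code is redeemed, and refuses to consult the store at all until the first factor has succeeded. The `xxxx-xxxx-xxxx-xxxx` format, the count of ten and the `second_factor_login` helper are assumptions made for illustration.

```python
"""One-time recovery codes as a server would issue and redeem them.

Added example, not code from the thread or from GitHub; the code format,
the count and the storage layout are assumptions for illustration.
"""
import hashlib
import secrets


def generate_recovery_codes(count=10):
    """Return `count` random codes, each 64 bits of entropy, shown to the user once."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(8)  # 16 hex characters (assumed format)
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return codes


def _normalise(code):
    """Tolerate the separators and case a user will type from a printout."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code):
    # The codes are random with 64 bits of entropy, so a plain SHA-256 is enough
    # to keep a stolen database from yielding usable codes; a slow password KDF
    # is only needed for low-entropy, user-chosen secrets.
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record: only digests are kept, and each one is removed on use."""

    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def remaining(self):
        return len(self._unused)

    def redeem(self, code):
        digest = _digest(code)
        if digest in self._unused:
            self._unused.discard(digest)  # one-time: the same code never works twice
            return True
        return False


def second_factor_login(password_ok, store, code):
    """The recovery code is only consulted after the first factor has succeeded,
    so a code found on its own is useless and is not burned by a guess at the password."""
    if not password_ok:
        return False
    return store.redeem(code)


if __name__ == "__main__":
    issued = generate_recovery_codes()
    store = RecoveryCodeStore(issued)
    print("first use:", second_factor_login(True, store, issued[0]))
    print("second use:", second_factor_login(True, store, issued[0]))
    print("remaining:", store.remaining())
```

Because the server keeps only digests, a printout is the sole copy of the codes in usable form, which is what makes it a possession factor rather than a second copy of a password.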
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
Le 6/16/21 à 10:50 AM, Antoine Pitrou a écrit :
> It's as reliable as printing passwords on a piece of paper, isn't it?

The password is *something you know*, so we (all?) agree: printing it is a bad idea.

The 2nd factor is *something you have*, so printing them is not an issue, and having them in your wallet is fine too (and can even save the day). A U2F key as a 2nd factor is *something you have* too, it's not more nor less physical than paper in your wallet.

The idea is: it's harder to steal something you know *and* something you have.

--
[Julien Palard](https://mdk.fr)

Message archived at https://mail.python.org/archives/list/[email protected]/message/GRRZOEALYA6PZ3KXY2L5DWBIJWNZCMSK/
