On Thursday, August 11, 2016 07:33:45 qznc via Digitalmars-d wrote:
> On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis
>
> wrote:
> > I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out.
>
> This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well.
>
> However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.

I would expect the lockout issue to come from issues with your phone. I almost got locked out by my domain registrar previously, because I changed phone providers, and stupidly, that meant that I couldn't get the SMS messages anymore - even though my phone number hadn't changed. Fortunately, I was finally able to get it fixed with them, but it took a while. But I'd be even more worried about depending on an app on your phone (like is sometimes the case with two-factor auth), since that won't necessarily then work with another phone with the same number, in which case, changing phones could lose you access - and while you might be able to plan for that by doing something like turning off two-factor temporarily when switching phones, if your phone died, you won't have been able to do that. As long as nothing goes wrong with your second factor, you'll probably be fine and won't get locked out of anything, but as soon as something _does_ go wrong with your second factor, you risk being locked out with no recourse.

And if the company that you're dealing with for two-factor actually lets you get around the two-factor when you have a problem, then that opens the door for someone else to talk them into letting _them_ in (which is of course what the second factor is supposed to prevent). So, you either end up with a situation where you're fine as long as your second factor doesn't have problems but are screwed when it does, or you're still at risk of someone else getting into your account in spite of having the second factor.

So, while in principle, two-factor auth is a great idea, there's definite risk involved with it that makes me very leery of using it. And it all it takes to really screw you over is getting locked out once.

- Jonathan M Davis

On 8/11/2016 12:33 AM, qznc wrote:
> On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
>> I just enabled it because of this thread, but in general, I'm paranoid about
>> two-factor auth and don't use it for much. My domain registrar (and thus DNS)
>> is one of the few places that I have it enabled. I'm just too worried about
>> getting locked out. The very thing that makes it more secure significantly
>> increases the risk of you having a problem that locks you out.
>
> This thread pushed me to enable it for Google and Github. The fear of lock out
> plagues me as well.
>
> However, I asked a few friends and so far I have found nobody who was actually
> locked out. The fact that they all give you a few backup codes for login helps.

Yeah, I worry about being locked out as well. There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.

They do provide an option for a second phone (which I enabled) and sent a set of recovery codes. This you can put into your safety deposit box as a last resort.

I keep a rolling set of backups, with one set in the safety deposit box.

2FA is going to become increasingly common, and I expect we'll all have to get used to it.

On Thursday, 11 August 2016 at 07:54:48 UTC, Jonathan M Davis wrote:
> But I'd be even more worried about depending on an app on your phone (like is sometimes the case with two-factor auth), since that won't necessarily then work with another phone with the same number, in which case, changing phones could lose you access

I use Authy. They provide desktop apps and sync in addition. So if my phone fails, I can use my laptop and vice versa.

https://www.authy.com/

On Thursday, 11 August 2016 at 07:59:11 UTC, Walter Bright wrote:

>
> Yeah, I worry about being locked out as well. There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.
>
> They do provide an option for a second phone (which I enabled) and sent a set of recovery codes. This you can put into your safety deposit box as a last resort.
>
> I keep a rolling set of backups, with one set in the safety deposit box.
>
> 2FA is going to become increasingly common, and I expect we'll all have to get used to it.

You could also set up an "unsuspicious" dummy repo on Github which is an identical twin of the official D repo, under a different user and repo name ("Balter Wright", Digital Neptune :)

On Thursday, 11 August 2016 at 07:59:11 UTC, Walter Bright wrote:
> There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.

only PRs. would be a refreshing change and autoclearing of PR queue. besides, authors will just resubmit 'em.

there is no reason to mess with 2fa, i believe. the only thing someone can do is pushing some malicious commit, which will be found almost immediately by compromised dev (next git pull will raise an alarm with error).

yet in exchange for wery weak protection, one have to give his phone number to the 3rd party, and that 3rd party is known by security faults and overall low level of tech and security. if i'll be asked to give my phone number to such organisation (to *any* organisation, but well, this case even worther), i will deny the requiest immediately.

On 8/11/16 3:59 AM, Walter Bright wrote:
> On 8/11/2016 12:33 AM, qznc wrote:
>> On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
>>> I just enabled it because of this thread, but in general, I'm
>>> paranoid about
>>> two-factor auth and don't use it for much. My domain registrar (and
>>> thus DNS)
>>> is one of the few places that I have it enabled. I'm just too worried
>>> about
>>> getting locked out. The very thing that makes it more secure
>>> significantly
>>> increases the risk of you having a problem that locks you out.
>>
>> This thread pushed me to enable it for Google and Github. The fear of
>> lock out
>> plagues me as well.
>>
>> However, I asked a few friends and so far I have found nobody who was
>> actually
>> locked out. The fact that they all give you a few backup codes for
>> login helps.
>
> Yeah, I worry about being locked out as well.

I don't have much concern on this. I stored the github backup codes in my password/secure note manager, so I will never lose them.

I did not know that if you port your number to a new provider, you would be locked out. That's surprising, but makes sense at the same time.

> There's also nothing
> private in the dlang repository, but a malicious person could just
> delete everything and it would be a major problem for us to recover from
> that.

Well, the code will all be on everyone's system. The PRs should be pretty safe too, since they are all branches on everyone's private fork.

But it would be a pain to restore.

> 2FA is going to become increasingly common, and I expect we'll all have
> to get used to it.

Yeah, definitely.

-Steve

On Thursday, August 11, 2016 09:05:49 Steven Schveighoffer via Digitalmars-d wrote:
> I did not know that if you port your number to a new provider, you would be locked out. That's surprising, but makes sense at the same time.

It probably depends on who you're dealing with. In my case, it was godaddy, and it definitely mattered with them. It may not matter with github. But the fact that it _can_ happen makes me that much more nervous about having my access to something connected to a specific device. At this point, I think that I now have two-factor enabled on all of two sites, and I'm not going to be in a hurry to enable it on more.

- Jonathan M Davis

On Thursday, 11 August 2016 at 13:05:49 UTC, Steven Schveighoffer wrote:
>> There's also nothing
>> private in the dlang repository, but a malicious person could just
>> delete everything and it would be a major problem for us to recover from
>> that.
>
> Well, the code will all be on everyone's system. The PRs should be pretty safe too, since they are all branches on everyone's private fork.

The code is pretty safe thanks to git. The comments get lost.

Likewise, deleting bugzilla would be ugly.

We could start signing git commits/tags for additional safety.

On Thu, Aug 11, 2016 at 12:59:11AM -0700, Walter Bright via Digitalmars-d wrote: [...]
> There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.
[...]

Thankfully, it's not that bad thanks to git. Everyone who has a local clone of the dlang repo would have a copy of the code (complete with the history too!).  It would be troublesome to recover from it, but not impossible, and definitely easier than other revision control systems where you may potentially have to reconstruct the repo from scratch.

We *would* lose PRs and the discussions attached to them, though. That would be unfortunate, though not fatal. It might even give us a clean slate in the PR queue, which could be construed to be a good thing! ;-) The PR submitters would still have their code intact in their local repo, so no actual code would be lost.


T

-- 
My program has no bugs! Only undocumented features...

On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
> The code is pretty safe thanks to git. The comments get lost.

If github doesn't restore from backup, maybe mirror github repo into a gitlab repo? http://docs.gitlab.com/ce/workflow/importing/import_projects_from_github.html

> Likewise, deleting bugzilla would be ugly.

Bugzilla is backed up.