46
How is everyone handling the 2FA requirement for GitHub?
(docs.github.com)
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Community icon from opensource.org, but we are not affiliated with them.
I have a dedicated phone with a dedicated number which stays at home all the time. Call it (see what I did there) the Authenticator phone, which only job is to authenticate me when needed. Not only for Github, but other services too. Minimizing the risk to lose or break the device. And companies don't get all my private stuff.
Works great till somebody does a sim swap on you.
How? It's physically at home.
Swapping the sim associated with your phone number -- from your sim to their sim.
But how? It's at my home and without physical access to it, its impossible to swap sim card. It's always at my home. Nobody can can transmit my phone number to their sim card without my knowledge and permission.
As in "Hi PhoneCompany, I'd like a mobile plan with you. Yes, I'd like to bring my old phone number over to the new account."
Or "Hi PhoneCompanySupport, I'm @thingsiplay and i lost my sim, plz send me a new one. BTW my new address is ..."
Ideally it shouldn't happen, but phone company security is pretty slack sometimes,
That's a big far fetched from reality, just to build an anti argument. I don't know where you live, but in Germany this cannot happen. You can't just order a sim to any address and use the phone number of you wish. You have to provide with 100% certainty that you are the owner of the sim card, as every new registered card/number has to provide your goverment id and your personal signature. Also taking old phone number to new account can only happen, if you provide proof you owned it in the first place.
If you know any case (here in Germany) someone could steal the phone number like you just described, please provide a link. This would be a huge security issue that should not be possible to happen. Nobody in the world can do that to my phone number and I think you just fabricate something that is not possible in Germany.
Ah, that's good then.
In Australia you really only need a name and date of birth and ID such as a passport or driving license number of the owner. No physical or even photographic proof. Some phone companies send the original sim a notification before moving it, but no response is required and moving the number often only takes 10~30mins.
Banks in Australia commonly use sms codes as 2fa.
A large percentage (20~30%?) of adult Australians have had their ID details leaked in recent years because there are no adequately enforced security requirements or data-retention limits. One of the largest breaches was the second largest mobile phone provider...
I see. Off course I only speak from my environment. Even if ID details would have leaked, it should be impossible for someone to get my phone number, even if the person knows my name and phone number and any ID details.
It's actually quite hard to get authenticated for a new phone number in my opinion. In example last year I setup this new number and at first try it did not work, without giving any reason that could give a hint. I ended up buying a different prepaid sim card and the process was the same: go to bank, and do all the shenanigans and dance.
BTW sorry for my previous inflammatory language; I get heated up pretty quickly. And you stayed cool.
No worries. The situation I was describing is indeed absurd and defies reasonable expectations.
That's exactly what I'm planning to do, a phone that forwards all sms messages through ntfy (or other service like signal) to me.
@chevy9294 @thingsiplay
On android you can use https://f-droid.org/en/packages/org.projectmaxs.module.smsnotify/ - forwards incoming sms to XMPP
Thanks but I'll be running postmarketOS and make sms forwarder myself.
Interesting software. Never heard about this. This is not really for me as I don't do SMS authentification or SMS in general or use that phone at all, other then authenticate myself from time to time. I wonder how this differs from software like KDEConnect in its practically (not in the technical implementation differences).