submitted 1 day ago* (last edited 1 day ago) by evenwicht@lemmy.sdf.org to c/infosec@infosec.pub

cross-posted from: https://lemmy.sdf.org/post/45188081

I am locked out of Github because the disposable email address I was willing to trust Microsoft with is no longer reachable. Every single login into GH requires an email confirmation. So if you cannot enter the 1-time access token, you’re fucked.

You might think a big corporation like Microsoft would not make such an amateurish mistake.

[-] 6nk06@sh.itjust.works 2 points 1 day ago* (last edited 1 day ago)

Passkeys and/or 2FA. If you don't have either and GitHub becomes suspicious, you're no different than a hacker trying to take over accounts. But I agree that a token in one email is insecure.

Anyway use Codeberg next time.

[-] evenwicht@lemmy.sdf.org 2 points 1 day ago* (last edited 1 day ago)

Passkeys and/or 2FA.

It’s unclear what you mean. I have my username and passkey (1FA). I did not set up any kind of 2FA (I have nothing I care to protect on their shit site), but MS imposes email verification as a forced 2FA.

But I agree that a token in one email is insecure.

Not at all. Security policy is designed for a purpose. You can never have absolute security. You can only have something that is secure enough for a task and for the assets under protection in light of threat risks. The token via email was OVERLY secure in the case at hand -- and as a consequence security was lost (specifically, availability was lost, which is part of security).

Anyway use Codeberg next time.

Impossible to use Codeberg to submit a bug report or comment on existing bug reports that are MS Github hosted. I would never voluntarily use MS Github for any project that I control.

I only use GH to collaborate on other people’s projects. And even then, I simply do not report many bugs because I cannot be bothered to dance for Microsoft and deal with their garbage. But now it looks like I will not be reporting /any/ bugs to any GH projects.

BTW, it’s bizarre that you suggest using Codeberg just after saying email-based 2FA is “insecure”. Codeberg allows 1FA (and rightfully so).

[-] 6nk06@sh.itjust.works 1 points 1 day ago* (last edited 1 day ago)

Was your email verified? I'm confused because github never sent me anything by email after that step, and passkey being the highest security possible, your scenario should not happen.

Also a token by email is shit since forever. Email is not 2FA at all, only TOTP and Passkeys, and they don't require any interaction with the email account. Also Codeberg has TOTP and Passkeys too.

The token via email was OVERLY secure in the case at hand

Overly secure for you only, not for all the other users. You lost your email verification and github then thinks you're a spammer. The world is filled with spammers stealing accounts and they have the right to secure their shitty web site a bit.

[-] evenwicht@lemmy.sdf.org 1 points 1 day ago

Was your email verified? I’m confused because github never sent me anything by email after that step, and passkey being the highest security possible, your scenario should not happen.

MS does not get my IP address. I ensure every single login is over Tor. MS makes sure ~97% of logins require plaintext email 2FA. On a few very rare occasions over the past several years, I was able to login without the email bullshit. Maybe once per year I got lucky like that (which is perhaps comparable to the odds of getting a fresh new exit node that MS does not know about). I thought I was getting that shitty treatment for being on Tor but some non-Tor users told me they have to do the email verify every time as well, so I figured it was imposed on everyone not just Tor users.

this post was submitted on 06 Nov 2025