[python-committers] 2FA: only needed at the *first* GitHub login, not needed for commits

2017-12-12 Thread Victor Stinner
Hi,

On the "Security: please enable 2-factor authentication on GitHub and
your email" thread that I started, I see many people afraid of being
annoyed everyday by 2FA (2-factor authentication, called
"Authentication code" in GitHub).

Let me explain how GitHub uses 2FA.

* Let's say that you are not logged in on GitHub (or log out to test yourself).
* Log in to GitHub: enter email and password, then you are asked for an
"Authentication code".
* You're logged in, congrats :-)
* Close Firefox
* Open Firefox, go to GitHub: you are already logged in. No password
or Authentication code is asked for any more.

Hum... that's it :-) I don't know how long the GitHub cookie remains
valid, but it's very rare (maybe once per month? or once every 3
months??) for me to have to log in again. And usually, it's because I
log out on purpose.

Ok, now you can push a pull request using SSH:

* Step 1: git push (...)
* There is no step 2 :-)

There is no 2FA here. If I understood correctly, for HTTPS, there is
no 2FA either.


So where is the 2FA?

* New log in

The 2FA is not needed for:

* (If you are already logged in) Disabling 2FA doesn't require an
authentication code. I just checked for you :-)
* Adding a new SSH key to your account only requires your password,
but the authentication code is also accepted instead of the password


So what is the point of 2FA? It protects the log in. If an attacker
has your password without the 2FA key, they are unable to log in.

From what I see, the 2FA doesn't protect against pushing commits if
the attacker steals your SSH key or your HTTPS password. My
understanding is that it's more common to get a password stolen than an
SSH key. While you have to write the password regularly in web forms,
GitHub only requires your SSH *public key* (only asked of you when
adding a new key). The risk of leaking an SSH private key by mistake is
much lower. For example, a browser doesn't ask you to store your SSH
private key, only your password. For HTTPS: well, try to avoid HTTPS
and prefer SSH? :-)


A few months ago, using a Yubikey in Firefox required a plugin. Good
news: since Firefox 57 (or even Firefox 56), U2F support is now
built in! But it's still experimental and so disabled by default (it's
a simple flag that has to be set to true in about:config):

https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-firefox-quantum/


Google has the same 2FA design. It stores a cookie and so once you are
logged in on your computer, the 2FA is no longer used. There is a check box
like "[x] Remember this computer" or something like that. The 2FA
matters when someone tries to use your password on a different
computer.


At work, I have a different experience with 2FA. It's much
stricter. I have to use my 2FA at least once a day, or more frequently
depending on the services that I have to use. So yeah, I understand
that some people who already suffer from that don't want to be annoyed
on the Python project.

Victor
___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/


Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Victor Stinner
2017-12-11 17:19 GMT+01:00 Chris Jerdonek :
> Why do you say this? Can't this only be true for accounts that allow
> password recovery / reset via email?
>
> --Chris

I didn't check, but I'm quite sure that the email quickly comes
into play when you want to recover your GitHub account when you
have lost everything (password, 2FA key, recovery code).

At least, the email was the key to break the security in one "I have
been hacked" article. Hum, I think that it was this article:
https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

The story is related to "password reset": Google (Gmail), Apple,
Twitter, Amazon, etc.

Victor


Re: [python-committers] 2FA: only needed at the *first* GitHub login, not needed for commits

2017-12-12 Thread Stefan Krah
On Tue, Dec 12, 2017 at 10:42:56AM +0100, Victor Stinner wrote:
> Let me explain how GitHub uses 2FA.
> 
> * Let's say that you are not logged in on GitHub (or log out to test yourself).
> * Log in to GitHub: enter email and password, then you are asked for an
> "Authentication code".
> * You're logged in, congrats :-)
> * Close Firefox
> * Open Firefox, go to GitHub: you are already logged in. No password
> or Authentication code is asked for any more.

Well, my security model is different.

I have full disk encryption with a long passphrase.  I shut down the computer
when I leave, so I have to enter that passphrase several times a day.


I have an encrypted text file that contains per-website passwords, protected
by another long passphrase. I have to decrypt that file at least once after
booting.


Finally, due to the garbage that modern browsers store (run rsync and watch
what is accumulated even in a day), I clear all the history etc. when
Firefox is closed.


This means that I have to log in ***multiple times into GitHub per day***.



My GitHub password should be only on GitHub, so when there's a breach
GitHub is already pwned (which it has been in the past but the prevailing
doctrine does not permit mentioning it, and if anyone dares to, he is
ignored).


Given the snake oil history in crypto products (Crypto AG, RSA SecureID,
Infineon chips, closed source in YubiKey), quite frankly MY security model
won't allow inserting such a product into a USB slot.



Stefan Krah





Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Victor Stinner
2017-12-11 13:57 GMT+01:00 Stefan Krah :
> I'm not a fan of hardware key generation. :-)
>
> https://en.wikipedia.org/wiki/YubiKey
>
> "In October 2017, security researchers found a vulnerability (known as ROCA) 
> in the implementation of RSA keypair generation in a cryptographic library 
> used by a large number of Infineon security chips. The vulnerability allows 
> an attacker to reconstruct the private key by using the public key.[18][19] 
> All YubiKey 4, YubiKey 4C, and YubiKey 4 nano within the revisions 4.2.6 to 
> 4.3.4 are affected by this vulnerability.[20] Yubico publicized a tool to 
> check if a Yubikey is affected and replaces affected tokens for free.[21]"

FYI it seems like only RSA private keys generated by old Yubikeys
are vulnerable to the ROCA attack. OTP authentication is not affected.
See https://www.yubico.com/keycheck/ for more information.

"ROCA: Return Of the Coppersmith Attack": https://lwn.net/Articles/738896/

As I wrote, I chose to use ed25519 for my new SSH key. Maybe it was a
good idea :-)

Victor
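The key check mentioned above, as an added example that is not code from this thread, from Yubico's keycheck page or from the ROCA authors: it implements the public ROCA fingerprint test on an RSA public modulus, which is how a defender triages which RSA keys were produced by the affected Infineon generator and must be replaced. The `constructed_affected_modulus` helper and `random_odd_modulus` are assumptions of this example that build synthetic moduli for testing only; neither is a real key.

```python
"""ROCA fingerprint check for an RSA public modulus (defensive key triage).

Keys from the affected Infineon library have primes p = k*M + (65537^a mod M),
where M is a primorial (product of the first n primes).  For every small
prime r dividing M this makes N = p*q satisfy  N mod r  in  <65537 mod r>,
the subgroup generated by 65537.  Testing the first 39 primes (2..167),
which all affected key sizes share in M, is the published fingerprint test;
a random modulus passes it with probability on the order of 2^-154.
"""
import secrets

# First 39 primes; every affected key size (512..4096 bit) includes them in M.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the base the vulnerable generator exponentiates


def _subgroup(prime: int) -> frozenset:
    """Multiplicative subgroup of Z_prime* generated by 65537 mod prime."""
    members, x = set(), GENERATOR % prime
    while x not in members:          # walk the cycle until it closes
        members.add(x)
        x = (x * GENERATOR) % prime
    return frozenset(members)


# Allowed residues of N for each small prime, computed once at import.
ALLOWED = {r: _subgroup(r) for r in SMALL_PRIMES}


def failing_prime(modulus: int):
    """First small prime at which the fingerprint test fails, or None if
    every residue is consistent with an affected key."""
    for r in SMALL_PRIMES:
        if modulus % r not in ALLOWED[r]:
            return r
    return None


def roca_fingerprint(modulus: int) -> bool:
    """True when the modulus carries the ROCA fingerprint: treat the key as
    weak and replace it (the thread's ed25519 SSH key is one way out)."""
    return modulus > 1 and failing_prime(modulus) is None


def _primorial() -> int:
    m = 1
    for r in SMALL_PRIMES:
        m *= r
    return m


def constructed_affected_modulus(bits: int = 2048) -> int:
    """Synthetic modulus with the affected generator's structure, for testing
    only (an assumption of this example): both factors are k*M + 65537^a mod M
    with random k and a.  They are not checked for primality, so this is NOT
    a usable RSA key, but it reproduces the fingerprint property."""
    m = _primorial()

    def factor() -> int:
        a = secrets.randbelow(m)
        k = secrets.randbits(max(1, bits // 2 - m.bit_length()))
        return k * m + pow(GENERATOR, a, m)
    return factor() * factor()


def random_odd_modulus(bits: int = 2048) -> int:
    """Random odd number of the given size, standing in for a healthy key."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


if __name__ == "__main__":
    for label, n in (("constructed affected", constructed_affected_modulus()),
                     ("random odd 2048-bit", random_odd_modulus())):
        verdict = "FINGERPRINT MATCH" if roca_fingerprint(n) else "clean"
        print(f"{label}: {verdict} (first failing prime: {failing_prime(n)})")
```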


[python-committers] Fwd: What happens if I lose my password, 2FA key and recovery key

2017-12-12 Thread Victor Stinner
For the ones who are worried about losing all credentials for their GitHub
account, here are some official answers from GitHub support.

Victor

-- Forwarded message --
From: Michael (GitHub Staff) 
Date: 2017-12-12 11:05 GMT+01:00
Subject: Re: What happens if I lose my password, 2FA key and recovery key
To: Victor Stinner 


Hi Victor,

Thanks for getting in touch.

To address your questions:

The question is what happens if you lose your password, your 2FA key and
your recovery key... Ok, it's unlikely, but it's a real question.

If you were to lose access to all of your 2FA credentials, I'm afraid we
wouldn't be able to disable 2FA for you, for security reasons. For this
reason, we recommend setting up one or more fallbacks.

One way of safeguarding recovery keys is storing them in an encrypted
password manager like 1Password or LastPass, which often have cloud backup
capabilities.

The second question is if the email account comes into play as the last
attempt to recover access to the GitHub account.

The email and password associated with an account provide one factor of
authentication. If 2FA is enabled, a second factor is required. In the case
of someone losing access to all 2FA credentials, but still having access to
the email associated with an account, we aren't able to disable 2FA, but
can release the email address from the account. This would then allow the
user to register the email address to a new account. Additionally, any
contributions associated with that email address would follow along to the
new account.

At present, we have a range of fallbacks, which I'll list below. It's a
good idea to use more than one, while also being mindful of not creating
too much exposure.

*Download your recovery codes.* This is far and away the best way to make
sure you don't get locked out of your account. If you ever disable and then
re-enable 2FA, be sure to download the new codes we generate as the old
ones will no longer work.

https://help.github.com/articles/downloading-your-two-factor-authentication-recovery-codes

*Set a fallback number.* As long as your phone wasn't lost, you'll be able
to regain access to your account in the amount of time it takes to receive
an SMS.

https://help.github.com/articles/setting-a-fallback-authentication-number

*Add a security key.* Phone got stolen *and* you lost your recovery codes?
Today is turning into a rough day, but you'll still have access to your
account if you have a FIDO U2F security key added to your account.

https://help.github.com/articles/configuring-two-factor-authentication-via-fido-u2f

*Store a recovery token* If you use Facebook, you're now able to store a
2FA recovery token with your account. Here's how:
https://help.github.com/articles/generating-and-storing-an-account-recovery-token

*Set up an SSH key* We’re sometimes able to recover an otherwise locked out
account if there’s an SSH key set up. You can add one by heading to:
https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/

Let me know if you have any questions or if there's anything else we can
help with!

Best regards,

Michael


Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread M.-A. Lemburg
I'm with David on this one. 2FA is good for admin accounts, but
doesn't add much protection for regular committers. Think of what
you're trying to protect against: git checkins are all audited and
can easily be undone.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Dec 12 2017)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...   http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...   http://zope.egenix.com/


::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
  http://www.malemburg.com/



Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Antoine Pitrou

And I'm not even sure it's possible to push directly without opening a PR...

All the arguments have been heard now and it would be nice if this
thread could die.


Le 12/12/2017 à 14:07, M.-A. Lemburg a écrit :
> I'm with David on this one. 2FA is good for admin accounts, but
> doesn't add much protection for regular committers. Think of what
> you're trying to protect against: git checkins are all audited and
> can easily be undone.
> 


Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Paul Moore
On 12 December 2017 at 13:07, M.-A. Lemburg  wrote:
> I'm with David on this one. 2FA is good for admin accounts, but
> doesn't add much protection for regular committers. Think of what
> you're trying to protect against: git checkins are all audited and
> can easily be undone.

Indeed. I'd rather have a password-protected account that I can
recover using my (2FA protected) email, than a second set of 2FA
credentials that I have to manage to avoid the risk of being 100%
locked out of github.

Paul


Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Christian Heimes
On 2017-12-12 02:17, Gregory P. Smith wrote:
> On Mon, Dec 11, 2017 at 12:26 PM R. David Murray wrote:
> 
> On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft wrote:
> >
> > > On Dec 11, 2017, at 2:52 PM, R. David Murray wrote:
> > >
> > > If 2fa is required for contribution to CPython, I'll stop
> > > contributing.
> >
> > I’m curious why? I have it on and 99% of the time you don’t even
> > notice because you’re already logged into GitHub and pushes/pulls
> > don’t require it.
> 
> I had to use 2FA when working for a corporate client, and it was
> very annoying.  The fact that pushes and pulls don't require it
> helps, but also makes it considerably less important.
> 
>  
> Please Don't let /that/ experience color your 2FA opinion.  Not everyone
> $random_corp does a good job of it.
> 
> It does not have to be annoying.  Github's and Google's are examples of
> 2FA done right that is not annoying (using U2F).
> 
> But I suppose that fundamentally I do not want my security tied to a
> possession.
> 
> 
> *2FA doesn't need to be tied to a single possession.*  You are not
> limited to a single second factor thing.  You can have plentiful
> different two factor methods set up at once.  This is normal.  ex: A
> printed recovery code at the very least as a second second factor.  Have
> multiple U2F USB tokens tied to your account? Yes. I do that all the
> time on all accounts.
> 
> Heck, a photo/scan/screenshot of backup one time codes stored as a
> public image somewhere with no password authentication for the world to
> see on an http server still counts.  As laughable as that is, it is
> *still* much better than not having 2FA enabled at all.  Because it
> isn't going to be an automated attack at that point.
> 
> /Any/ 2FA is much better than no 2FA.
> 
> When (not if) your login/password is compromised, it is rarely your own
> fault. But your account and all of your data can be gone in a heartbeat
> as soon as anyone or anything malicious chooses to make it so on
> whatever selection of accounts they choose to victimize. Often
> irrecoverably. With 2FA enabled, that is much less likely to happen to you.
> 
> Try it. You will remain happy.
> 
> I recommend the https://www.yubico.com/product/yubikey-neo/ as a primary
> U2F token because it even works with Chrome on Android phones via NFC
> when you need to re-auth there.  That is a more expensive one, there are
> $10-20 alternative vanilla U2F USB tokens. I have some of those as
> backups. The "nano" style keys that you just leave in the USB port of
> all computers you use regularly are also a nice solution. no need to
> find and pull out the key, it is just present in your computers (it
> requires a physical touch to prevent remote access).
> 
> Which 2FA methods to choose is an individual choice, but in my
> experience since the U2F keys came out, I'm less inclined to use any
> service that doesn't support them as all other solutions are a worse
> user experience for me.
> 
> IMNSHO, the PSF /should/ be able to buy one or two U2F tokens for any
> committer who needs them.  This should not depend on a policy of 2FA
> use, it would just be a way to promote good security practices among
> committers  to make us all better off.

+1

If you don't trust the closed-source Yubico hardware, there is plenty of
other hardware out there. https://www.nitrokey.com/ is good German engineering
with fully open-sourced hardware and software.

Adam has compiled a nice list of U2F and 2FA tokens, too.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Christian


Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Stefan Krah
On Tue, Dec 12, 2017 at 02:04:42PM +0100, Christian Heimes wrote:
> If you don't trust the closed-source Yubico hardware, there is plenty of
> other hardware out there. https://www.nitrokey.com/ is good German engineering
> with fully open-sourced hardware and software.
> 
> Adam has compiled a nice list of U2F and 2FA tokens, too.
> https://www.imperialviolet.org/2017/10/08/securitykeytest.html

The PSF then also must provide developer laptops along with the usb thingy.

I would assume that in extremely security conscious environments plugging
*anything* into a USB port is forbidden (if there are USB ports at all).



Stefan Krah





Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Brett Cannon
On Tue, Dec 12, 2017, 05:07 M.-A. Lemburg wrote:

> I'm with David on this one. 2FA is good for admin accounts, but
> doesn't add much protection for regular committers. Think of what
> you're trying to protect against: git checkins are all audited and
> can easily be undone.
>

But David has an admin account for the repo. 😉 Anyway, it sounds like
we're not going to force this on anyone, but perhaps it might be worth
considering for admin accounts since they control whether force pushes are
possible.

-brett




Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Antoine Pitrou

If some people are inclined to push for 2FA, I think it would be more
productive to write some kind of document giving advice and suggestions
and addressing all potential issues (such as backups, cross-platform
compatibility, software integration with various tools, etc.).  For
example I have 2FA enabled on Github but I just learned that U2F keys
are supposed to work with Firefox 57.0.

Regards

Antoine.


Le 12/12/2017 à 17:12, Brett Cannon a écrit :
> 
> 
> On Tue, Dec 12, 2017, 05:07 M.-A. Lemburg wrote:
> 
> I'm with David on this one. 2FA is good for admin accounts, but
> doesn't add much protection for regular committers. Think of what
> you're trying to protect against: git checkins are all audited and
> can easily be undone.
> 
> 
> But David has an admin account for the repo. 😉 Anyway, it sounds like
> we're not going to force this on anyone, but perhaps it might be worth
> considering for admin accounts since they control whether force pushes
> are possible.
> 
> -brett
> 
> 


Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Alex Gaynor
They require a preference to be enabled, but yeah, Security Keys in Firefox
Quantum 🎉
https://mobile.twitter.com/jamespugjones/status/91231495223226

Alex

On Tue, Dec 12, 2017 at 11:21 AM, Antoine Pitrou  wrote:

>
> If some people are inclined to push for 2FA, I think it would be more
> productive to write some kind of document giving advice and suggestions
> and addressing all potential issues (such as backups, cross-platform
> compatibility, software integration with various tools, etc.).  For
> example I have 2FA enabled on Github but I just learned that U2F keys
> are supposed to work with Firefox 57.0.
>
> Regards
>
> Antoine.
>
>
> Le 12/12/2017 à 17:12, Brett Cannon a écrit :
> >
> >
> > On Tue, Dec 12, 2017, 05:07 M.-A. Lemburg wrote:
> >
> > I'm with David on this one. 2FA is good for admin accounts, but
> > doesn't add much protection for regular committers. Think of what
> > you're trying to protect against: git checkins are all audited and
> > can easily be undone.
> >
> >
> > But David has an admin account for the repo. 😉 Anyway, it sounds like
> > we're not going to force this on anyone, but perhaps it might be worth
> > considering for admin accounts since they control whether force pushes
> > are possible.
> >
> > -brett
> >
> >



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6