Tell HN: GitHub forcing 2FA on users has no basis in their ToS

9 points by devguy2 3 years ago · 14 comments · 1 min read


Recently I received an email from GitHub telling me I need to enable 2FA because I'm a somewhat active (hobbyist!) developer...

But the ToS very clearly states:

"You are responsible for keeping your Account secure while you use our Service. We offer tools such as two-factor authentication to help you maintain your Account's security, but the content of your Account and its security are up to you."

I think it is cute when corporations don't even bother to conform to their ToS themselves. This one is even almost readable.

Anyway, I just thought you'd like to know. Have a nice day!

tkw01536 3 years ago

IANAL but I don’t think that GitHub is violating their ToS here.

L4 says “GitHub has the right to suspend […] your access […] at any time […]. GitHub reserves the right to refuse service to anyone for any reason at any time.”

  • devguy2OP 3 years ago

    Sure, "no basis" is perhaps a bit spicy... but it's still an active contradiction that they could have easily changed. (And in doing so should have made them at least think twice before pushing this).

rozenmd 3 years ago

IANAL, but ToS's provide companies an option, not an obligation, to do something.

It's not a law.

MuffinFlavored 3 years ago

Not super related but it's funny that Twitter basically shed text 2FA unless you pay for it with their monthly blue checkmark thing, demoting anybody who had text 2FA to authenticator style app to save on cost, whereas Microsoft/GitHub are forcing everybody to enroll, which would inverse what Twitter did and send their 2FA SMS costs through the roof.

OtmaneBenazzou 3 years ago

Are you going to cry because a company wants your data to be a bit more safe?

  • ipaddr 3 years ago

    Then you won't object to 3FA or 20FA. More steps is safer, right?

    If your account is unimportant to you, GitHub shouldn't force you to add layers of security when they literally throw you under the bus in the ToS telling you it is your responsibility... good, let me decide my level of risk.

    • lrvick 3 years ago

      If a lot of people trust code that comes from your account, then it can and will be weaponized for a supply chain attack.

      If you do not have the good sense to lock up such a weapon, then please delete your account.

      • devguy2OP 3 years ago

        Keyword: if. What little I do distribute to a few end users comes from local builds through a completely separate system. The security level applied reflects this more than well.

        To my (well-founded) knowledge nobody distributes my code; and if they did they'd have full responsibility. That's what "THE SOFTWARE IS PROVIDED 'AS IS'" means. You don't have to like it and you don't have to use it.

        There really is no middle ground unless you develop a relation. Who says I can be trusted? Not me!

      • ipaddr 3 years ago

        Not the case here... and not the case for 99.99% of repos on GitHub.

jamesboehmer 3 years ago

Are you against 2FA, or against being compelled to use it? Why?

Melingo 3 years ago

They write the ToS.

It doesn't matter if they updated them in time for someone actually reading a ToS.

ftfdfyjbdsff 3 years ago

GitHub, by being under Microsoft, is now an advertisement support service.

The main reason they want your phone number is to tie you to a more expensive profile for ad impressions.
