Requiring secure 2FA methods?

[jaraco]

Today, I clicked on a GitHub email for cherrypy intending to respond to an issue. It took me to a page where I was not allowed to proceed because my account was configured with 2FA but including SMS, which is considered insecure. In my opinion, SMS isn't insecure, it's just less secure than other 2FA methods.

My instinct - CherryPy isn't of such high importance that it requires only the highest level of security and simply requiring 2FA is sufficient.

I've removed SMS as an option for 2FA in my account so I can read and respond to issues and file discussions like this one, but I'm uncertain what the implications might be. I guess it's probably fine, but do we really want to hold contributors to this high bar when much more visible projects do not?

[webknjaz]

I've seen this being mandated in more orgs lately. I think it's important because many maintainers have access to a lot of projects and so this is contributing to the overall security in FOSS.

Additionally, SMS is inaccessible and problematic in so many ways that it's almost the same as not having 2FA at all. It creates a false sense of security while texts can be easily intercepted.
All one has to do to exploit it is to select an insecure mechanism and use this poorly protected auth mechanism.

FWIW, I don't really consider SMS a 2FA mechanism. It doesn't ensure that the second factor is held by the account owner.

[jaraco]

It can't possibly be that trivial to intercept any SMS message that it's like having nothing at all. At the very least, it requires the attacker to target an individual. Even if every SMS in the world was posted to a public blockchain, it would still be a barrier, albeit weak, that the attacker would need to know the SMS number to look up the message.

When articles say SMS is not secure, they're being overly-dramatic. What they really mean is that it has exploitable weaknesses and is less secure than some other methods.

FWIW, I don't really consider SMS a 2FA mechanism. It doesn't ensure that the second factor is held by the account owner.

By this standard, the other factors aren't 2FA either. It's possible to lose a security key grant PIN or biometric access to another person. It's also possible to be coerced/forced to supply it on behalf of someone else. Everyone is expected to have recovery keys, and those could be as secure or insecure as any other piece of information.

What's most important is that we have security that's sufficient to dissuade a sufficiently motivated attacker from gaining access. In my opinion, the value proposition of having access to CherryPy's GitHub account is very low. There's very little an adversary could gain. In my opinion, requiring 2FA is already a very high bar for something like contributing to CherryPy. Restricting allowed 2FA methods feels like overkill.