How I Got Locked Out of GitHub (Rant)
Security means a lot of different things to different people. If you are a homeowner, you do not want somebody entering your house without authorization, and you do not want somebody picking up a package from your porch. If you are a store owner, you do not want someone entering the store, picking up goods, and making off with them without paying. For information, we have a general consensus that security implies confidentiality, integrity, and availability: the CIA triad.
When GitHub introduced two-factor authentication, they wanted to ensure that no one but me gets access to my private data and that nobody pretends to be me and posts something to my public repositories. When I enter my username and password to log in, they want to make sure somebody didn’t install a keylogger and steal my credentials, so they send a text message with a one-time password for me to enter each time I log in. This one-time password goes over a third-party provider (i.e. GitHub does not have control over how it is sent), but because this means of authentication occurs over a separate channel, chances are that the same entity does not have access to both my login session and the one-time password. If I have a dumb phone that can only make phone calls and receive texts, somebody who gets my phone does not get both the login credentials and the one-time password needed to log in. If I have a smartphone, I could have saved the username and password, so whoever gets my phone and is able to get into it can gain access to my GitHub account. My phone is unlocked by either Face ID or passcode; if somebody holds up a photograph, the phone is not going to let them in… or will it? If somebody can see me keying in my passcode, they can steal the phone and get access to both the saved credentials and the one-time password. If I use an Apple Watch to unlock my iPhone, whoever is attempting to steal my phone will also need to steal my watch… or has to get close enough for my phone to unlock.
…so, coming back to the part where GitHub sends the one-time password through a third-party provider. As soon as the text is sent, I see it on my phone and key it into the computer to log in. At some point, GitHub decided to change their text message gateway provider to one that is unable to send text messages to my phone number. Now I have a username and a password, but I have no way to get the one-time password, and I cannot log in. GitHub sends me email notifications about vulnerabilities discovered in the libraries that the code in my public GitHub repositories uses, but I have no way to make updates or accept any bot-generated pull requests. The security of the service has been compromised, because now there’s no availability from the CIA triad. I reached out to GitHub; they said they would switch my account’s OTP over to their old text messaging gateway, but I still didn’t receive the one-time password. In the end, I created a new GitHub account. I still have the ability to clone my public repositories and push the code to a repository in my new account. I set up an authenticator app and now enter the generated codes whenever I need to log in.