Two-factor authentication is no good

Author: zzo38computer, 2 months ago
2FA is no good; it does not improve security much.

GitHub requires it (although it is unclear if it is required for API access; I almost entirely use the API access anyways), but that doesn't help. Also, the method of setting it up does not even work (it just gets stuck in a loop) (and other people are complaining about this too, so it is not only me).

Some people say it may make it less secure, which is possible (since you will need to add other things to handle it, including recovery codes).

Some people say it allows Microsoft to spy on you, but TOTP doesn't allow anyone to spy on anyone. Some say it requires a mobile phone, but TOTP does not require that either.

What would actually help security on GitHub (or other git hosting services) are two things: X.509 client certificates and signed releases (both should probably be used together). Neither requires JavaScript, and neither makes it possible to steal your credentials. This also has other advantages, e.g. single-sign-on.