this post was submitted on 06 Nov 2025

Information Security

cross-posted from: https://lemmy.sdf.org/post/45188081

I am locked out of GitHub because the disposable email address I was willing to trust Microsoft with is no longer reachable. Every single login into GH requires an email confirmation. So if you cannot enter the 1-time access token, you’re fucked.

You might think a big corporation like Microsoft would not make such an amateurish mistake.

[–] 6nk06@sh.itjust.works 1 points 5 days ago* (last edited 5 days ago) (1 children)

Was your email verified? I'm confused because GitHub never sent me anything by email after that step, and passkey being the highest security possible, your scenario should not happen.

Also a token by email is shit since forever. Email is not 2FA at all, only TOTP and Passkeys and they don't require any interaction with the email account. Also Codeberg has TOTP and Passkeys too.

> The token via email was OVERLY secure in the case at hand

Overly secure for you only, not for all the other users. You lost your email verification and GitHub then thinks you're a spammer. The world is filled with spammers stealing accounts and they have the right to secure their shitty web site a bit.

[–] evenwicht@lemmy.sdf.org 1 points 5 days ago

> Was your email verified? I’m confused because github never sent me anything by email after that step, and passkey being the highest security possible, your scenario should not happen.

MS does not get my IP address. I ensure every single login is over Tor. MS makes sure ~97% of logins require plaintext email 2FA. On a few very rare occasions over the past several years, I was able to log in without the email bullshit. Maybe once per year I got lucky like that (which is perhaps comparable to the odds of getting a fresh new exit node that MS does not know about). I thought I was getting that shitty treatment for being on Tor, but some non-Tor users told me they have to do the email verify every time as well, so I figured it was imposed on everyone, not just Tor users.