Information Security

346 readers

1 users here now

founded 2 years ago

MODERATORS

himazawa

the wisdom of Microsoft Github’s forced 2FA over email -- what if your email address changes? (lemmy.sdf.org)

submitted 5 days ago* (last edited 5 days ago) by evenwicht@lemmy.sdf.org to c/infosec

4 comments fedilink hide all child comments

cross-posted from: https://lemmy.sdf.org/post/45188081

I am locked out of Github because the disposable email address I was willing to trust Microsoft with is no longer reachable. Every single login into GH requires an email confirmation. So if you cannot enter the 1-time access token, you’re fucked.

You might think a big corporation like Microsoft would not make such an amateurish mistake.

you are viewing a single comment's thread
view the rest of the comments

[–] evenwicht@lemmy.sdf.org 1 points 5 days ago

Was your email verified? I’m confused because github never sent me anything by email after that step, and passkey being the highest security possible, your scenario should not happen.

MS does not get my IP address. I ensure every single login is over Tor. MS makes sure ~97% of logins require plaintext email 2FA. On a few very rare occasions over the past several years, I was able to login without the email bullshit. Maybe once per year I got lucky like that (which is perhaps comparable to the odds of getting a fresh new exit node that MS does not know about). I thought I was getting that shitty treatment for being on Tor but some non-Tor users told me they have to do the email verify every time as well, so I figured it was imposed on everyone not just Tor users.