[Access Lunch] Fwd: [GitHub Support] - 2 Factor Authentication

Carl Haynes-Magyar chaynesm at andrew.cmu.edu
Thu Jan 19 11:21:14 EST 2023


Hi Folks,

Does anyone know someone who works at GitHub that could actually take this
seriously?  I'm looking for a moment similar to when Meghan Markle
protested a sexist ad on TV, and they actually stepped up
<https://youtu.be/Zkb-zg4JCLk>.  The new series on Netflix, "Harry and
Meghan," is great!

---------- Forwarded message ---------
From: Carl Haynes-Magyar <chaynesm at andrew.cmu.edu>
Date: Thu, Jan 19, 2023 at 11:16 AM
Subject: Re: [GitHub Support] - 2 Factor Authentication
To: GitHub <support at githubsupport.com>


Hi Picard,


I did not appreciate the undertone of your email.  The customer is always
right. My question was future-oriented as I conduct research on programmers
with cognitive disabilities.  Yes.  I asked you to enforce specific
security requirements when 2FA was enabled. I also expect you, GitHub, of
all the companies out there to adapt to the changes in authentication and
security requirements as we advance!  Read “You can add biometric
authentication to your webpage. Here’s how.”
<https://stackoverflow.blog/2022/11/16/biometric-authentication-for-web-devs/>
Forward this to administrative personnel who make decisions about
security features and development! This will help you increase
accessibility for those with and without cognitive disabilities! See the 2022
Stack Overflow Developer Survey
<https://survey.stackoverflow.co/2022/#section-demographics-disability-status>
for statistics.  Instead of responding to my email with what I asked you to
do, realize that there is something you need to do to improve my
experience. This is way more constructive than enforcing the status quo
which is not going to last as more people shift toward biometric
authentication because of the ease for those with and without disabilities!
Enforcing a policy that taxes me as the customer is outright wrong. Change
the policy.


I also *already* *said* (intentionally emphasized to clearly convey my
frustration with you), “Otherwise, please make my current email address
chaynesm at andrew.cmu available for use with a new personal account,” yet you
did not do this. Now, another email is required in order for you to get
this done.


Please do the latter while you work on speaking up to administrative staff
and learn how to be in solidarity with your constructive customers when
they are absolutely right!


Sincerely (no undertone and glad to conduct a study on how this could
expand accessibility for those with disabilities.  Think about the blind or
visually impaired, those with motor disabilities, and cognitive
disabilities who may not remember where they put their recovery codes. ...I
am learning more about how to create accessible web applications myself.)

Carl

On Thu, Jan 19, 2023 at 8:19 AM GitHub <support at githubsupport.com> wrote:

> *Picard* (GitHub Support)
>
> Jan 19, 2023, 1:19 PM UTC
>
> Hi again,
>
> Thanks for the follow up. In order for 2FA to be disabled on the account,
> you would need to satisfy the security requirements you asked us to enforce
> when 2FA was enabled. Those requirements are based on access to the
> verified email address and password, and one of the following:
>
>    - TOTP authenticator application or SMS number
>    - Recovery codes
>    - SMS fallback number (not set up)
>    - U2F security key (not set up)
>    - SSH key (not set up)
>    - Personal access token (not set up)
>
> Since we don't collect any physical forms of identification at the time
> you set up an account, it's not possible for us to use those - or other
> social/biographic details - as comparisons for verifying identity or
> account ownership after the fact. That is to say, any ID (or details) you
> offer to share can give us no indication whether you are the same
> individual who activated 2FA for the account.
>
> With that in mind, if you are unable to provide secondary authentication
> via one of the methods that are enabled on the account, we unfortunately
> will not be able to help you regain access. I know this news is far from
> what you were hoping to hear and this isn't the outcome any of us would
> have hoped for, but to ensure the integrity of 2FA for all users, we cannot
> relax our security policies.
>
> Please let us know if you have any other questions, or if you'd like us to
> go ahead and remove your username and email address from the account.
>
> Warm regards,
> Picard
>
> *Dr. Carl C. Haynes-Magyar*
>
> Jan 18, 2023, 1:38 PM UTC
> Hi Picard,
>
> Is there no way to update my phone number and/or biometrically verify who
> I am?
>
> Otherwise, please make my current email address chaynesm at andrew.cmu
> available for use with a new personal account.
>
>
>
> *Picard* (GitHub Support)
>
> Jan 18, 2023, 10:08 AM UTC
>
> Hi Carl,
>
> Thanks for the follow up, and sorry to hear you're still having trouble
> accessing your account.
>
> The quickest way to recover access would be by using one of the *account
> recovery codes* that we strongly encouraged be kept safe when 2FA was
> enabled. Even if you think you might not have them, you may have saved your
> recovery codes to a password manager or somewhere on one of your devices.
> The default filename for these codes is github-recovery-codes or
> github-recovery-codes.txt. For more information about using a recovery
> code, read Using a two-factor authentication recovery code
> <https://docs.github.com/authentication/securing-your-account-with-two-factor-authentication-2fa/recovering-your-account-if-you-lose-your-2fa-credentials#using-a-two-factor-authentication-recovery-code>.
>
> I'll note that 2FA was configured on the account with a *security key*.
> If you still have this key, you can use it to recover access to the
> account. For more information, read Authenticating with a security key
> <https://docs.github.com/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa/recovering-your-account-if-you-lose-your-2fa-credentials#authenticating-with-a-security-key>.
>
> If you don't have the phone number used to set up 2FA, a valid recovery
> code, or a security key, I'm afraid we'd be unable to restore access to the
> account.
>
> In this situation, I would suggest *creating a new GitHub account*.
> Here's what I can do for you. We can make your current email address
> (*chaynesm at andrew.cmu.edu*) available for use with a new personal account.
>
> Let me know if you would like to have your email address made available.
> You'll be able to create a new account with it after we action the
> unlinking. It should help you get things back to the way they were, as much
> as possible.
>
> As for the account username (*@cchmagyar*), we could release this to you
> in time but we would have to wait until the account was sufficiently
> dormant. You're welcome to check back in with us in *two weeks' time* to
> determine if we'll be able to release the username to you.
>
> You can push any local copies of your private repositories to your new
> account and fork any public repositories from your old account. We aren't
> able to transfer any repositories over from the old account.
>
> If you need access to an Organization or someone else's repository
> restored, you'll need to ask the relevant owner/administrator to invite
> your new account once it is set up. We aren't able to transfer any access
> permissions over from the old account.
>
> I realize that this would be a disappointing outcome, but I hope you can
> appreciate that this approach to account access is important for ensuring
> the security of GitHub accounts that have two-factor authentication enabled.
>
> If you have any other questions, as always, do let us know.
>
> Warm regards,
> Picard
>
> *Dr. Carl C. Haynes-Magyar*
>
> Jan 17, 2023, 6:02 PM UTC
> Hi Picard,
>
> Please find a way around this such as me sending government documentation
> to fix this or create a policy by raising this issue to admins who have the
> power to change this!  I have private repositories that I will not be able
> to clone.
>
> Thank you,
> Carl
>
> *Picard* (GitHub Support)
>
> Jan 17, 2023, 1:17 PM UTC
>
> Hi there,
>
> Thanks for reaching out, and sorry to hear you're having trouble accessing
> your account.
>
> In order to regain access, you would need to track down the recovery codes
> that were downloaded when 2FA was enabled on the account. Even if you don’t
> think you have access to these anymore, I'd recommend checking any backups,
> cloud services, and password managers you have. By default, these would've
> been saved as *github-recovery-codes.txt.*
>
> If you don't have valid recovery codes or the SMS number, I'm afraid we'd
> be unable to help you regain access to the account, as no other recovery
> methods were set up.
>
> That said, we could remove your email address from the account which would
> allow you to use this address to register for a new account. Once the new
> account is created, you can fork or push any existing, public repositories
> over from this account and if your commits were authored with this email
> address, they'll automatically be re-associated with your new account.
>
> As for the account username cchmagyar, we could release this to you in
> time but we would have to wait until the account was sufficiently dormant.
> You're welcome to check back in with us in two weeks' time to determine if
> we'll be able to release the username to you.
>
> While we understand this may be less than ideal, please let me know if
> this would be helpful.
>
> Warm regards,
> Picard
>
> *Dr. Carl C. Haynes-Magyar*
>
> Jan 13, 2023, 10:54 PM UTC
>
> **Account Name**: cchmagyar https://github.com/cchmagyar
>
> ---
>
> I need to update my phone number from 734-492-2720 to 412-463-5615.