2FA is no good

1 | Author: zzo38computer | 1 day ago | original post
2FA is no good; it does not improve security much.

GitHub requires it (although it is unclear if it is required for API access; I almost entirely use the API access anyway), but that doesn't help. Also, the method of setting it up does not even work (it just gets stuck in a loop), and other people are complaining about this too, so it is not only me.

Some people say it may make it less secure, which is possible (since you will need to add other things to handle it, including recovery codes).

Some people say it allows Microsoft to spy on you, but TOTP doesn't allow anyone to spy on anyone. Some say it requires a mobile phone, but TOTP does not require that either.

What would actually help security on GitHub (or other git hosting services) are two things: X.509 client certificates and signed releases (both should probably be used together). Neither requires JavaScript, and neither makes it possible to steal your credentials. This also has other advantages, e.g. single sign-on.