Comment by abxyz

Comment by abxyz 19 hours ago

25 replies

View on Hacker News

> I can't, however, provide any 2FA codes or backup codes because they are printed on paper that has, I assume, been destroyed.

The situation you are in is very unfortunate and I am sympathetic but in GitHub's defence, this is exactly what I hope would happen when I enable 2FA. I would be very perturbed to find out that GitHub would grant access to my account given identity documents. There are some creative solutions (e.g: a countdown to the reset with progressively more aggressive email notifications to ensure the account holder is aware) but even they are problematic. So, this sucks, but it's the price we pay for security.

joshmn 19 hours ago

That's the same stance I have and why I'm torn. The little quirk here—where it makes slightly more sense—is that they received a legal notice at one point (from the US Government) about my account, there are plenty of online articles to corroborate me as me, and I have a fancy prison release ID that can help me identify me. Unfortunately this context is probably lost on the individuals who work their Zendesk.

The policies are rather draconian as others have mentioned. Anyone could be the victim of theft; mine just has an awkward paper trail attached to it.

Reply View 18 replies
  • abxyz 18 hours ago

    I think the disconnect between you and GitHub support is that you're positioning this as a problem of proving your identity whereas for GitHub support it is a policy. The GitHub policy is: you lose your 2FA, you lose your account. Verifying your identity is not relevant. GitHub provides extensive tooling to protect your account (multiple methods of 2FA, recovery codes etc.) and so from their perspective, while this is deeply unfortunate, the policy is very clear and allowing you access to the account would be a major security issue (not for your account specifically, but for GitHub as an organization).

    edit: https://docs.github.com/en/site-policy/other-site-policies/g...

    Reply View 15 replies
    • ryandrake 18 hours ago

      These (for good reason) draconian policies are the reason I am still hesitant to embrace 2FA. I understand the significant improvement in your security posture, and I would not want someone not-me to be able to reset my credentials. But the failure mode is just too catastrophic. You lose one thing and you are shit out of luck.

      We need something better. I don't know what it would be.

      Reply View 11 replies
      • cxr 10 hours ago

        > We need something better. I don't know what it would be.

        Choosing a long, very secure password for your account works really, really well. GitHub hates this, however, and nudges toward less secure practices that are more likely to result in the sorts of compromises described in this thread.

        Reply View 0 replies
      • alwa 18 hours ago

        I for one would appreciate the option to put an ID on file ahead of time, at least for important stuff like this. I like digital-only accounts for play, but for work stuff with real-world consequence, I’d like to link it to a real-world identity system…

        Not unlike the signature cards banks used long ago, I guess.

        Sure, maybe somebody motivated could defraud the government into issuing them a replacement ID in my name. But that’s big boy crime, not a casual “bribe a retail employee to SIM swap” kind of undertaking.

        Sure, there are issues of access to government ID systems, and I know anything touching government names / “show me your papers” raises hackers’ hackles—I’m not saying require it, just that I’d choose it if it were a MFA option of last resort.

        Reply View 8 replies
      • saint_yossarian 18 hours ago

        You can use a TOTP authenticator with backup support (I use Aegis on Android, and less critical ones in Bitwarden), and backup your recovery codes.

        Reply View 0 replies
    • michaelmior 18 hours ago

      Part of the problem here is that there is no prior association of an identity with an account. So proving who you are is somewhat irrelevant since even if the account has your name, email, and photo, that's no guarantee that the account was created by you. If identity verification were required ahead of time, then perhaps verifying identity after loss of access could be reasonable recovery method. But of course there are many reasons why requiring such verification is problematic.

      Reply View 0 replies
    • amatecha 18 hours ago

      Someone high enough in the food chain at GitHub can override that policy at their whim. I have personally had my day saved by that very "loophole" in another "lost access to an online service" situation in the past.

      Reply View 0 replies
    • MrGilbert 18 hours ago

      I'd assume that there is simply no "ok, this individual got released from prison and can proof everything" policy in place, and that might be the real issue here. Big organizations begin to tumble once you request something where there are no policies in place.

      Reply View 0 replies
  • werkwolk 5 hours ago

    Why do I feel most of this is ai created text...whoever is posting will probably adjust their prompt, but who uses '-' mid text?

    Reply View 0 replies
  • hluska 18 hours ago

    I’m not sure that blaming tech support for not understanding context is the best approach here. The other sides of that context, which are understandable from their point of view, is that you were charged with some serious crimes. There’s a large delta between the charges and the conviction, but you’ve got some scary words written about you online. Secondarily, GitHub has policy so whereas you’re coming at it from a position of being correct, they’re in a position where they have to break policy. That’s a big risk.

    Your best bet would likely be legal. US Federal law imposes some strict rules on lawyers for identity verification to combat money laundering so attorneys have a legally recognized toolkit to verify identity. Having a third party who works for you in the mix could help. Though again, it would involve breaking their policy so this would be a decision made several layers above Zendesk access.

    Otherwise, I think this is doing precisely what 2FA is meant to do. It’s not okay for you and you’ve clearly lost a lot because of this, but with the current threat environment, GitHub has to be very careful especially with 2FA. From their point of view, there likely isn’t that big of a gap between your interactions and interactions with people who are trying to take over accounts. A lawyer may not work, but it sure changes that equation.

    Reply View 0 replies
zerr 18 hours ago

The person should be able to walk in the service provider's office and get an in-person help, restoration of access, by presenting ID docs.

Reply View 0 replies
kramer2718 17 hours ago

I agree that simply emailing in copies of identity documents after the fact shouldn't be sufficient. However, there should be a verification process that includes verification of identity documents through legal means, including perhaps a processing fee. The fee would preclude many attackers from even trying to break this process.

Maybe this would only work for new accounts as you'd probably need to provide identity information on before losing access.

Reply View 0 replies
Retr0id 18 hours ago

As a matter of policy, sure. But at the same time, I bet there are some GitHub employees reading this that would be in a position to pull some strings and make an exception. For OP's sake, I hope I'm right!

Reply View 3 replies