Whenever I try to log in to GitHub from a different Ubuntu machine on the same network, it prompts me to provide a device verification code.

How does GitHub understand that I am logging in from a different device, since I am using the same OS/version/source IP?

Is there a way to spoof the deviceId so that I stop getting this prompt?

Marinos An

1 Answer

I don't know exactly what technique GitHub uses, but it's likely a cookie in your browser or some other sort of local storage. It is known that if you clear your cookies, the prompt will reoccur.

This technique exists to avoid problems with weak or compromised passwords which can lead to account takeovers. An attacker would have to have both the account password and access to the email account, which is somewhat more difficult.

There is no way to avoid this, since the goal is to ensure that you have more than just the password to log into the account. If you enable two-factor authentication, however, that will disable device verification, since you already have something more than just the password to log in.

Even if you don't care about your account's security, GitHub does, since compromised accounts are a source of abuse and spam. This is unfortunately a global problem on the Internet today.

bk2204
  • Thank you for the answer. "Even if you don't care about your account's security, GitHub does": It's a matter of balance between user experience and security, e.g. it is very easy to create a secure system that is inaccessible by the users, and then blame users for not being able to access it. [Community response](https://github.community/t5/How-to-use-Git-and-GitHub/Disable-Remove-email-quot-Device-verification-quot-prompt-on/td-p/28938) – Marinos An Mar 23 '20 at 11:57
  • Sure, there's a tradeoff here. In this case, 2FA probably involves a better experience if you're switching machines a lot, but the device verification is no more onerous than 2FA, and that's a standard security practice. I turn on 2FA because _I_ want my accounts to be secure. – bk2204 Mar 23 '20 at 22:32
  • GitHub 2FA has a tradeoff: providing your cell phone number. – Marinos An Mar 24 '20 at 16:45
  • GitHub provides multiple 2FA forms that don't require a cell phone number. You can use an app like Authy or Google Authenticator or a security key like a Yubikey. In fact, there are countries where GitHub can't do SMS 2FA, so a phone number is definitely not required. – bk2204 Mar 24 '22 at 22:48
  • The given community response was deleted from the github community, so I cannot read it. – user3471872 Sep 19 '22 at 11:26
  • Also, I **do** care for security. That's why I don't use weak passwords. I also use lots of different browsers on different machines and they normally delete cookies and browser data when the last tab was closed. - So it's most annoying to be bothered with a newly detected device on every single log-in! – user3471872 Sep 19 '22 at 11:32
  • GitHub is [going to require most accounts to use 2FA by the end of 2023](https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/). If you adopt that best practice now, then your problem goes away. Both TOTP and YubiKeys are very easy to use. – bk2204 Sep 19 '22 at 12:18
  • Besides the fact that YubiKey does not sound like true security (I've learned in school that "security through obscurity" means **no** security at all [and no trust], because it violates Kerckhoffs's principle.), does this mean I will have to use some kind of TAN procedure for every comment or issue I want to add??? I'm not working on any projects, I only help developers by creating bug reports, making proposals for solutions and so on. I would regard it as overkill to use some kind of TAN generator just for that. – user3471872 Sep 19 '22 at 17:45
  • A YubiKey with WebAuthn is actually the most secure option and is the only phishing-resistant option. If you read the article, it says that only people pushing code need 2FA, and it will only be required for logging in. If you have more questions or concerns about 2FA methods and their security, please take it to Information Security StackExchange instead of the comments here, which are too small to explain things properly. – bk2204 Sep 19 '22 at 17:52
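The mechanism the answer describes, as an added illustration (not GitHub's implementation and not code from anyone in this thread): after the emailed code is entered, the server sets a server-signed cookie bound to the account, so a browser without that cookie is an "unknown device" no matter how similar its OS or source IP, clearing cookies brings the prompt back, and the client cannot mint a cookie itself because the signing key never leaves the server. The token format, the 30-day lifetime and the decision strings are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed for this example: a real service loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)
DEVICE_TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime of a verified-device cookie (30 days)


def issue_device_token(user: str, now: float) -> str:
    """Mint the cookie set after a correct email code: user-bound and server-signed,
    so a client cannot forge one (there is no client-chosen 'deviceId' to spoof)."""
    payload = f"{user}|{int(now) + DEVICE_TOKEN_TTL}|{secrets.token_hex(8)}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def device_is_verified(user: str, cookie: Optional[str], now: float) -> bool:
    """True only for an untampered, unexpired token issued to this same user."""
    if not cookie:
        return False  # fresh browser, or cookies cleared: nothing to recognise
    try:
        tok_user, exp, nonce, sig = cookie.split("|")
    except ValueError:
        return False
    payload = f"{tok_user}|{exp}|{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or edited cookie
    return tok_user == user and int(exp) > now


def login(user: str, password_ok: bool, cookie: Optional[str], now: float,
          two_factor_enabled: bool = False) -> Tuple[str, Optional[str]]:
    """Decide the next step after the password check; returns (decision, cookie to set)."""
    if not password_ok:
        return "denied", None
    if two_factor_enabled:
        return "require_2fa", cookie  # a second factor replaces device verification
    if device_is_verified(user, cookie, now):
        return "ok", cookie  # recognised browser: no email code needed
    return "require_email_code", None  # unknown device, regardless of OS or source IP


def complete_email_verification(user: str, now: float) -> Tuple[str, Optional[str]]:
    """Called once the user enters the mailed code; the response sets the cookie."""
    return "ok", issue_device_token(user, now)
```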