Re: [QUESTION]Is it possible that git would support two-factor authentication?

["Theodore Ts'o" <tytso@mit.edu>]

On Wed, Aug 11, 2021 at 09:50:55AM -0400, Konstantin Ryabitsev wrote:
> On Wed, Aug 11, 2021 at 07:00:50PM +0800, lilinchao@oschina.cn wrote:
> > Many websites support two-factor authentication(2FA) to log in,
> > like Github, I wander if we can support it in application layer.
> > When client clone something, they need  input username and
> > password, it is like a website login process. For security, we can
> > enable  2FA during this process.
> 
> As you well know, "cloning" a repository can be done via any number of
> mechanisms:
> 
> 1. locally from another repository on disk
> 2. locally, from a git bundle file
> 3. remotely, using the anonymous git:// protocol
> 4. remotely, using ssh or http(s) protocols
> 
> 2-factor authentication does not make sense in the first three cases (you
> already have access to all the objects with 1 and 2, and the git:// protocol
> is public and anonymous by design). For the ssh/https scheme, 2fa is already
> supported by the underlying protocol, so it does not make sense for git to
> implement it again on the application level.

It might be helpful to be explicit about what *kind* of two-factor
authentication you are interested in.  There are multiple different
kinds of 2FA systems, including ssh keys stored on a hardware token
such as a smartcard or a Yuibikey, U2F Fido systems using a security
key, TOTP or HOTP otp systems, etc.

Each of these systems have different tradeoffs in terms of ease of use
from the user perspective (both from the point of view of initial
setup and day-to-day use after getting set up), security against MITM
attacks, and ease of integration/deployment from the system
administrator's perspective.

Cheers,

						- Ted