On Wed, Aug 11, 2021 at 09:50:55AM -0400, Konstantin Ryabitsev wrote: > On Wed, Aug 11, 2021 at 07:00:50PM +0800, lilinchao@xxxxxxxxxx wrote: > > Many websites support two-factor authentication(2FA) to log in, > > like Github, I wander if we can support it in application layer. > > When client clone something, they need input username and > > password, it is like a website login process. For security, we can > > enable 2FA during this process. > > As you well know, "cloning" a repository can be done via any number of > mechanisms: > > 1. locally from another repository on disk > 2. locally, from a git bundle file > 3. remotely, using the anonymous git:// protocol > 4. remotely, using ssh or http(s) protocols > > 2-factor authentication does not make sense in the first three cases (you > already have access to all the objects with 1 and 2, and the git:// protocol > is public and anonymous by design). For the ssh/https scheme, 2fa is already > supported by the underlying protocol, so it does not make sense for git to > implement it again on the application level. It might be helpful to be explicit about what *kind* of two-factor authentication you are interested in. There are multiple different kinds of 2FA systems, including ssh keys stored on a hardware token such as a smartcard or a Yuibikey, U2F Fido systems using a security key, TOTP or HOTP otp systems, etc. Each of these systems have different tradeoffs in terms of ease of use from the user perspective (both from the point of view of initial setup and day-to-day use after getting set up), security against MITM attacks, and ease of integration/deployment from the system administrator's perspective. Cheers, - Ted
