
I use 2FA with GMail and the same question could be asked. The answer is that an application password does not have admin rights to the account. It can be revoked at any time. It traces the breach directly back to a particular application. They are not meant to be memorized but rather to be set and remembered in a particular application which means they can be extremely complex and are by default. I have to think that at least some of this is applicable to GitHub's 2FA.

Your points are good ones for something like GMail (where a single account allows access to many Google services and includes a potentially huge trove of other private data).

For github though, the repos you have read (or commit if vandalism is the risk) access to are the data in question, so unless you use your github account for other things, I'm still not really seeing the benefit to the end user if you still have to store OAuth tokens everywhere you actually use git.

Can github issue OAuth tokens that are restricted to a specific repo? At least that would prevent a token leak exposing other repos that you had access to.
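The token model the two comments describe (per-application secrets with no account-level rights, restricted to specific repos, revocable one application at a time, and attributable in an audit log), as an added example that is not part of the thread and does not model GitHub's or Google's real token APIs. The `TokenStore`, `run_scenario`, the application names and the repo names are all constructed for illustration:

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class AppToken:
    """One token, bound to one application and a fixed set of (repo, permission) scopes."""
    app_name: str
    scopes: frozenset
    revoked: bool = False


class TokenStore:
    """Hypothetical server-side store for per-application tokens (constructed for this example)."""

    def __init__(self):
        self._tokens = {}    # sha256(secret) -> AppToken; the plaintext secret is never stored
        self.audit_log = []  # (app_name, repo, permission, outcome), one entry per use

    def issue(self, app_name, scopes):
        """Mint a high-entropy secret for one application, restricted to the given scopes."""
        # Never meant to be memorized: set once in the application's config, so it can be long.
        secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self._tokens[digest] = AppToken(app_name, frozenset(scopes))
        return secret

    def authorize(self, secret, repo, permission):
        """Return True if the token may perform `permission` ('read' or 'write') on `repo`."""
        tok = self._tokens.get(hashlib.sha256(secret.encode()).hexdigest())
        if tok is None:
            self.audit_log.append(("<unknown token>", repo, permission, "denied"))
            return False
        # 'write' on a repo implies 'read' on it; no scope ever implies account-level rights.
        granted = (repo, permission) in tok.scopes or (
            permission == "read" and (repo, "write") in tok.scopes
        )
        allowed = granted and not tok.revoked
        self.audit_log.append((tok.app_name, repo, permission, "allowed" if allowed else "denied"))
        return allowed

    def revoke_app(self, app_name):
        """Revoke every token issued to one application, leaving other applications untouched."""
        count = 0
        for tok in self._tokens.values():
            if tok.app_name == app_name and not tok.revoked:
                tok.revoked = True
                count += 1
        return count


def run_scenario():
    """Walk through the thread's scenario; returns a dict of outcomes for inspection."""
    store = TokenStore()
    ci_token = store.issue("ci-runner", {("org/app", "read")})       # read-only, one repo
    bot_token = store.issue("release-bot", {("org/app", "write")})   # commit rights, same repo

    results = {
        "ci_read_app": store.authorize(ci_token, "org/app", "read"),        # True
        "ci_write_app": store.authorize(ci_token, "org/app", "write"),      # False: read-only scope
        "ci_read_other": store.authorize(ci_token, "org/secrets", "read"),  # False: other repo
        "bot_read_app": store.authorize(bot_token, "org/app", "read"),      # True: write implies read
    }
    # A leaked CI token shows up in the audit log under 'ci-runner', so that app alone is revoked.
    results["revoked"] = store.revoke_app("ci-runner")                          # 1
    results["ci_after_revoke"] = store.authorize(ci_token, "org/app", "read")     # False
    results["bot_after_revoke"] = store.authorize(bot_token, "org/app", "write")  # True: unaffected
    results["attributed_to"] = sorted({entry[0] for entry in store.audit_log})
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the last three steps: because each application holds its own token, a leak is attributable to one application by name, revoking that one application's tokens does not disturb the release bot, and a token scoped to `org/app` gives no leverage on `org/secrets` even before revocation. Storing only a hash of the secret means a dump of the token table does not hand out usable credentials.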
