@risottobias : I prefer threat modeling over risk management, but in the end we (security people) often overlook simple things.
Like users not looking at domain names in the address bar of their web browser at all, not knowing how to interpret domain names, not knowing about IDNs, and (last but not least) not knowing how to figure out that a given domain name does NOT belong to the organization that the webpage (and preceding message) suggests it belongs to: https://infosec.exchange/@ErikvanStraten/113459213340803062
Phishing is one of the (if not THE) biggest problems on the internet (and MFA using TOTP does not fix that problem).
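As an added example (not part of the post or of any project it references), a small Python checker that makes the "interpret the domain name" step concrete: it extracts the host from a URL, decodes punycode IDN labels back to what they display as, compares the registrable domain against the organization's real domain, and flags labels that mix scripts. The two-label registrable-domain rule, the first-word-of-character-name script heuristic and the sample URLs are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

def hostname_of(url):
    """Lowercase host part of a URL ('' if absent): the part the address bar actually shows."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""

def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for this example: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def decode_idn(host):
    """Convert punycode (xn--) labels back to Unicode so the displayed form can be inspected."""
    return ".".join(
        label.encode("ascii").decode("idna") if label.startswith("xn--") else label
        for label in host.split(".")
    )

def letter_scripts(label):
    """Scripts of the letters in a label, read from the first word of each Unicode character
    name (e.g. 'LATIN', 'CYRILLIC'); a cheap stand-in for the Unicode Script property."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def assess(url, trusted_domain):
    """Return a list of human-readable findings; an empty list means the host is trusted_domain."""
    host = hostname_of(url)
    shown = decode_idn(host)
    findings = []
    reg = registrable_domain(host)
    if reg != trusted_domain:
        findings.append(f"registrable domain is {reg!r}, not {trusted_domain!r}")
    if shown != host:
        findings.append(f"host contains IDN labels and would display as {shown!r}")
    for label in shown.split("."):
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    return findings

# Constructed sample URLs (not from the post). The third builds a look-alike host whose 'a'
# is Cyrillic U+0430, then takes the ASCII/punycode form a browser may show for it.
LOOKALIKE_HOST = "ex\u0430mple.com".encode("idna").decode("ascii")
SAMPLES = [
    "https://www.example.com/login",
    "https://example.com.evil-attacker.example/login",
    "https://" + LOOKALIKE_HOST + "/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", assess(url, "example.com") or ["no findings"])
```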