isaacs / github

Just a place to track issues and feature requests that I have for github

Able to change Two Factor settings without (re)entering password. #1383

Open PBXg33k opened 5 years ago

PBXg33k commented 5 years ago

I would expect the TFA settings to be handled the same way as the SSH keys settings regarding to security/sensitivity.

I noticed I was able to change my TFA device without having to validate my account, as it was already logged in on my private machines. In my case I needed to update my TFA device since it got replaced, but I would imagine it could be possible for someone with less genuine intentions to take over an account if it were logged in on a device.

Adding SSH keys always requires the user to enter his/her password in order to authenticate the user, even if the user is already logged in. Shouldn't TFA be handled the same way?

PBXg33k commented 5 years ago

Contacted GitHub regarding this and received the following response. Sent a follow up mail, waiting for response.

Hey there,

Thanks for reaching out!

After a period of inactivity, you'll be prompted to enter your password anytime you attempt to view sensitive account or repository settings. After that password is provided, it's not necessary to enter it again unless another period of inactivity occurs. This is described here:

https://help.github.com/articles/sudo-mode

If you entered your password at all in the hours leading up to accessing your account's two-factor authentication settings, you should not have been prompted for a password - your account would already have been in Sudo mode.

Should you have any lingering questions or concerns, don't hesitate to let me know!

Best,
{redacted}

KLuuKer commented 5 years ago
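The support reply describes a "sudo mode": one password confirmation unlocks sensitive settings for a window of time, after which the user is re-prompted. The issue is that SSH-key changes were on the gated list while two-factor settings apparently were not. The following is an added illustration (not GitHub's code) of how such a gate is typically modelled server-side, with both SSH-key and two-factor actions on the same sensitive-action list; the one-hour window, the action names and the `verify` callback are assumptions.

```python
"""Sudo-mode gate for sensitive account settings (added example, not GitHub's code).

A password confirmation puts the session into sudo mode for SUDO_WINDOW;
any sensitive action attempted outside that window raises SudoRequired so
the caller can re-prompt.  Every sensitive action, 2FA device changes
included, goes through the same check as adding an SSH key.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

# Assumed window length; the real service's value is not stated in the thread.
SUDO_WINDOW = timedelta(hours=1)

# Assumed action names. The point is that 2FA changes sit on the same list as SSH keys.
SENSITIVE_ACTIONS = frozenset({
    "ssh_key.add",
    "two_factor_authentication.enable",
    "two_factor_authentication.disable",
    "two_factor_device.change",
    "two_factor_recovery_codes.download",
})


@dataclass
class Session:
    user: str
    # Wall-clock time of the last successful password confirmation, if any.
    password_confirmed_at: Optional[datetime] = None


class SudoRequired(Exception):
    """Raised when the caller must re-enter the password before proceeding."""


def in_sudo_mode(session: Session, now: datetime) -> bool:
    """True while the last password confirmation is younger than SUDO_WINDOW."""
    if session.password_confirmed_at is None:
        return False
    return now - session.password_confirmed_at < SUDO_WINDOW


def confirm_password(session: Session, supplied: str,
                     verify: Callable[[str, str], bool], now: datetime) -> bool:
    """Enter sudo mode if `verify(user, supplied)` accepts the credential.

    `verify` stands in for the real credential check (hypothetical callback).
    """
    if not verify(session.user, supplied):
        return False
    session.password_confirmed_at = now
    return True


def perform(session: Session, action: str, now: datetime) -> str:
    """Run an account action; sensitive ones are refused outside sudo mode."""
    if action in SENSITIVE_ACTIONS and not in_sudo_mode(session, now):
        raise SudoRequired(action)
    return f"{session.user}:{action}:ok"


if __name__ == "__main__":
    t0 = datetime(2019, 1, 1, 12, 0)
    s = Session(user="alice")
    try:
        perform(s, "two_factor_device.change", t0)
    except SudoRequired as e:
        print("re-prompt needed for", e)
    confirm_password(s, "hunter2", lambda u, p: p == "hunter2", t0)
    print(perform(s, "two_factor_device.change", t0 + timedelta(minutes=5)))
```

The important design point is that the gate keys off the action, not the page: a client that posts directly to the 2FA endpoint still hits the same `in_sudo_mode` check as one that goes through the settings UI.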

I can confirm the same problem exists for me. Here is a snippet from my security log. I tried it on a browser that hadn't had GitHub open that day and had been logged in on a while back. And when attempting to add SSH keys to my account it will prompt me for a password (which I did not enter), so sudo wasn't in effect.

Security History age
two_factor_authentication.enabled – Originated from b.b.b.b 2 days ago
two_factor_authentication.disabled – Originated from b.b.b.b 2 days ago
user.two_factor_recovery_codes_downloaded – Originated from b.b.b.b 2 days ago
repo.create – KLuuKer/EndpointRoutingDemos 20 days ago
user.login – Originated from a.a.a.a 20 days ago
user.two_factor_challenge_success – Originated from a.a.a.a 20 days ago
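The security log above is what a defender would use to spot this after the fact: two-factor settings were changed two days ago, but the most recent login from that browser was twenty days earlier. The following added example (not part of the thread or of GitHub's tooling) parses log lines in the shape posted above and flags two-factor changes that have no authentication event from the same origin within a sudo-style window. The sample lines are constructed to mirror the post, with the same anonymised IPs; the one-hour window and the event classification are assumptions.

```python
"""Flag two-factor changes with no recent authentication from the same origin.

Added example, not GitHub's code.  Parses lines of the form
  "<event> – Originated from <ip> <n> <unit>s ago"
or "<event> – <object> <n> <unit>s ago" (no origin), then checks every
2FA-related event for a login/2FA-challenge event from the same IP that is
at most WINDOW older.  Ages in such logs are coarse, so this is a triage
heuristic, not proof.
"""
import re
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional

# Constructed sample in the shape of the security log posted in the thread.
SAMPLE_LOG = """\
two_factor_authentication.enabled – Originated from b.b.b.b 2 days ago
two_factor_authentication.disabled – Originated from b.b.b.b 2 days ago
user.two_factor_recovery_codes_downloaded – Originated from b.b.b.b 2 days ago
repo.create – KLuuKer/EndpointRoutingDemos 20 days ago
user.login – Originated from a.a.a.a 20 days ago
user.two_factor_challenge_success – Originated from a.a.a.a 20 days ago
"""

# Accept either an en dash or a hyphen as the separator.
LINE_RE = re.compile(
    r"^(?P<event>\S+) [–-] (?:Originated from (?P<ip>\S+)|\S+) "
    r"(?P<n>\d+) (?P<unit>minute|hour|day)s? ago$"
)
UNIT = {"minute": timedelta(minutes=1), "hour": timedelta(hours=1), "day": timedelta(days=1)}

# Assumed classification of the event names seen in the posted log.
TWO_FACTOR_EVENTS = frozenset({
    "two_factor_authentication.enabled",
    "two_factor_authentication.disabled",
    "user.two_factor_recovery_codes_downloaded",
})
AUTH_EVENTS = frozenset({"user.login", "user.two_factor_challenge_success"})

# Assumed sudo window; the real value is not stated in the thread.
WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class Entry:
    event: str
    ip: Optional[str]   # None for events with no "Originated from"
    age: timedelta      # how long ago, relative to when the log was read


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(Entry(m["event"], m["ip"], int(m["n"]) * UNIT[m["unit"]]))
    return entries


def find_ungated_changes(entries: List[Entry], window: timedelta = WINDOW) -> List[Entry]:
    """Return 2FA changes lacking an auth event from the same IP within `window` before them."""
    flagged = []
    for change in entries:
        if change.event not in TWO_FACTOR_EVENTS:
            continue
        # An auth event "before" the change has an age >= the change's age.
        recent_auth = [
            a for a in entries
            if a.event in AUTH_EVENTS and a.ip == change.ip
            and timedelta(0) <= (a.age - change.age) <= window
        ]
        if not recent_auth:
            flagged.append(change)
    return flagged


if __name__ == "__main__":
    for e in find_ungated_changes(parse_log(SAMPLE_LOG)):
        print(f"no recent auth from {e.ip}: {e.event} ({e.age.days} days ago)")
```

Against the constructed sample all three two-factor events are flagged, matching the pattern KLuuKer describes; a log in which a `user.login` from `b.b.b.b` appeared within the window before the change would produce no findings.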