It’s not that the gp is trying to avoid being secure.
It’s that for a service that you only need a few times a year, mandating 2FA is an unnecessary hassle that can lead to user frustration.
I’ve experienced the same with Gitlab. I rarely use Gitlab and don’t have anything important hosted there but when a project I was a member of enabled 2FA for all contributors, it made my Gitlab account completely frustrating to use.
Typical scenario: I’m trying to do something brief on Gitlab that requires me to be logged in, so I log in, then get shown an interstitial page saying I cannot proceed until I enable 2FA on my Gitlab account. Every action I attempt while logged in will fail unless I either enable 2FA or remove myself from the project that enabled mandatory 2FA after I was added.
GitHub’s 2FA implementation is night-and-day better than Gitlab’s, but I imagine the user frustration must be similar if you find yourself suddenly having to enable 2FA because a GitHub org you were already part of mandates it.
True, but the alternative is that people with valuable projects to secure don't do that (because they aren't forced to), and lose things.
That said, the sign-in flow with a Passkey and BitWarden is great. Click "sign in with a passkey", click "confirm", done. No username, password, or 2FA required.
One day I hope BitWarden implements my suggestion of not requiring that second click if you only have one key.
Maybe they could have offered me the choice to "uncontribute" to that project, that is, transfer my commits to the admin or to another account of mine that I would create, transfer the commits to, and never access again after that. Then no more 2FA for opening issues and commenting on other projects.
I wonder if I can delete my account and create it anew with the same email and (probably) a different username.