Following some more details, I get to an actually reassuring (to me anyway) claim:
"Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods"
Given that I use GitHub to publish code, I can't lose access to the code - it's published - but I would worry that other people might be able to impersonate me and e.g., publish an update with a backdoor. Or the hypothetical impersonator could write racist garbage in every GitHub issue tracker they can find until the account is terminated, which hurts my reputation.
I think I feel the same about lots of other things. This HN account for example. Amazon. Facebook.
Probably not my bank, and not my government. I want the government to be willing to eat the cost of verifying that yup, I'm me - and never pretend that if that's too expensive it's somehow not their problem. It's disgusting for example that a Tory government destroyed records of who this country had invited from the West Indies in the 1940s and 1950s, then, knowing it no longer had those records, tried to deport people who had no proof of citizenship, arguing they must have come here illegally and should be sent "home" to a country they'd not seen for seventy years...
It looks like Facebook is the partner used and there might be motivation to move away from using them as a partner for identity proofing as part of the identity operation (where as Github could use someone like Stripe Identity instead, with the cost being ~$2 per proofing request [1]).
Tangentially, I support anyone moving away from Facebook for identity purposes.
But this was not a use case that was using proof of real-world identity. How could that service possibly be relevant in any way?
In fact, Github would know nothing about the identity of the Facebook account (and vice versa). This connection would be completely anonymous from both their perspectives. All Github could find out is is that somebody trying to recover the account had access to the preregistered (but unknown) Facebook account. And all Facebook would find out is that a user was recovering some unknown Github account.
There are many paths to account recovery, and using real world identity as the cost comes down is a legitimate path forward versus "Facebook identity."
"Warning: For security reasons, GitHub Support may not be able to restore access to accounts with two-factor authentication enabled if you lose your two-factor authentication credentials or lose access to your account recovery methods"
Given that I use GitHub to publish code, I can't lose access to the code - it's published - but I would worry that other people might be able to impersonate me and e.g., publish an update with a backdoor. Or the hypothetical impersonator could write racist garbage in every GitHub issue tracker they can find until the account is terminated, which hurts my reputation.
I think I feel the same about lots of other things. This HN account for example. Amazon. Facebook.
Probably not my bank, and not my government. I want the government to be willing to eat the cost of verifying that yup, I'm me - and never pretend that if that's too expensive it's somehow not their problem. It's disgusting for example that a Tory government destroyed records of who this country had invited from the West Indies in the 1940s and 1950s, then, knowing it no longer had those records, tried to deport people who had no proof of citizenship, arguing they must have come here illegally and should be sent "home" to a country they'd not seen for seventy years...