Author Topic: How to bypass GitHub's new 'Enable two-factor authentication'.  (Read 7311 times)

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #25 on: August 17, 2023, 05:34:50 am »
Quote
Are you saying I need to buy some hardware to access GitHub?
I'm beginning to like 'KE5FX's idea except I know I will never get any traffic with some blind web page out there.

No. You could use SMS or an authenticator app (mobile or Windows based) or the GitHub mobile app. You're well aware of this. Again you're just ignoring reality because you don't like it.

You want "traffic"? For what? You're happy to use the free service provided but not happy to use it as is?

If you create your own web page/server/whatever you can do what you want with it. That seems like your best option at this point.
 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 3724
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #26 on: August 17, 2023, 06:05:48 am »

Quote
Are you saying I need to buy some hardware to access GitHub?

No, you need a software or hardware second factor, not both.

It's really not that hard; it's clearly documented. It's true the most common path involves using smartphone apps, and if that's not an option for you, you will have to look a bit closer. Go read the Wikipedia article on TOTP or the GitHub documentation that is linked above. All the answers are there and it shouldn't take you more than 10 minutes to set up and is available for essentially every platform in existence.
 

Offline EPAIII

  • Super Contributor
  • ***
  • Posts: 1069
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #28 on: August 17, 2023, 07:32:06 am »
I looked up GitHub. QUOTE,

"GitHub, Inc. is a platform and cloud-based service for software development and version control using Git, allowing developers to store and manage their code."

So if you want to be a developer, you need to put your code, YOUR CREATION on a cloud based service where others can hack into it and steal it?

Welcome to the new world order!

Why can't a developer just store the code on their own computer until it is time to sell it? And then sell it any way they want? Oh, wait! Oh, wait, that would mean that others won't control it and profit from your work. Yep, I think I have it now.

Gotta run and answer that angry knocking at my door - in the middle of the night. I probably won't be back. Bye!
« Last Edit: August 17, 2023, 07:34:40 am by EPAIII »
Paul A.  -   SE Texas
And if you look REAL close at an analog signal,
You will find that it has discrete steps.
 

Offline RoGeorge

  • Super Contributor
  • ***
  • Posts: 6207
  • Country: ro
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #29 on: August 17, 2023, 07:43:06 am »
Quote
The USB security key is just a simple USB device with a touch sensor. It's the most secure option but requires special hardware. It's not terribly expensive but it isn't free.
Are you saying I need to buy some hardware to access GitHub?
I'm beginning to like 'KE5FX's idea except I know I will never get any traffic with some blind web page out there.

Could self host your files, of course, but if you want some public repository hosting website (without mandatory 2FA), there is GitLab (not GitHub).  GitLab does about the same things as GitHub, it's free for individual users https://about.gitlab.com/pricing/ , and doesn't require 2FA.

Even more, once you log in to your GitLab account, you can import your project(s) from GitHub into GitLab with a few clicks from the GitLab webpage. Many users imported their repositories from GitHub to GitLab, and never looked back. Some also deleted their code from GitHub, others left an unmaintained copy on GitHub, too.

You can try importing your projects into GitLab anyway, whether you get 2FA for GitHub or not, and see if you like it:
https://gitlab.com
« Last Edit: August 17, 2023, 07:53:52 am by RoGeorge »
 
The following users thanked this post: Karel

Offline HwAoRrDk

  • Super Contributor
  • ***
  • Posts: 1480
  • Country: gb
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #30 on: August 17, 2023, 08:13:26 am »
Quote
Hmm... my GitHub account is not linked to a phone number, and I haven't received such an email. I wonder if this is something that's being gradually rolled out to users.

Yes, GitHub are doing a staged roll-out of 2FA to all users throughout 2023.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #31 on: August 17, 2023, 08:37:56 am »
TOTP suggestions for Linux users:
- otpclient (small and nifty TOTP tool)
- keepassxc (PW manager, TOTP hidden in the right-click-menu for entries)
 
The following users thanked this post: bingo600

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6848
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #32 on: August 17, 2023, 08:42:11 am »
You're being completely inflexible just because you don't like something IMO.

Why does one have to like everything? I bet there is stuff you don't like and are happy to whine about given half a chance, and what is wrong with that? If you don't like something it's not a crime to say so, or feel that way.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #33 on: August 17, 2023, 09:07:36 am »
Quote
You're being completely inflexible just because you don't like something IMO.
Why does one have to like everything? I bet there is stuff you don't like and are happy to whine about given half a chance, and what is wrong with that? If you don't like something it's not a crime to say so, or feel that way.

Sure, but don't just ignore the other options, hence my comment about being inflexible. At first it was "I won't use SMS", then it was "I don't know what TOTP is but haven't tried to look", then it was "I have to pay for a hardware key to use GitHub?" (obviously paraphrased)

As has been offered, if he doesn't like what GitHub want, he's perfectly free to take his business elsewhere.
« Last Edit: August 17, 2023, 09:13:34 am by Shonky »
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: fi
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #34 on: August 17, 2023, 11:30:03 am »
Quote
TOTP suggestions for Linux users:
- otpclient (small and nifty TOTP tool)
- keepassxc (PW manager, TOTP hidden in the right-click-menu for entries)

I'd suggest also oathtool for command-line usage.
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: fi
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #35 on: August 17, 2023, 11:35:01 am »
Password managers like Bitwarden can save the TOTP secret as well as have notes for the recovery keys.
Although, one should consider that this way is keeping all secrets in one basket: if the key to open the password manager is not strong enough or not kept safely enough, one would lose at the same time all the passwords AND all the TOTPs. So much for two-factors.
 
The following users thanked this post: KE5FX

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #36 on: August 17, 2023, 11:44:54 am »
Quote
Password managers like Bitwarden can save the TOTP secret as well as have notes for the recovery keys.
Although, one should consider that this way is keeping all secrets in one basket: if the key to open the password manager is not strong enough or not kept safely enough, one would lose at the same time all the passwords AND all the TOTPs. So much for two-factors.

Absolutely true, it does somewhat make it no longer 2 factor.

You can add 2 factor authentication on unlocking the password store if you wish via email, TOTP and a couple of other methods.
 

Offline bingo600

  • Super Contributor
  • ***
  • Posts: 1989
  • Country: dk
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #37 on: August 17, 2023, 04:50:33 pm »
Quote
TOTP suggestions for Linux users:
- otpclient (small and nifty TOTP tool)
- keepassxc (PW manager, TOTP hidden in the right-click-menu for entries)

THANX !!  :-+

I just set GitHub OTP w. keepassxc (Linux Mint).
I didn't even have to use the QR code, just click on the "Skip" URL, and it'll show you the GitHub TOTP seed.

"Right click" on your keepassxc GitHub entry, select TOTP, select Setup.
Paste the TOTP seed, let rest be default ... Done

GitHub login:
Log in as usual, user + pass.
Right click GitHub entry in keepassxc, select TOTP, select Copy TOTP (or just highlight the GitHub entry and press CTRL+T).
Paste it in GitHub 2FA "Box".

Edit: You'll find the TOTP (2FA) stuff @GitHub, under "profile --> password"

/Bingo
« Last Edit: August 17, 2023, 05:30:07 pm by bingo600 »
 
The following users thanked this post: BrianHG

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6848
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #38 on: August 17, 2023, 09:42:41 pm »
Quote
right click github entry in keepassxc, select TOTP, select Copy TOTP (Or just highlight the github entry and press CTRL+T)
Paste it in github 2FA "Box"

That's my problem with this stuff - it's a road bump (and not a small one). For most places I just go there and I'm in. If I had to manually log into everything every time I'd go mad with the amount of stuff that would involve, and most 2FA is exactly that kind of pissing about. (And you're stuffed if you're not at your PC because you cannot remember or otherwise access the 2FA key).

If we were talking about access to Microsoft's internals it would be fair enough, but it's our data and if someone nicks it or corrupts it it's our fault and our tears. Not theirs. I agree with the previously stated viewpoint that when it comes to our stuff it should be our choice. We are grown people who know the risks and can deal with them appropriately (and if we can't then it's our tough shit, that's all).
« Last Edit: August 17, 2023, 10:02:31 pm by PlainName »
 

Offline abeyer

  • Frequent Contributor
  • **
  • Posts: 292
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #39 on: August 17, 2023, 09:52:19 pm »
Sometimes I read this forum and just shake my head in regret that I didn't take up haberdashery and buy an industrial scale supply of tin foil.
 
The following users thanked this post: ajb, newbrain

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #40 on: August 17, 2023, 10:02:08 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why?

It's there to protect you and your account. Cyber attacks are getting increasingly sophisticated and ultimately, people are lazy and use recycled, weak or compromised passwords all the time. Whilst you might use a strong password, doesn't mean that it can't be compromised in a data breach.

People should embrace multifactor authentication as it's here to stay. Its implementation is as difficult as you make it. For me, I use Bitwarden both on my PC and my phone, so I always have my TOTP codes with me, which is tied to my Yubikey that's always in my pocket (or nearby).
« Last Edit: August 17, 2023, 10:04:33 pm by Halcyon »
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6848
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #41 on: August 17, 2023, 10:08:01 pm »
Quote
It's there to protect you and your account.

Do you log into your PC? I don't mean do you have a password set up, but do you have to manually enter it every time you go to your PC? I recall that once upon a time at least one Linux distro enforced that, but even they succumbed to allowing auto logon.

Now we're in a highly connected world with IoT providers tunnelling on the LAN, how is that really different to the cloud? There's even more risk here since someone could just not hack and physically sit at the machine.

Quote
People should embrace multifactor authentication as it's here to stay

You'll change your mind when you have to do 2FA instead of swiping to access your phone :)
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7770
  • Country: de
  • A qualified hobbyist ;)
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #42 on: August 17, 2023, 10:10:32 pm »
Unfortunately, not everyone is grown up and is able to assess the risks. So someone tries to help (or force) those experts to follow best current practice. If a widely used library is affected you'll have a nice supply attack wreaking havoc.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #43 on: August 17, 2023, 10:23:30 pm »
Quote
It's there to protect you and your account.

Do you log into your PC? I don't mean do you have a password set up, but do you have to manually enter it every time you go to your PC? I recall that once upon a time at least one Linux distro enforced that, but even they succumbed to allowing auto logon.

Now we're in a highly connected world with IoT providers tunnelling on the LAN, how is that really different to the cloud? There's even more risk here since someone could just not hack and physically sit at the machine.

Quote
People should embrace multifactor authentication as it's here to stay

You'll change your mind when you have to do 2FA instead of swiping to access your phone :)

Yes, I login to my PC manually every time I sit down at the chair. It takes 2 seconds. Even when I'm switching between users, I enter the password each time.

As for TOTP codes, even on my phone Bitwarden automatically copies them to clipboard for me when I'm logging into a site/service that requires it. It's extremely simple to use and doesn't require swapping between applications.
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6848
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #44 on: August 17, 2023, 11:10:18 pm »
Quote
Bitwarden

Great that it works for you. It won't for me because it's online and doesn't support Windows 7. I have no desire to swap my open source existing solution for another more onerous open source solution, just as you no doubt wouldn't want to use some of the stuff that I would rave about.

[And TOTP is a paid option, and even self-hosting requires online license download. Fail to pay, no more bitwarden for you. No thanks - I want secure password store, not reliant on some paid cloud thing.]
« Last Edit: August 17, 2023, 11:22:38 pm by PlainName »
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #45 on: August 17, 2023, 11:19:41 pm »
Quote
Bitwarden
Great that it works for you. It won't for me because it's online and doesn't support Windows 7. I have no desire to swap my open source existing solution for another more onerous open source solution, just as you no doubt wouldn't want to use some of the stuff that I would rave about.

My point is, MFA doesn't have to be cumbersome. It's as cumbersome as you make it. I'm not suggesting everyone go out and use Bitwarden (which by the way can be used entirely offline), there are plenty of other solutions out there.
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6848
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #46 on: August 17, 2023, 11:23:58 pm »
Yes, there are other solutions. I am using one. But they are still a pain in the arse compared to not having to use them. It should be my choice, that's all.
 
The following users thanked this post: m12lrpv

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #47 on: August 17, 2023, 11:48:27 pm »
Quote
[And TOTP is a paid option

Nope, authenticator app is included in the free version

Quote
even self-hosting requires online license download. Fail to pay, no more bitwarden for you

Nope there is no license involved for vaultwarden. Nothing to pay if you self host vaultwarden

Quote
No thanks - I want secure password store, not reliant on some paid cloud thing.]

It is secure but you don't really care that much about security since you're still on Windows 7 yeah? Saying one solution is more onerous than another is entirely arbitrary particularly if you've clearly not even tried it.
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 6848
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #48 on: August 18, 2023, 09:26:06 am »
I can only go by what they try to sell me.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #49 on: August 18, 2023, 09:32:17 am »
Quote
I can only go by what they try to sell me.

Derp. OK, yes, you can't store TOTP in Bitwarden for free unless you self host. I was wrong.

The 2 step login is only for unlocking.
« Last Edit: August 18, 2023, 09:38:03 am by Shonky »
 

