Author Topic: How to bypass GitHub's new 'Enable two-factor authentication'.  (Read 7301 times)


Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #50 on: August 18, 2023, 09:40:32 am »
What in 'TOTP' doesn't mean 'TOTP'?

Well, whatever. I tried to work it out, even went into the manual which is where I found that a local server install (yuk, no thanks - standalone app is read only, so if your server goes...) still requires a license download. You will probably say it doesn't say that or says it in a different way to what it says.  :-//
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #51 on: August 18, 2023, 09:50:28 am »
You don't run their server. Don't know about the read only bit. You run vaultwarden which is bitwarden compatible and unlocks most of the premium features. You can back up the server no problem (files are all encrypted on disk). You also have encrypted copies on all of your devices that you sync with.

Anyway you're set with whatever you're using so good luck with that.
« Last Edit: August 18, 2023, 09:52:18 am by Shonky »
 

Offline bingo600

  • Super Contributor
  • ***
  • Posts: 1989
  • Country: dk
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #52 on: August 18, 2023, 10:06:33 am »
Would this one do?
https://freeotp.github.io/

/Bingo
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #53 on: August 18, 2023, 10:27:00 am »
That should work fine. The actual concept is pretty simple. Take a key and store it securely and then mathematically generate a number based on that key and the current time.

So the main things you want to consider IMO:
- how securely the keys are stored on your phone/device - is it encrypted or protected itself?
- keeping backups somehow - some services may be hard to access if you lose your key(s). The services often have recovery codes or other methods for account recovery for this situation. You need to store them somewhere, again preferably securely.
 

Offline m12lrpv

  • Regular Contributor
  • *
  • Posts: 175
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #54 on: November 01, 2023, 12:00:18 am »
And here I am because I just got the github email and was hoping for a bypass. It was an interesting thread read especially from the zealots of 2fa who constantly ignore the fact that in almost every implemented instance 2fa reduces security below that of a password because all that is needed to take an account now is some social engineering to facilitate an esim swap in order to reset a password.

The zealots need to be forced to pay for phones for people to use for 2fa apps. That would end 2fa real quick. It certainly shuts them up at work when they want me to use my phone and I tell them they need to supply the phone because they're not allowed to use mine.

The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications.

Thanks Github. Now my account is less secure because I have something I need to write down or save on a file system rather than a password that only existed in my head and no one else knew.

 
The following users thanked this post: KE5FX

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4532
  • Country: au
    • send complaints here
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #55 on: November 01, 2023, 12:51:06 am »
It was an interesting thread read especially from the zealots of 2fa who constantly ignore the fact that in almost every implemented instance 2fa reduces security below that of a password
Better read it again, because Github are the good guys here and NOT forcing that (supporting multiple alternatives).

So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #56 on: November 01, 2023, 01:25:01 am »
The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications
No. That's not how it works at all. You can quite easily have the 2FA secret on multiple devices and it will produce the same number.

Thanks Github. Now my account is less secure because I have a something I need to write down or save on a file system rather than a password that only existed in my head an no one else knew.
Congratulations on not understanding how 2FA works. Hint: it's the "2".
 
The following users thanked this post: abeyer

Offline m12lrpv

  • Regular Contributor
  • *
  • Posts: 175
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #57 on: November 01, 2023, 02:03:47 am »
The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications
No. That's not how it works at all. You can quite easily have the 2FA secret on multiple devices and it will produce the same number.
Incorrect. Github only allows one of each type. Don't preach about things you don't understand.
Thanks Github. Now my account is less secure because I have a something I need to write down or save on a file system rather than a password that only existed in my head an no one else knew.
Congratulations on not understanding how 2FA works. Hint: it's the "2".
Every 2fa is basically 1fa. You're just one password reset request away from full access once that 2fa key is exposed. Congratulations on not understanding the reality of 2fa.
 

Offline m12lrpv

  • Regular Contributor
  • *
  • Posts: 175
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #58 on: November 01, 2023, 02:33:34 am »
It was an interesting thread read especially from the zealots of 2fa who constantly ignore the fact that in almost every implemented instance 2fa reduces security below that of a password
Better read it again, because Github are the good guys here and NOT forcing that (supporting multiple alternatives).
The percentage of people using the actually secure instances (like yubikeys) is so small as to make my statement correct. If github start supplying free yubikeys then I will consider that they're making things more secure. SMS and apps are less secure than a password known only to one person and never written anywhere.

So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.
That is not true. How do I go to a random computer and log into github? I either have to have an authentication app on my phone or its number registered for sms, a physical key I'm carrying with me, the ability to install something like winauth plus the secret written down so I can use it, or some online service with saved settings that can get hacked or can get switched off tomorrow.

Github 2fa options are one each of Authenticator app, sms, security key, github mobile. You cannot have 3 different authenticator apps registered with github for different devices of the same type. Like say my work computer and 2 of my home computers. It's disingenuous to claim github support multiple devices.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4532
  • Country: au
    • send complaints here
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #59 on: November 01, 2023, 03:17:33 am »
The ability to install something like winauth plus the secret written down so I can use it or some online service with saved settings that can get hacked or can get switched off tomorrow.
So you want a solution for two factor without adding anything? Have fun with that.

All the synthetic constraints you choose to add (not installing any software on any device, or having a hardware token) are the problem here, not Github.

So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.
That is not true. How do I go to a random computer and log into github?
By bringing your choice of second factor along, it can be as (in)secure as you like. One solution is you just remember the secret TOTP setup key, just as you would for a password, or write it down. There are RFC 6238 implementations that do not require install (and some even run in a browser if you really want to avoid "apps") and you can bring the key to them as/when you want.

SMS, and apps are less secure than a password known only to one person and never written anywhere
Two factor: the second factor only adds to the security of the password, it does not subtract from it. You still provide a password. Just to double check I signed out of Github and when signing back in on the same computer/browser/session it asked for a username and both the password and 2fa.

Your cries of doom (without explaining the arbitrary constraints that led you to them) are the sort of misinformation around 2fa which needs to be stomped out. Github are one of the best examples out there and providing excellent options for people to get on board with 2fa.
 
The following users thanked this post: tom66, abeyer, Veteran68

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #60 on: November 01, 2023, 03:51:17 am »
The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications
No. That's not how it works at all. You can quite easily have the 2FA secret on multiple devices and it will produce the same number.
Incorrect. Github Only allows one of each type. Don't preach about things you don't understand.
Thanks Github. Now my account is less secure because I have a something I need to write down or save on a file system rather than a password that only existed in my head an no one else knew.
Congratulations on not understanding how 2FA works. Hint: it's the "2".
Every 2fa is basically 1fa. You're just one password reset request away from full access once that 2fa key is exposed. Congratulations on not understanding the reality of 2fa.
Absolutely you can have the TOTP running on more than one device. Try and understand how TOTP works.

Nope. That's not how the Github password reset works. You need access to email to reset the password which is a third factor. Get it?
 

Offline julian1

  • Frequent Contributor
  • **
  • Posts: 735
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #61 on: December 06, 2023, 07:49:05 pm »
Does Gitlab try to monetize (or carve out a future right to) their customers' content with AI engines, like co-pilot?
 

Offline Noloader

  • Newbie
  • Posts: 2
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #62 on: December 09, 2023, 12:16:52 am »
I received an email warning me I will lose access to my GitHub account unless I enable 2FA....

Now I do not want to give them my private cell phone number to receive the SMS...

I use KDE's KeySmith, <https://apps.kde.org/keysmith/>. It works just fine for M$ 2FA. In fact, I have KeySmith running on two laptops and a desktop. There's no need to run it from a cell phone.

I did not have to install M$ warez, like a closed source app. I did not provide M$ with any personal information, like my cell phone number.
« Last Edit: December 09, 2023, 12:20:03 am by Noloader »
 
The following users thanked this post: SiliconWizard

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2218
  • Country: 00
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #63 on: December 15, 2023, 02:31:14 pm »
Keysmith works ok, I just installed it in order to be able to continue to access pypi.org:

https://blog.pypi.org/posts/2023-12-13-2fa-enforcement/

Regarding github, I didn't register a phone number but they sent me verification codes to the email address I used for registering in order to access.
But I moved to Gitlab anyway years ago already when microsoft put her claws on it. I only login on github if I want to report an issue in somebody else's repo.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14484
  • Country: fr
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #64 on: December 15, 2023, 09:47:00 pm »
But I moved to Gitlab anyway years ago already when microsoft put her claws on it. I only login on github if I want to report an issue in somebody else's repo.

Yes. Gitlab has a more "aggressive" approach to sales though, as far as I've seen. The free accounts are much more limited than github's ones (which have very few limitations in comparison). That's ok for personal projects usually, but from the limits I've seen, for anything more serious with many contributors, you'd need a paid plan. Not that it's overly expensive, but something to consider. Of course, we know where MS gets its money from, nothing is free.

But as a user (I have no account at Gitlab), you may have some details about that to add.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #65 on: December 15, 2023, 10:20:47 pm »
Is there anything in the ToS against putting up your TOTP "secret" in a public repo on GitHub itself?

This gives you access to your "second factor" everywhere you have access to GH, so problem solved and back to square one, right? ;D
 
The following users thanked this post: Karel

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #66 on: December 15, 2023, 10:29:42 pm »
I only login on github if I want to report an issue in somebody else's repo.
Usually you can do it by email.
If no address is published on their website, look at the git (which you probably already have downloaded anyway at this point).
 

