Author Topic: How to bypass GitHub's new 'Enable two-factor authentication'.  (Read 7321 times)


Offline BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7747
  • Country: ca
I received an email warning me I will lose access to my GitHub account unless I enable 2FA.

Now I do not want to give them my private cell phone number to receive the SMS.

Also, I don't have anything to scan the QR code.

Do I just give up and abandon my repository?
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7771
  • Country: de
  • A qualified hobbyist ;)
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #1 on: August 16, 2023, 05:14:13 pm »
I've set up TOTP using a desktop TOTP tool without any problems (and QR code).

https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication:
Quote
If you can't scan the QR code, click enter this text code to see a code that you can manually enter in your TOTP app instead.
 
The following users thanked this post: Someone

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 3727
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #2 on: August 16, 2023, 05:21:10 pm »
I have used both TOTP and Yubikey tokens with github for years with no problem.  I did scan the QR code to set up TOTP but you don't have to.  The yubikey does cost $30, but you can use the same one for multiple services, and I use it whenever possible.
 

Offline tom66

  • Super Contributor
  • ***
  • Posts: 6711
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #3 on: August 16, 2023, 06:00:37 pm »
2FA doesn't require SMS with Github, they also support Authy, 1Password etc.
 

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6209
  • Country: ro
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #4 on: August 16, 2023, 07:22:38 pm »
Since the mandatory 2FA, I don't log in to GitHub any longer, either.

You can make a gitlab.com account, and import all your projects there.  In GitLab the 2FA is optional.
 
The following users thanked this post: Karel

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14490
  • Country: fr
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #5 on: August 16, 2023, 09:09:48 pm »
I have used both TOTP and Yubikey tokens with github for years with no problem.  I did scan the QR code to set up TOTP but you don't have to.  The yubikey does cost $30, but you can use the same one for multiple services, and I use it whenever possible.

Same thing here. I'm using a security key that is not from Yubikey (not the only brand out there!), but other than this exactly the same. Never gave away my phone number.

Staying away from github is a good idea in general if you can - I'm just using it when I have to (with some clients that require it) but otherwise I use other services.
That said, 2FA is going to become more or less the norm, so you better get used to it. TOTP and security keys work just fine. The only thing is - try not to lose your keys, and have several just in case.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #6 on: August 16, 2023, 09:20:34 pm »
TOTP as mentioned and save the recovery keys too. You don't need multiple keys.

Password managers like Bitwarden can save the TOTP secret as well as have notes for the recovery keys.

Not really sure what the big deal is here.

/thread.
 

Offline Veteran68

  • Frequent Contributor
  • **
  • Posts: 727
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #7 on: August 16, 2023, 09:22:16 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted. You don't have to use SMS (in fact SMS is probably the least secure way to 2FA) or QR codes. If like most of us you always have a smartphone with you, you can use one of the aforementioned authentication apps. I've used a few including Authy but have settled on Microsoft Authenticator running on my iPhone.

Speaking of QR and smartphones, any recent vintage phone should be able to scan a QR code through your phone's standard camera feature, or at worst a separate QR app. Or is your issue that you don't use a smartphone? In that case, a Yubikey or other external authentication device is probably the way to go.
 
The following users thanked this post: abeyer

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6209
  • Country: ro
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #8 on: August 16, 2023, 09:48:52 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.
 
The following users thanked this post: amyk, m12lrpv, KE5FX, Siwastaja, Karel

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6848
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #9 on: August 16, 2023, 09:58:24 pm »
[2FA] really shouldn't be feared or resisted.

The problem I have with it is it's just a colossal pain in the arse every time I want to briefly log in. Once browsers can auto-fill like they can with passwords then it'll be not so bad, but then that defeats the 2FA point.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #10 on: August 16, 2023, 10:39:17 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why? They're providing a service. They want it secure to protect your account and them.

You're making a mountain out of a molehill.

Bitwarden already essentially autofills. I'm sure other password managers do also. It's really a non issue except for those who want to complain about anything.
« Last Edit: August 16, 2023, 10:41:29 pm by Shonky »
 
The following users thanked this post: thm_w, ajb, newbrain, abeyer

Offline Veteran68

  • Frequent Contributor
  • **
  • Posts: 727
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #11 on: August 16, 2023, 10:54:26 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Well I'll strongly argue that it won't be optional with many providers much longer, and here's why. It isn't just a matter of your own inconvenience and data/financial loss should your account be compromised, it's a huge cost and liability to the service provider. Whether from loss of their own IP data, or customer data leading to loss of customer trust, or infrastructure costs to remediate the breach, or huge fines from laws like GDPR around PII and PCI data, businesses are being forced to take cybersecurity seriously and demonstrate steps to shore up their security, or suffer the consequences. It's now a huge business liability, and the bigger the business, the bigger the risk. GDPR alone can leverage a fine of up to 20M Euro or 4% of gross revenue, whichever is greater, for serious violations. Part of what auditors look for when determining liability is what steps are taken to reduce the security risk. MFA/2FA is one of the easiest ways to do this, that alone takes a lot of risk off the table.

It's only a matter of time. My company implemented it a couple of years ago for employee authentications. Due to my profession and online activity I have become so accustomed to MFA that I tend to be surprised when it's not offered, particularly by larger companies.

 
The following users thanked this post: newbrain

Offline KE5FX

  • Super Contributor
  • ***
  • Posts: 1894
  • Country: us
    • KE5FX.COM
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #12 on: August 16, 2023, 11:26:09 pm »
Yeah, everybody has the same threat model, right.  We all work for the NSA now.  So where's my SCIF and shoulder holster?  |O
 
The following users thanked this post: RJSV

Offline BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7747
  • Country: ca
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #13 on: August 16, 2023, 11:31:58 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why? They're providing a service. They want it secure to protect your account and them.

You're making a mountain out of a molehill.

Bitwarden already essentially autofills. I'm sure other password managers do also. It's really a non issue except for those who want to complain about anything.
My choices for 2FA aren't my choice.  For example, I couldn't provide a second email address.  I basically have to own a cell phone or some kind of device which could scan and understand a QR code.  Otherwise, why couldn't my web browser just look at the QR code and provide its own answer?  What if I only have a land line, no cell phone?
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #14 on: August 16, 2023, 11:37:52 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why? They're providing a service. They want it secure to protect your account and them.

You're making a mountain out of a molehill.

Bitwarden already essentially autofills. I'm sure other password managers do also. It's really a non issue except for those who want to complain about anything.
My choices for 2FA aren't my choice.  For example, I couldn't provide a second email address.  I basically have to own a cell phone or some kind of device which could scan and understand a QR code.  Otherwise, why couldn't my web browser just look at the QR code and provide its own answer?  What if I only have a land line, no cell phone?
Except what you're complaining about is not how it is at all. You don't need a cell phone, but I bet you have one so you're just arguing for the sake of it.

There's even a specific statement right below the QR code that says: "Unable to scan? You can use the setup key to manually configure your authenticator app".

Why aren't you complaining because your web browser can't "just look at the QR code and provide its own answer." Not how 2FA works really but that's beside the point.

You just want to complain because you don't like it and are happy to ignore what has actually been implemented.

 
The following users thanked this post: Someone, newbrain, Veteran68

Offline BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7747
  • Country: ca
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #15 on: August 17, 2023, 01:57:33 am »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why? They're providing a service. They want it secure to protect your account and them.

You're making a mountain out of a molehill.

Bitwarden already essentially autofills. I'm sure other password managers do also. It's really a non issue except for those who want to complain about anything.
My choices for 2FA aren't my choice.  For example, I couldn't provide a second email address.  I basically have to own a cell phone or some kind of device which could scan and understand a QR code.  Otherwise, why couldn't my web browser just look at the QR code and provide its own answer?  What if I only have a land line, no cell phone?
Except what you're complaining about is not how it is at all. You don't need a cell phone, but I bet you have one so you're just arguing for the sake of it.
I do have a private old no-app style cell phone for family emergencies, and it is not always with me.

Quote
There's even a specific statement right below the QR code that says: "Unable to scan? You can use the setup key to manually configure your authenticator app".
What's an authenticator app?
Is it something I install on my PC?
Is it something I add to my FireFox browser?

Quote
Why aren't you complaining because your web browser can't "just look at the QR code and provide its own answer." Not how 2FA works really but that's beside the point.

You just want to complain because you don't like it and are happy to ignore what has actually been implemented.
No, I'm just not complaining.  I just want a solution where I can make my PC log into GitHub as I do now.  I don't mind working with a Windows software install as long as it's nothing like a few 1's of megabytes or more to log in, but this is getting silly.

I will try looking for a Windows install of TOTP to see if I can make that work.  But if I need a special USB key or PC hardware, that probably won't work as my PC hardware is a decade old.
« Last Edit: August 17, 2023, 02:12:59 am by BrianHG »
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2008
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #16 on: August 17, 2023, 02:00:23 am »
I downloaded WinAuth specifically for use at Github.  It's a Windows desktop app.  I was told it could be used at Github without a phone, but haven't actually tried it yet.
 
The following users thanked this post: m12lrpv, BrianHG

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4532
  • Country: au
    • send complaints here
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #17 on: August 17, 2023, 02:25:19 am »
Except what you're complaining about is not how it is at all. You don't need a cell phone, but I bet you have one so you're just arguing for the sake of it.

There's even a specific statement right below the QR code that says: "Unable to scan? You can use the setup key to manually configure your authenticator app".
I can see both sides to this.
Github (as with most platforms deploying 2FA) make the assumption that 99.9% of end users will prefer to use their mobile phone and install an app for the 2FA. All their language and guides tell the user this is the way to do it. Nowhere that I have seen in the Github documentation is there any mention that "when we say app, there is also a range of desktop software that can do the job too".

So the confusion for someone (such as BrianHG) who can't/won't use a phone, and isn't familiar with 2FA, seems reasonable here.

Github are providing many choices to the user, but they don't want to be on the hook for supporting all the possible implementations. I like their approach and it just needs a little line sprinkled through the documentation something like "we're using standard protocols for our 2FA and there are a range of 3rd party solutions for providing the additional authentication"
 
The following users thanked this post: Kim Christensen

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #18 on: August 17, 2023, 02:54:18 am »
Quote
What's an authenticator app?
Is it something I install on my PC?
Is it something I add to my FireFox browser?
Did you kick up a similar fuss when git became the version control of choice? What's git? What's a rebase? What's a push?

You're being completely inflexible just because you don't like something IMO.

I really do not think it unreasonable for someone using a service like Github to have the ability to understand a 2 factor authentication method. You know how to use Google right? Windows TOTP or Windows 2FA gives numerous options

And frankly the SMS method you're railing against is the option for those that don't want to use an authenticator app or in your case has a complete lack of knowledge on the subject and an apparent unwillingness to even try and learn. And whilst it is absolutely better than nothing, it has its own risks.

There are four different 2FA methods in Github - auth app, SMS, security key or Github app. Based on your current stance you should stop using Github and find another free service.
 
The following users thanked this post: tom66

Offline BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7747
  • Country: ca
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #19 on: August 17, 2023, 02:59:11 am »
Quote
What's an authenticator app?
Is it something I install on my PC?
Is it something I add to my FireFox browser?
What's a rebase? What's a push?

Actually I still do not know what is a rebase or what a push does.  When I google for an answer, I get meaningless drab.

All I have done was create some HDL code to share and post it on a GitHub repository.  I just wanted to share some original code.
 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 3727
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #20 on: August 17, 2023, 04:01:54 am »
What's an authenticator app?
Is it something I install on my PC?
Is it something I add to my FireFox browser?

TOTP https://en.m.wikipedia.org/wiki/Time-based_one-time_password

It's a standard protocol for generating time limited single use passwords.  If you scroll down to the bottom of the Wikipedia page there is a link to a client comparison page that will tell you what options support what platforms.  There are many available for Windows, Linux, macOS, Android, and iPhone.  You can set them up using a QR code or by manually entering a code provided by the server.

After that, when you authenticate it will ask you for a code.  You open the app and type in the number shown.  Someone who snoops the code can't get the next code.

Quote
I will try looking for a Windows install of TOTP to see if I can make that work.  But if I need a special USB key or PC hardware, that probably won't work as my PC hardware is a decade old.

You only need one or the other although GitHub lets you set up multiple authentication options if you want.  The USB security key is just a simple USB device with a touch sensor. Any computer with a USB port will work fine, so pretty much anything from this millennium.  You also need a browser that is not ancient but I think Firefox has supported U2F tokens for ~5 years now.  The advantage of U2F is that the authentication can't be phished, it authenticates your browser directly to the server so it protects against man in the middle / fake login pages.  It's the most secure option but requires special hardware.  It's not terribly expensive but it isn't free.
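
Added example (not part of any post in this thread, and not GitHub's or any authenticator's own code): a small Python sketch of what a desktop TOTP tool does with the manually entered setup key, following RFC 6238 with its common defaults (HMAC-SHA1, 6 digits, 30-second steps), plus the server-side check. The function names and the `otpauth://` URI are constructed for illustration; the secret is the published RFC 6238 test key, and that a given service uses these defaults is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def decode_setup_key(key: str) -> bytes:
    """Decode the base32 setup key offered as the alternative to the QR code."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # sites usually strip the padding
    return base64.b32decode(cleaned)


def parse_otpauth_uri(uri: str) -> dict:
    """Parse the otpauth:// URI that an enrollment QR code encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": decode_setup_key(query["secret"][0]),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret: bytes, at: float, digits: int = 6, period: int = 30) -> str:
    """Code for the time step containing Unix time `at` (RFC 6238 / RFC 4226)."""
    counter = int(at) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: float,
           window: int = 1, period: int = 30) -> bool:
    """Server side: accept the current step and its neighbours (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret, at + step * period, period=period),
                            submitted)
        for step in range(-window, window + 1)
    )


# Constructed enrollment URI; the secret is the RFC 6238 test key, never a real one.
SAMPLE_URI = ("otpauth://totp/Example:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    enrolled = parse_otpauth_uri(SAMPLE_URI)
    now = time.time()
    code = totp(enrolled["secret"], now, enrolled["digits"], enrolled["period"])
    print(enrolled["label"], code, verify(enrolled["secret"], code, now))
```

The code depends only on the shared secret and the clock, so a captured code stops verifying once its time step falls outside the server's window, while anyone holding the setup key can generate every future code; the key deserves the same protection as a password.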
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #21 on: August 17, 2023, 04:34:02 am »
Github are providing many choices to the user, but they don't want to be on the hook for supporting all the possible implementations. I like their approach and it just needs a little line sprinkled through the documentation something like "we're using standard protocols for our 2FA and there are a range of 3rd party solutions for providing the additional authentication"
Just on this, in the "Passwords and authentication" tab it says:

Quote
Two-factor authentication
Two-factor authentication adds an additional layer of security to your account by requiring more than just a password to sign in. Learn more about two-factor authentication.

And "Learn more about two-factor authentication." links to https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication with plenty of details for options to use. There is a heap of info there with options.

https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication
 

Offline KE5FX

  • Super Contributor
  • ***
  • Posts: 1894
  • Country: us
    • KE5FX.COM
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #22 on: August 17, 2023, 04:47:11 am »
All I have done was create some HDL code to share and post it on a GitHub repository.  I just wanted to share some original code.

Do what I still do, just upload it to a static page somewhere.  We don't need no steeeeenkin' SSL or no steeeeeenkin' 2FA.

 

Offline ixfd64

  • Frequent Contributor
  • **
  • Posts: 345
  • Country: us
    • Facebook
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #23 on: August 17, 2023, 05:11:57 am »
Hmm... my GitHub account is not linked to a phone number, and I haven't received such an email. I wonder if this is something that's being gradually rolled out to users.

Offline BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7747
  • Country: ca
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #24 on: August 17, 2023, 05:22:12 am »
The USB security key is just a simple USB device with a touch sensor.   It's the most secure option but requires special hardware.  It's not terribly expensive but it isn't free.
Are you saying I need to buy some hardware to access GitHub?
I'm beginning to like 'KE5FX's idea except I know I will never get any traffic with some blind web page out there.
 

