Author Topic: How to bypass GitHub's new 'Enable two-factor authentication'.  (Read 7305 times)


Online BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7744
  • Country: ca
I received an email warning me I will lose access to my GitHub account unless I enable 2FA.

Now I do not want to give them my private cell phone number to receive the SMS.

Also, I don't have anything to scan the QR code.

Do I just give up and abandon my repository?
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7769
  • Country: de
  • A qualified hobbyist ;)
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #1 on: August 16, 2023, 05:14:13 pm »
I've set up TOTP using a desktop TOTP tool without any problems (and QR code).

https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication:
Quote
If you can't scan the QR code, click enter this text code to see a code that you can manually enter in your TOTP app instead.
 
The following users thanked this post: Someone

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 3721
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #2 on: August 16, 2023, 05:21:10 pm »
I have used both TOTP and Yubikey tokens with github for years with no problem.  I did scan the QR code to set up TOTP but you don't have to.  The yubikey does cost $30, but you can use the same one for multiple services, and I use it whenever possible.
 

Offline tom66

  • Super Contributor
  • ***
  • Posts: 6709
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #3 on: August 16, 2023, 06:00:37 pm »
2FA doesn't require SMS with Github, they also support Authy, 1Password etc.
 

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #4 on: August 16, 2023, 07:22:38 pm »
Since the mandatory 2FA, I don't login any longer in github, too.

You can make a gitlab.com account, and import all your projects there.  In gitlab the 2FA is optional.
 
The following users thanked this post: Karel

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14487
  • Country: fr
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #5 on: August 16, 2023, 09:09:48 pm »
Quote
I have used both TOTP and Yubikey tokens with github for years with no problem.  I did scan the QR code to set up TOTP but you don't have to.  The yubikey does cost $30, but you can use the same one for multiple services, and I use it whenever possible.

Same thing here. I'm using a security key that is not from Yubikey (not the only brand out there!), but other than this exactly the same. Never gave away my phone number.

Staying away from github is a good idea in general if you can - I'm just using it when I have to (with some clients that require it) but otherwise I use other services.
That said, 2FA is going to become more or less the norm, so you better get used to it. TOTP and security keys work just fine. The only thing is - try not to lose your keys, and have several just in case.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #6 on: August 16, 2023, 09:20:34 pm »
TOTP as mentioned and save the recovery keys too. You don't need multiple keys.

Password managers like Bitwarden can save the TOTP secret as well as have notes for the recovery keys.

Not really sure what the big deal is here.

/thread.
 

Offline Veteran68

  • Frequent Contributor
  • **
  • Posts: 727
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #7 on: August 16, 2023, 09:22:16 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted. You don't have to use SMS (in fact SMS is probably the least secure way to 2FA) or QR codes. If like most of us you always have a smartphone with you, you can use one of the aforementioned authentication apps. I've used a few including Authy but have settled on Microsoft Authenticator running on my iPhone.

Speaking of QR and smartphones, any recent vintage phone should be able to scan a QR code through your phone's standard camera feature, or at worst a separate QR app. Or is your issue that you don't use a smartphone? In that case, a Yubikey or other external authentication device is probably the way to go.
 
The following users thanked this post: abeyer

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #8 on: August 16, 2023, 09:48:52 pm »
Quote
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.
 
The following users thanked this post: amyk, m12lrpv, KE5FX, Siwastaja, Karel

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #9 on: August 16, 2023, 09:58:24 pm »
Quote
[2FA] really shouldn't be feared or resisted.

The problem I have with it is it's just a colossal pain in the arse every time I want to briefly log in. Once browsers can auto-fill like they can with passwords then it'll be not so bad, but then that defeats the 2FA point.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #10 on: August 16, 2023, 10:39:17 pm »
Quote
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why? They're providing a service. They want it secure to protect your account and them.

You're making a mountain out of a molehill.

Bitwarden already essentially autofills. I'm sure other password managers do also. It's really a non issue except for those who want to complain about anything.
« Last Edit: August 16, 2023, 10:41:29 pm by Shonky »
 
The following users thanked this post: thm_w, ajb, newbrain, abeyer

Offline Veteran68

  • Frequent Contributor
  • **
  • Posts: 727
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #11 on: August 16, 2023, 10:54:26 pm »
Quote
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Well I'll strongly argue that it won't be optional with many providers much longer, and here's why. It isn't just a matter of your own inconvenience and data/financial loss should your account be compromised, it's a huge cost and liability to the service provider. Whether from loss of their own IP data, or customer data leading to loss of customer trust, or infrastructure costs to remediate the breach, or huge fines from laws like GDPR around PII and PCI data, businesses are being forced to take cybersecurity seriously and demonstrate steps to shore up their security, or suffer the consequences. It's now a huge business liability, and the bigger the business, the bigger the risk. GDPR alone can leverage a fine of up to 20M Euro or 4% of gross revenue, whichever is greater, for serious violations. Part of what auditors look for when determining liability is what steps are taken to reduce the security risk. MFA/2FA is one of the easiest ways to do this, that alone takes a lot of risk off the table.

It's only a matter of time. My company implemented it a couple of years ago for employee authentications. Due to my profession and online activity I have become so accustomed to MFA that I tend to be surprised when it's not offered, particularly by larger companies.

 
The following users thanked this post: newbrain

Offline KE5FX

  • Super Contributor
  • ***
  • Posts: 1894
  • Country: us
    • KE5FX.COM
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #12 on: August 16, 2023, 11:26:09 pm »
Yeah, everybody has the same threat model, right.  We all work for the NSA now.  So where's my SCIF and shoulder holster?  |O
 
The following users thanked this post: RJSV

Online BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7744
  • Country: ca
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #13 on: August 16, 2023, 11:31:58 pm »
Quote
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why? They're providing a service. They want it secure to protect your account and them.

You're making a mountain out of a molehill.

Bitwarden already essentially autofills. I'm sure other password managers do also. It's really a non issue except for those who want to complain about anything.
My choices for 2FA aren't my choice.  For example, I couldn't provide a second email address.  I basically have to own a cell phone or some kind of device which could scan and understand a QR code.  Otherwise, why couldn't my web browser just look at the QR code and provide its own answer.  What if I only have a land line, no cell phone.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #14 on: August 16, 2023, 11:37:52 pm »
Quote
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why? They're providing a service. They want it secure to protect your account and them.

You're making a mountain out of a molehill.

Bitwarden already essentially autofills. I'm sure other password managers do also. It's really a non issue except for those who want to complain about anything.
My choices for 2FA aren't my choice.  For example, I couldn't provide a second email address.  I basically have to own a cell phone or some kind of device which could scan and understand a QR code.  Otherwise, why couldn't my web browser just look at the QR code and provide its own answer.  What if I only have a land line, no cell phone.
Except what you're complaining about is not how it is at all. You don't need a cell phone, but I bet you have one so you're just arguing for the sake of it.

There's even a specific statement right below the QR code that says: "Unable to scan? You can use the setup key to manually configure your authenticator app".

Why aren't you complaining because your web browser can't "just look at the QR code and provide its own answer." Not how 2FA works really but that's beside the point

You just want to complain because you don't like it and are happy to ignore what has actually been implemented.

 
The following users thanked this post: Someone, newbrain, Veteran68

Online BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7744
  • Country: ca
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #15 on: August 17, 2023, 01:57:33 am »
Quote
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why? They're providing a service. They want it secure to protect your account and them.

You're making a mountain out of a molehill.

Bitwarden already essentially autofills. I'm sure other password managers do also. It's really a non issue except for those who want to complain about anything.
My choices for 2FA aren't my choice.  For example, I couldn't provide a second email address.  I basically have to own a cell phone or some kind of device which could scan and understand a QR code.  Otherwise, why couldn't my web browser just look at the QR code and provide its own answer.  What if I only have a land line, no cell phone.
Except what you're complaining about is not how it is at all. You don't need a cell phone, but I bet you have one so you're just arguing for the sake of it.
I do have a private old no-app style cell phone for family emergencies, and it is not always with me.

Quote
There's even a specific statement right below the QR code that says: "Unable to scan? You can use the setup key to manually configure your authenticator app".
What's an authenticator app?
Is it something I install on my PC?
Is it something I add to my FireFox browser?

Quote
Why aren't you complaining because your web browser can't "just look at the QR code and provide its own answer." Not how 2FA works really but that's beside the point

You just want to complain because you don't like it and are happy to ignore what has actually been implemented.
No, I'm just not complaining.  I just want a solution where I can make my PC log into GitHub as I do now.  I don't mind working with a Windows software install as long as it's nothing like a few 1's of megabytes or more to log in, but this is getting silly.

I will try looking for a Windows install of TOTP to see if I can make that work.  But if I need a special USB key or PC hardware, that probably won't work as my PC hardware is a decade old.
« Last Edit: August 17, 2023, 02:12:59 am by BrianHG »
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2008
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #16 on: August 17, 2023, 02:00:23 am »
I downloaded WinAuth specifically for use at Github.  It's a Windows desktop app.  I was told it could be used at Github without a phone, but haven't actually tried it yet.
 
The following users thanked this post: m12lrpv, BrianHG

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4532
  • Country: au
    • send complaints here
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #17 on: August 17, 2023, 02:25:19 am »
Quote
Except what you're complaining about is not how it is at all. You don't need a cell phone, but I bet you have one so you're just arguing for the sake of it.

There's even a specific statement right below the QR code that says: "Unable to scan? You can use the setup key to manually configure your authenticator app".
I can see both sides to this.
Github (as with most platforms deploying 2FA) make the assumption that 99.9% of end users will prefer to use their mobile phone and install an app for the 2FA. All their language and guides tell the user this is the way to do it. Nowhere that I have seen in the Github documentation is there any mention that "when we say app, there is also a range of desktop software that can do the job too".

So the confusion for someone (such as BrianHG) who can't/won't use a phone, and isn't familiar with 2FA, seems reasonable here.

Github are providing many choices to the user, but they don't want to be on the hook for supporting all the possible implementations. I like their approach and it just needs a little line sprinkled through the documentation something like "we're using standard protocols for our 2FA and there are a range of 3rd party solutions for providing the additional authentication"
 
The following users thanked this post: Kim Christensen

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #18 on: August 17, 2023, 02:54:18 am »
Quote
What's an authenticator app?
Is it something I install on my PC?
Is it something I add to my FireFox browser?
Did you kick up a similar fuss when git became the version control of choice? What's git? What's a rebase? What's a push?

You're being completely inflexible just because you don't like something IMO.

I really do not think it unreasonable for someone using a service like Github to have the ability to understand a 2 factor authentication method. You know how to use Google right? Windows TOTP or Windows 2FA gives numerous options

And frankly the SMS method you're railing against is the option for those that don't want to use an authenticator app or in your case has a complete lack of knowledge on the subject and an apparent unwillingness to even try and learn. And whilst it is absolutely better than nothing, it has its own risks.

There are four different 2FA methods in Github - auth app, SMS, security key or Github app. Based on your current stance you should stop using Github and find another free service.
 
The following users thanked this post: tom66

Online BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7744
  • Country: ca
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #19 on: August 17, 2023, 02:59:11 am »
Quote
What's an authenticator app?
Is it something I install on my PC?
Is it something I add to my FireFox browser?
What's a rebase? What's a push?

Actually I still do not know what a rebase is or what a push does.  When I google for an answer, I get meaningless drab.

All I have done was create some HDL code to share and post it on a GitHub repository.  I just wanted to share some original code.
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 3721
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #20 on: August 17, 2023, 04:01:54 am »
Quote
What's an authenticator app?
Is it something I install on my PC?
Is it something I add to my FireFox browser?

TOTP https://en.m.wikipedia.org/wiki/Time-based_one-time_password

It's a standard protocol for generating time limited single use passwords.  If you scroll down to the bottom of the Wikipedia page there is a link to a client comparison page that will tell you what options support what platforms.  There are many available for windows, Linux, MacOS, android, and iPhone.  You can set them up using a QR code or by manually entering a code provided by the server.

After that, when you authenticate it will ask you for a code.  You open the app and type in the number shown.  Someone who snoops the code can't get the next code.

Quote
I will try looking for a windows install of TOTP to see if I can make that work.  But if I need special usb key or PC hardware, that probably wont work as my PC hardware is a decade old.

You only need one or the other although GitHub lets you set up multiple authentication options if you want.  The USB security key is just a simple USB device with a touch sensor. Any computer with a USB port will work fine, so pretty much anything from this millennium.  You also need a browser that is not ancient but I think Firefox has supported U2F tokens for ~5 years now.  The advantage of U2F is that the authentication can't be phished, it authenticates your browser directly to the server so it protects against man in the middle / fake login pages.  It's the most secure option but requires special hardware.  It's not terribly expensive but it isn't free.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #21 on: August 17, 2023, 04:34:02 am »
Quote
Github are providing many choices to the user, but they don't want to be on the hook for supporting all the possible implementations. I like their approach and it just needs a little line sprinkled through the documentation something like "we're using standard protocols for our 2FA and there are a range of 3rd party solutions for providing the additional authentication"
Just on this, in the "Passwords and authentication" tab it says:

Quote
Two-factor authentication
Two-factor authentication adds an additional layer of security to your account by requiring more than just a password to sign in. Learn more about two-factor authentication.

And "Learn more about two-factor authentication." links to https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication with plenty of details for options to use. There is a heap of info there with options.

https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication
 

Offline KE5FX

  • Super Contributor
  • ***
  • Posts: 1894
  • Country: us
    • KE5FX.COM
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #22 on: August 17, 2023, 04:47:11 am »
Quote
All I have done was create some HDL code to share and post it on a GitHub repository.  I just wanted to share some original code.

Do what I still do, just upload it to a static page somewhere.  We don't need no steeeeenkin' SSL or no steeeeeenkin' 2FA.

 

Offline ixfd64

  • Frequent Contributor
  • **
  • Posts: 345
  • Country: us
    • Facebook
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #23 on: August 17, 2023, 05:11:57 am »
Hmm... my GitHub account is not linked to a phone number, and I haven't received such an email. I wonder if this is something that's being gradually rolled out to users.

Online BrianHGTopic starter

  • Super Contributor
  • ***
  • Posts: 7744
  • Country: ca
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #24 on: August 17, 2023, 05:22:12 am »
Quote
The USB security key is just a simple USB device with a touch sensor.   It's the most secure option but requires special hardware.  It's not terribly expensive but it isn't free.
Are you saying I need to buy some hardware to access GitHub?
I'm beginning to like KE5FX's idea except I know I will never get any traffic with some blind web page out there.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #25 on: August 17, 2023, 05:34:50 am »
Quote
Are you saying I need to buy some hardware to access GitHub?
I'm beginning to like KE5FX's idea except I know I will never get any traffic with some blind web page out there.
No. You could use SMS or an authenticator app (mobile or Windows based) or the Github mobile app. You're well aware of this. Again you're just ignoring reality because you don't like it.

You want "traffic"? For what? You're happy to use the free service provided but not happy to use it as is?

If you create your own web page/server/whatever you can do what you want with it. That seems like your best option at this point.
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 3721
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #26 on: August 17, 2023, 06:05:48 am »

Quote
Are you saying I need to buy some hardware to access GitHub?

No you need a software or hardware second factor not both. 

It's really not that hard, it's clearly documented.  It's true the most common path involves using smartphone apps and if that's not an option for you, you will have to look a bit closer.  Go read the Wikipedia article on TOTP or the GitHub documentation that is linked above.  All the answers are there and it shouldn't take you more than 10 minutes to set up and is available for essentially every platform in existence.
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 4078
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
 

Offline EPAIII

  • Super Contributor
  • ***
  • Posts: 1067
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #28 on: August 17, 2023, 07:32:06 am »
I looked up GitHub. QUOTE,

"GitHub, Inc. is a platform and cloud-based service for software development and version control using Git, allowing developers to store and manage their code."

So if you want to be a developer, you need to put your code, YOUR CREATION on a cloud based service where others can hack into it and steal it?

Welcome to the new world order!

Why can't a developer just store the code on their own computer until it is time to sell it? And then sell it any way they want? Oh, wait! Oh, wait, that would mean that others won't control it and profit from your work. Yep, I think I have it now.

Gotta run and answer that angry knocking at my door - in the middle of the night. I probably won't be back. Bye!
« Last Edit: August 17, 2023, 07:34:40 am by EPAIII »
Paul A.  -   SE Texas
And if you look REAL close at an analog signal,
You will find that it has discrete steps.
 

Online RoGeorge

  • Super Contributor
  • ***
  • Posts: 6203
  • Country: ro
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #29 on: August 17, 2023, 07:43:06 am »
Quote
The USB security key is just a simple USB device with a touch sensor.   It's the most secure option but requires special hardware.  It's not terribly expensive but it isn't free.
Are you saying I need to buy some hardware to access GitHub?
I'm beginning to like KE5FX's idea except I know I will never get any traffic with some blind web page out there.

Could self host your files, of course, but if you want some public repository hosting website (without mandatory 2FA), there is GitLab (not GitHub).  GitLab does about the same things as GitHub, it's free for individual users https://about.gitlab.com/pricing/ , and doesn't require 2FA.

Even more, once you log into your GitLab account, you can import your project(s) from GitHub into GitLab with a few clicks from the GitLab webpage.  Many users imported their repositories from GitHub to GitLab, and never looked back.  Some also deleted their code from GitHub, others left an unmaintained copy on GitHub, too.

You can try importing your projects into GitLab anyway, whether you get 2FA for GitHub or not, and see if you like it:
https://gitlab.com
« Last Edit: August 17, 2023, 07:53:52 am by RoGeorge »
 
The following users thanked this post: Karel

Offline HwAoRrDk

  • Super Contributor
  • ***
  • Posts: 1480
  • Country: gb
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #30 on: August 17, 2023, 08:13:26 am »
Quote
Hmm... my GitHub account is not linked to a phone number, and I haven't received such an email. I wonder if this is something that's being gradually rolled out to users.

Yes, GitHub are doing a staged roll-out of 2FA to all users throughout 2023.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7769
  • Country: de
  • A qualified hobbyist ;)
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #31 on: August 17, 2023, 08:37:56 am »
TOTP suggestions for linux users:
- otpclient (small and nifty TOTP tool)
- keepassxc (PW manager, TOTP hidden in the right-click-menu for entries)
 
The following users thanked this post: bingo600

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #32 on: August 17, 2023, 08:42:11 am »
Quote
You're being completely inflexible just because you don't like something IMO.

Why does one have to like everything? I bet there is stuff you don't like and are happy to whine about given half a chance, and what is wrong with that? If you don't like something it's not a crime to say so, or feel that way.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #33 on: August 17, 2023, 09:07:36 am »
Quote
You're being completely inflexible just because you don't like something IMO.

Why does one have to like everything? I bet there is stuff you don't like and are happy to whine about given half a chance, and what is wrong with that? If you don't like something it's not a crime to say so, or feel that way.
Sure but don't just ignore the other options hence my comment about being inflexible. At first it was "I won't use SMS", then it was "I don't know what TOTP is but haven't tried to look", then it was "I have to pay for a hardware key to use Github?" (obviously paraphrased)

As has been offered if he doesn't like what Github want he's perfectly free to take his business elsewhere.
« Last Edit: August 17, 2023, 09:13:34 am by Shonky »
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: fi
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #34 on: August 17, 2023, 11:30:03 am »
Quote
TOTP suggestions for linux users:
- otpclient (small and nifty TOTP tool)
- keepassxc (PW manager, TOTP hidden in the right-click-menu for entries)
I'd suggest also oathtool for command-line usage.
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 967
  • Country: fi
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #35 on: August 17, 2023, 11:35:01 am »
Quote
Password managers like Bitwarden can save the TOTP secret as well as have notes for the recovery keys.
Although, one should consider that this way is keeping all secrets in one basket: if the key to open the password manager is not strong enough or not kept safely enough, one would lose at the same time all the passwords AND all the TOTPs. So much for two factors.
 
The following users thanked this post: KE5FX

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #36 on: August 17, 2023, 11:44:54 am »
Quote
Password managers like Bitwarden can save the TOTP secret as well as have notes for the recovery keys.
Although, one should consider that this way is keeping all secrets in one basket: if the key to open the password manager is not strong enough or not kept safely enough, one would lose at the same time all the passwords AND all the TOTPs. So much for two factors.
Absolutely true, it does somewhat make it no longer 2 factor.

You can add 2 factor authentication on unlocking the password store if you wish via email, TOTP and a couple of other methods.
 

Offline bingo600

  • Super Contributor
  • ***
  • Posts: 1989
  • Country: dk
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #37 on: August 17, 2023, 04:50:33 pm »
Quote
TOTP suggestions for linux users:
- otpclient (small and nifty TOTP tool)
- keepassxc (PW manager, TOTP hidden in the right-click-menu for entries)

THANX !!  :-+

I just set github OTP w. keepassxc (linux mint)
I didn't even have to use the QR Code , just click on the "Skip" URL , and it'll show you the github TOTP Seed.

"Right click" on your keepassxc github entry, select TOTP , select Setup.
Paste the TOTP seed , let rest be default ... Done

github login
login as usual , user + pass
right click github entry in keepassxc , select TOTP , select Copy TOTP   (Or just highlight the github entry and press CTRL+T)
Paste it in github 2FA "Box"

Edit: You'll find the TOTP (2FA) stuff @github , under "profile -->password"

/Bingo
« Last Edit: August 17, 2023, 05:30:07 pm by bingo600 »
 
The following users thanked this post: BrianHG

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #38 on: August 17, 2023, 09:42:41 pm »
Quote
right click github entry in keepassxc , select TOTP , select Copy TOTP   (Or just highlight the github entry and press CTRL+T)
Paste it in github 2FA "Box"

That's my problem with this stuff - it's a road bump (and not a small one). For most places I just go there and I'm in. If I had to manually log into everything every time I'd go mad with the amount of stuff that would involve, and most 2FA is exactly that kind of pissing about. (And you're stuffed if you're not at your PC because you cannot remember or otherwise access the 2FA key).

If we were talking about access to Microsoft's internals it would be fair enough, but it's our data and if someone nicks it or corrupts it it's our fault and our tears. Not theirs. I agree with the previously stated viewpoint that when it comes to our stuff it should be our choice. We are grown people who know the risks and can deal with them appropriately (and if we can't then it's our tough shit, that's all).
« Last Edit: August 17, 2023, 10:02:31 pm by PlainName »
 

Offline abeyer

  • Frequent Contributor
  • **
  • Posts: 292
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #39 on: August 17, 2023, 09:52:19 pm »
Sometimes I read this forum and just shake my head in regret that I didn't take up haberdashery and buy an industrial scale supply of tin foil.
 
The following users thanked this post: ajb, newbrain

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #40 on: August 17, 2023, 10:02:08 pm »
As others have said, 2FA is going to be unavoidable with most legitimate providers, and it really shouldn't be feared or resisted.

No, it should be optional.

Why?

It's there to protect you and your account. Cyber attacks are getting increasingly sophisticated and ultimately, people are lazy and use recycled, weak or compromised passwords all the time. Whilst you might use a strong password, that doesn't mean it can't be compromised in a data breach.

People should embrace multifactor authentication as it's here to stay. Its implementation is as difficult as you make it. For me, I use Bitwarden both on my PC and my phone, so I always have my TOTP codes with me, which is tied to my Yubikey that's always in my pocket (or nearby).
« Last Edit: August 17, 2023, 10:04:33 pm by Halcyon »
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #41 on: August 17, 2023, 10:08:01 pm »
Quote
It's there to protect you and your account.

Do you log into your PC? I don't mean do you have a password set up, but do you have to manually enter it every time you go to your PC? I recall that once upon a time at least one Linux distro enforced that, but even they succumbed to allowing auto logon.

Now we're in a highly connected world with IoT providers tunnelling on the LAN, how is that really different to the cloud? There's even more risk here since someone could just not hack and physically sit at the machine.

Quote
People should embrace multifactor authentication as it's here to stay

You'll change your mind when you have to do 2FA instead of swiping to access your phone :)
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7769
  • Country: de
  • A qualified hobbyist ;)
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #42 on: August 17, 2023, 10:10:32 pm »
Unfortunately, not everyone is grown up and is able to assess the risks. So someone tries to help (or force) those experts to follow best current practice. If a widely used library is affected you'll have a nice supply attack wreaking havoc.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #43 on: August 17, 2023, 10:23:30 pm »
Quote
It's there to protect you and your account.

Do you log into your PC? I don't mean do you have a password set up, but do you have to manually enter it every time you go to your PC? I recall that once upon a time at least one Linux distro enforced that, but even they succumbed to allowing auto logon.

Now we're in a highly connected world with IoT providers tunnelling on the LAN, how is that really different to the cloud? There's even more risk here since someone could just not hack and physically sit at the machine.

Quote
People should embrace multifactor authentication as it's here to stay

You'll change your mind when you have to do 2FA instead of swiping to access your phone :)

Yes, I login to my PC manually every time I sit down at the chair. It takes 2 seconds. Even when I'm switching between users, I enter the password each time.

As for TOTP codes, even on my phone Bitwarden automatically copies them to clipboard for me when I'm logging into a site/service that requires it. It's extremely simple to use and doesn't require swapping between applications.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #44 on: August 17, 2023, 11:10:18 pm »
Bitwarden

Great that it works for you. It won't for me because it's online and doesn't support Windows 7. I have no desire to swap my open source existing solution for another more onerous open source solution, just as you no doubt wouldn't want to use some of the stuff that I would rave about.

[And TOTP is a paid option, and even self-hosting requires an online license download. Fail to pay, no more Bitwarden for you. No thanks - I want a secure password store, not reliant on some paid cloud thing.]
« Last Edit: August 17, 2023, 11:22:38 pm by PlainName »
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #45 on: August 17, 2023, 11:19:41 pm »
Bitwarden

Great that it works for you. It won't for me because it's online and doesn't support Windows 7. I have no desire to swap my open source existing solution for another more onerous open source solution, just as you no doubt wouldn't want to use some of the stuff that I would rave about.

My point is, MFA doesn't have to be cumbersome. It's as cumbersome as you make it. I'm not suggesting everyone go out and use Bitwarden (which by the way can be used entirely offline), there are plenty of other solutions out there.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #46 on: August 17, 2023, 11:23:58 pm »
Yes, there are other solutions. I am using one. But they are still a pain in the arse compared to not having to use them. It should be my choice, that's all.
 
The following users thanked this post: m12lrpv

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #47 on: August 17, 2023, 11:48:27 pm »
[And TOTP is a paid option
Nope, authenticator app is included in the free version

even self-hosting requires online license download. Fail to pay, no more bitwarden for you
Nope there is no license involved for vaultwarden. Nothing to pay if you self host vaultwarden

No thanks - I want secure password store, not reliant on some paid cloud thing.]
It is secure but you don't really care that much about security since you're still on Windows 7 yeah? Saying one solution is more onerous than another is entirely arbitrary particularly if you've clearly not even tried it.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #48 on: August 18, 2023, 09:26:06 am »
I can only go by what they try to sell me.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #49 on: August 18, 2023, 09:32:17 am »
I can only go by what they try to sell me.
Derp. Ok yes you can't store TOTP in Bitwarden for free unless you self host. I was wrong.

The 2 step login is only for unlocking.
« Last Edit: August 18, 2023, 09:38:03 am by Shonky »
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 6847
  • Country: va
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #50 on: August 18, 2023, 09:40:32 am »
What in 'TOTP' doesn't mean 'TOTP'?

Well, whatever. I tried to work it out, even went into the manual which is where I found that a local server install (yuk, no thanks - standalone app is read only, so if your server goes...) still requires a license download. You will probably say it doesn't say that or says it in a different way to what it says.  :-//
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #51 on: August 18, 2023, 09:50:28 am »
You don't run their server. Don't know about the read only bit. You run vaultwarden which is bitwarden compatible and unlocks most of the premium features. You can backup the server no problem (files are all encrypted on disk). You also have encrypted copies on all of your devices that you sync with.

Anyway you're set with whatever you're using so good luck with that.
« Last Edit: August 18, 2023, 09:52:18 am by Shonky »
 

Offline bingo600

  • Super Contributor
  • ***
  • Posts: 1989
  • Country: dk
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #52 on: August 18, 2023, 10:06:33 am »
Would this one do ??
https://freeotp.github.io/

/Bingo
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #53 on: August 18, 2023, 10:27:00 am »
That should work fine. The actual concept is pretty simple. Take a key and store it securely and then mathematically generate a number based on that key and the current time.

So the main things you want to consider IMO:
- how securely the keys are stored on your phone/device - is it encrypted or protected itself?
- keeping backups somehow - some services may be hard to access if you lose your key(s). The services often have recovery codes or other methods for account recovery for this situation. You need to store them somewhere again preferably securely.
 

Offline m12lrpv

  • Regular Contributor
  • *
  • Posts: 175
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #54 on: November 01, 2023, 12:00:18 am »
And here I am because I just got the GitHub email and was hoping for a bypass. It was an interesting thread read, especially from the zealots of 2FA who constantly ignore the fact that in almost every implemented instance 2FA reduces security below that of a password, because all that is needed to take an account now is some social engineering to facilitate an eSIM swap in order to reset a password.

The zealots need to be forced to pay for phones for people to use for 2fa apps. That would end 2fa real quick. It certainly shuts them up at work when they want me to use my phone and I tell them they need to supply the phone because they're not allowed to use mine.

The big issue though is that GitHub is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi-device access to GitHub ends with this 2FA implementation unless you authenticate using a device you carry with you all the time, or a secret string token that you carry written down all the time so you can register other authenticator applications.

Thanks GitHub. Now my account is less secure because I have something I need to write down or save on a file system rather than a password that only existed in my head and no one else knew.

 
The following users thanked this post: KE5FX

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4532
  • Country: au
    • send complaints here
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #55 on: November 01, 2023, 12:51:06 am »
It was an interesting thread read especially from the zealots of 2fa who constantly ignore the fact that in almost every implemented instance 2fa reduces security below that of a password
Better read it again, because Github are the good guys here and NOT forcing that (supporting multiple alternatives).

So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.
 

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #56 on: November 01, 2023, 01:25:01 am »
The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications
No. That's not how it works at all. You can quite easily have the 2FA secret on multiple devices and it will produce the same number.

Thanks GitHub. Now my account is less secure because I have something I need to write down or save on a file system rather than a password that only existed in my head and no one else knew.
Congratulations on not understanding how 2FA works. Hint: it's the "2".
 
The following users thanked this post: abeyer

Offline m12lrpv

  • Regular Contributor
  • *
  • Posts: 175
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #57 on: November 01, 2023, 02:03:47 am »
The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications
No. That's not how it works at all. You can quite easily have the 2FA secret on multiple devices and it will produce the same number.
Incorrect. Github Only allows one of each type. Don't preach about things you don't understand.
Thanks GitHub. Now my account is less secure because I have something I need to write down or save on a file system rather than a password that only existed in my head and no one else knew.
Congratulations on not understanding how 2FA works. Hint: it's the "2".
Every 2fa is basically 1fa. You're just one password reset request away from full access once that 2fa key is exposed. Congratulations on not understanding the reality of 2fa.
 

Offline m12lrpv

  • Regular Contributor
  • *
  • Posts: 175
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #58 on: November 01, 2023, 02:33:34 am »
It was an interesting thread read especially from the zealots of 2fa who constantly ignore the fact that in almost every implemented instance 2fa reduces security below that of a password
Better read it again, because Github are the good guys here and NOT forcing that (supporting multiple alternatives).
The percentage of people using the actually secure instances (like YubiKeys) is so small as to make my statement correct. If GitHub start supplying free YubiKeys then I will consider that they're making things more secure. SMS and apps are less secure than a password known only to one person and never written anywhere.

So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.
That is not true. How do I go to a random computer and log into GitHub? I either have to have an authentication app on my phone or its number registered for SMS, a physical key I'm carrying with me, the ability to install something like WinAuth plus the secret written down so I can use it, or some online service with saved settings that can get hacked or can get switched off tomorrow.

Github 2fa options are one each of Authenticator app, sms, security key, github mobile. You cannot have 3 different authenticator apps registered with github for different devices of the same type. Like say my work computer and 2 of my home computers. It's disingenuous to claim github support multiple devices.
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 4532
  • Country: au
    • send complaints here
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #59 on: November 01, 2023, 03:17:33 am »
The ability to install something like winauth plus the secret written down so I can use it or some online service with saved settings that can get hacked or can get switched off tomorrow.
So you want a solution for two factor without adding anything? Have fun with that.

All the synthetic constraints you choose to add (not installing any software on any device, or having a hardware token) are the problem here, not Github.

So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.
That is not true. How do I go to a random computer and log into github?
By bringing your choice of second factor along, it can be as (in)secure as you like. One solution is you just remember the secret TOTP setup key, just as you would for a password, or write it down. There are RFC 6238 implementations that do not require install (and some even run in a browser if you really want to avoid "apps") and you can bring the key to them as/when you want.

SMS, and apps are less secure than a password known only to one person and never written anywhere
Two factor: the second factor only adds to the security of the password, it does not subtract from it. You still provide a password. Just to double check, I signed out of GitHub and when signing back in on the same computer/browser/session it asked for a username and both the password and 2FA.

Your cries of doom (without explaining the arbitrary constraints that led you to them) are the sort of misinformation around 2FA which needs to be stomped out. GitHub are one of the best examples out there, providing excellent options for people to get on board with 2FA.
 
The following users thanked this post: tom66, abeyer, Veteran68

Offline Shonky

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #60 on: November 01, 2023, 03:51:17 am »
The big issue though is that github is often accessed from multiple devices but they only allow the single registration of an authentication app. So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time or a secret string token that you carry written down all the time so you can register other authenticator applications
No. That's not how it works at all. You can quite easily have the 2FA secret on multiple devices and it will produce the same number.
Incorrect. Github Only allows one of each type. Don't preach about things you don't understand.
Thanks GitHub. Now my account is less secure because I have something I need to write down or save on a file system rather than a password that only existed in my head and no one else knew.
Congratulations on not understanding how 2FA works. Hint: it's the "2".
Every 2fa is basically 1fa. You're just one password reset request away from full access once that 2fa key is exposed. Congratulations on not understanding the reality of 2fa.
Absolutely you can have the TOTP running on more than one device. Try and understand how TOTP works.

Nope. That's not how the Github password reset works. You need access to email to reset the password which is a third factor. Get it?
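Shonky's description of the concept in Reply #53 (a stored key plus the current time) and the multi-device point made in Replies #56 and #60 can both be checked with this added example, which is not code from the thread or from any of the tools named in it. It implements RFC 6238 TOTP with only Python's standard library; the seed is a constructed sample (the base32 form of the RFC's published test secret), not any real account's.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample seed: the base32 form of the RFC 6238 reference secret
# b"12345678901234567890". It is NOT a real account's seed.
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_seed(seed: str) -> bytes:
    """Sites show the seed as base32 text; tolerate spaces, lower case and
    missing '=' padding the way most authenticator apps do."""
    s = seed.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP (RFC 4226) computed over the counter floor(T / step).
    Anything holding `secret` and a clock derives the same code, which is
    why one seed can live in several authenticator apps at once."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, now: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and +/-window
    neighbouring steps (clock drift), comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step, digits), submitted)
        for k in range(-window, window + 1)
    )


def same_seed_same_code(seed_b32: str, now: int) -> tuple[str, str]:
    """Two independent 'devices' (say a phone app and a desktop tool) each
    decode the same seed text and derive the same 6-digit code."""
    device_a = decode_base32_seed(seed_b32)
    device_b = decode_base32_seed(seed_b32.lower())   # same seed, typed differently
    return totp(device_a, now), totp(device_b, now)


if __name__ == "__main__":
    now = int(time.time())
    a, b = same_seed_same_code(SAMPLE_SEED_B32, now)
    print(f"device A: {a}  device B: {b}  match: {a == b}")
    print("server accepts:", verify(decode_base32_seed(SAMPLE_SEED_B32), a, now))
```

The seed is the thing to protect and back up: whoever holds it, on however many devices, holds the second factor, so it belongs in the same encrypted store as the site's recovery codes.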
 

Offline julian1

  • Frequent Contributor
  • **
  • Posts: 735
  • Country: au
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #61 on: December 06, 2023, 07:49:05 pm »
Does GitLab try to monetize (or carve out a future right to) their customers' content with AI engines, like Copilot?
 

Offline Noloader

  • Newbie
  • Posts: 2
  • Country: us
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #62 on: December 09, 2023, 12:16:52 am »
I received an email warning me I will lose access to my GitHub account unless I enable 2FA....

Now I do not want to give them my private cell phone number to receive the SMS...

I use KDE's KeySmith, <https://apps.kde.org/keysmith/>. It works just fine for M$ 2FA. In fact, I have KeySmith running on two laptops and a desktop. There's no need to run it from a cell phone.

I did not have to install M$ warez, like a closed source app. I did not provide M$ with any personal information, like my cell phone number.
« Last Edit: December 09, 2023, 12:20:03 am by Noloader »
 
The following users thanked this post: SiliconWizard

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2218
  • Country: 00
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #63 on: December 15, 2023, 02:31:14 pm »
Keysmith works ok, I just installed it in order to be able to continue to access pypi.org:

https://blog.pypi.org/posts/2023-12-13-2fa-enforcement/

Regarding GitHub, I didn't register a phone number but they sent me verification codes to the email address I used for registering in order to access.
But I moved to GitLab anyway years ago already when Microsoft put its claws on it. I only log in on GitHub if I want to report an issue in somebody else's repo.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14487
  • Country: fr
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #64 on: December 15, 2023, 09:47:00 pm »
But I moved to GitLab anyway years ago already when Microsoft put its claws on it. I only log in on GitHub if I want to report an issue in somebody else's repo.

Yes. GitLab has a more "aggressive" approach to sales though, as far as I've seen. The free accounts are much more limited than GitHub's (which have very few limitations in comparison). That's OK for personal projects usually, but from the limits I've seen, for anything more serious with many contributors, you'd need a paid plan. Not that it's overly expensive, but something to consider. Of course, we know where MS gets its money from, nothing is free.

But as a user (I have no account at GitLab), you may have some details about that to add.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #65 on: December 15, 2023, 10:20:47 pm »
Is there anything in the ToS against putting up your TOTP "secret" in a public repo on GitHub itself?

This gives you access to your "second factor" everywhere you have access to GH, so problem solved and back to square one, right? ;D
 
The following users thanked this post: Karel

Offline magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: How to bypass GitHub's new 'Enable two-factor authentication'.
« Reply #66 on: December 15, 2023, 10:29:42 pm »
I only log in on GitHub if I want to report an issue in somebody else's repo.
Usually you can do it by email.
If no address is published on their website, look at the git (which you probably already have downloaded anyway at this point).
 

