You can choose among multiple options to add a second source of authentication to your account.
Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.
Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...
SMS is the least secure form of 2FA, and SIM swaps are a very real thing. Whatever your issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.
And this isn't just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing; your passwords are online and available. 2FA may be the only thing defending you right now, and SMS 2FA or email 2FA I wouldn't trust.
I already use pass ("the unix password manager") and there's a pretty decent extension that lets it handle 2fa: https://github.com/tadfisher/pass-otp
Worth noting that this somewhat defeats the purpose of 2FA if you put your GitHub password in the same store as the one used for OTP. Nevertheless, this lets me sign on to 2FA services from the command line without purchasing a USB dongle or needing a smartphone on hand.
Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.
But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.
This hate for 2FA is bizarre to me. Sure, it's not as convenient but in this day and age, with all the threats out there, there's no real excuse for not using it.
Codeberg, or failing that, GitLab, or BitBucket. Allowing MS to control all FLOSS software means they might probably secretly get consent to use your code for Copilot training without respecting licences. I have no idea if this happens, or might in the future, as I ain't reading the terms of service for something I do not use; however, I have little trust for them, enough to err on the side of caution.
I have a dedicated phone with a dedicated number which stays at home all the time. Call it (see what I did there) the Authenticator phone, whose only job is to authenticate me when needed. Not only for GitHub, but other services too. Minimizing the risk of losing or breaking the device. And companies don't get all my private stuff.
Last time I signed into my Microsoft 365 account for work I got two separate 2FA prompts and two captchas; it was like being in an episode of The Crystal Maze. The mere act of signing into something is now tedious and difficult.
iCloud Keychain. Has the ability to store 2FA codes and pull them up automatically. GitHub also supports passkeys so most times I just log in with my biometrics or user pass and don’t have to worry about the added layer.
I’m fine with regular 2FA. What I can’t abide is having to use proprietary apps, like Blizzard’s Battle.net. Steam too.
Passkeys are the future but still a ways off.
Wild tho that you don’t have any other accounts needing 2FA? That’s scary to me, as that added security goes a long ass way in regards to hardening your security.
Contributing to github is contributing to Microsoft's AI poison which can steal your code from you regardless of license for another project that might use an incompatible license. To hell with github.