1y ago

How is everyone handling the 2FA requirement for GitHub?

docs.github.com

Configuring two-factor authentication - GitHub Docs

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...

126 comments

It's fine. The added security is huge
The problem is when they want you to install their TOTP app in order to authenticate (I'm looking at you, steam... fuck off)
- I think I'd still prefer to use a 3rd-Party TOTP app but at least Steam's app adds some value by pushing a notification when you login.
  
  Steam is okay in my book because steam was the OG 2FA provider. They forced 2FA on everyone, all the way back in 2007, they took security seriously before anyone else really cared. So, they're grandfathered in.
  
  You can use Steam with a regular third-party TOTP authenticator, here's a guide on how to set it up: https://help.ente.io/auth/migration-guides/steam/
  
  I hate that. I think it’s lazy af.
- Exactly. At the end of the day there’s nothing being transmitted with OTP and using a standard app isn’t an issue.
- If you're rooted, Aegis can import the seed from the Steam app then you don't need it anymore.
  
  Oh, that's awesome!
  But I don't have root
  
  You don't even need root. https://help.ente.io/auth/migration-guides/steam/
- Or like eBay
- How's that? I've had TOTP in my github account for over a year, on Aegis, and I have not seen them asking me to do anything else.
  
  GitHub is not an offender right now, but I can easily imagine Microsoft forcing some MS OTP app in the future
- I do agree but Steam's app isn't bad. It's great if you use Steam's social features and it makes secure login a total breeze.
  
  It's not that the app is good or bad. It's that you are FORCED to use it when there is no technical reason for that requirement.
  Let me reiterate: fuck valve
- You can use it with a regular TOTP app, just like with Steam (but it requires some additional setup: https://help.ente.io/auth/migration-guides/steam/)
SMS is the least secure form of 2FA, and sim swaps are a very real thing. Whatever you're issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.
And this isn't just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing, your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2fa or email 2fa I wouldn't trust.
- Totally agree! 2FA on all the accounts that support it avoiding SMS. And different passwords (complex, auto generated by a password manager) for each single account. I may be paranoid, but I also use a different email alias (SimpleLogin) for every single account! 😆
  
  same, a simple habit that is secure, I use it always with maximum privacy. One day you will be in a rush, under stress, affected by age, and use your old habits with a valuable asset...
- SMS 2FA is still better than no 2FA.
  
  Not if the org uses SMS auth as a recover method for your "lost" password
  Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.
  I generally don't let my team enter phone numbers into their account data.
  
  But it should be the last resort. It makes sense why it's being phased out
- This, but my random, account-specific 20 char passwords are not online and available.
If you're not already using 2fa everywhere you can, you're already doing it wrong.
- 2FA is for people who don't know how to use randomized passwords for every site
  
  Brilliant. Until that website's unsalted pw database is downloaded through a SQL injection.
  Use both. You're not smarter than security professionals.
  
  The day your machine is compromised is also the day ALL your passwords get stolen.
- 2FA is annoying and not necessary for most things.
  
  Yeah I just want to type my name to be able to withdraw money from my bank account. No pesky pins or passwords or any form of authentication /s
  
  All security is annoying. Oh well.
You can try aegis if you're on Android, open source, local, great
- Also OTPclient on desktop, it can work directly with an Aegis encrypted export file. You enter the decrypt password when you open the app and it can auto-lock after a specified interval.
  
  Is there something similar for windows? I check the github page & there doesn't seem to be a package for windows. I could try to compile it from source but that a lot of libraries I have to get...
- Aegis looks great - I'll give this a shot. Thanks for the recommendation!
  
  Happy to help
What's wrong with using a Foss TOTP app?
- Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn't need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.
I just use Bitwarden's 2FA functionality.
- This is premium functionality, for those who don't know.
  
  They have a free application too:
  https://play.google.com/store/apps/details?id=com.bitwarden.authenticator
  
  And I heard that if you self host you can use the premium features for free
  
  Worth the price for Bitwarden's good practices imo, now if I could export all of my authy keys...
  I know it's possible, but Authy has made it a PITA.... fuck authy.
Aegis
Yubikey, but thats just a personal preference. A password manager works just as well.
- The problem with Yubikey is that it doesn't have a good enough management story for broad use. I do use it for a few core sites (like GitHub) but if I lose a key I need to get a replacement and register that replacement with every site I have set up U2F 2FA on. This is ok with a few core accounts but doesn't scale to the hundreds of sites that I have an account with. I am sure to miss a few and then either I can't log in with the new key or get completely locked out when I lose that key and get a second replacement.
I use keepassxc to generate the code.
- Agreed, me to! And I use syncthing to sync my database between my devices Edit: mine is called KeePassDX but its the same database file
I already use pass ("the unix password manager") and there's a pretty decent extension that lets it handle 2fa: https://github.com/tadfisher/pass-otp
Worth noting that this somewhat defeats the purpose of 2fa if you put your GitHub password in the same store as the one used for otp. Nevertheless, this let's me sign on to 2fa services from the command line without purchasing a USB dongle or needing a smartphone on-hand.
- Your two factors shift to possession of your password vault + knowledge of the password to it. You're okay IMO.
  You also still get the anti-replay benefits of the OTPs, though that might be a bit moot with TLS everywhere.
  
  You're right, I should have been more specific.
  If you're already storing your password using pass, you aren't getting 3 factors with pass-otp unless you store the otp generation into a separate store.
  For services like GitHub that mandate using an otp, it's convenient without being an effective loss of 2fa to store everything together.
It's fine. I moved to gitlab years ago for 2fa, so while this doesn't affect me I would be entirely ok with normal 2fa.
It is normal, right? Not a weird Microsoft 2fa requiring their app?
- Yes you can use any app, it's standard TOTP.
- Yes, normal TOTP
Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.
But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.
- Did you forget the ./s or something? Lemmy itself is developed on GitHub, as are plenty of other "valuable" open source projects. To pretend nothing of value is built there is putting your head in the sand.
  If you're developing software on GitHub you have a chance at getting some useful feedback, bug reports and maybe even PRs. Like it or not, the network effect is real.
  
  SFC recommends to not use them, so that's what I will keep (not) doing.
  
  Not /s
  It is long past the time to move on. We don’t like the ads, gamified/corporate-friendly social media aspects, & enshitification of the web (which is why we are an Lemmy not Reddit), so why would we want that same platform for our code?
  Also Lemmy has every interest in moving as soon as ForgeFed is finalized & merged into a forge the can host since they want the same decentralized values for their forge as their forum/link aggregator platform and have publicly acknowledged it is a problem.
  Your projects should follow that example, if not your current projects at least future ones. These megacorporation are not our friends.
I don’t love the idea of having an authenticator app installed on my phone
For anything? Why not? Surely you don't believe SMS-based TOTP is safer, right?
- Wut. TOTP doesn't involve sending an OTP. That's the point.
  "SMS-based TOTP" is a nonsensical phrase
  
  "Time-based One-Time Password" literally says nothing about the delivery method. Who said it can't involve remote sending?
  And what would you call it, then, SOTP?
  Anyway, regardless of the terminology-nitpicking, my point still stands.
Its more secure and ssh keys are more convenient anyways
I just use my password manager to generate the TOTP. There's no way I'm going to install an app just to use a website.
This hate for 2FA is bizarre to me. Sure, it's not as convenient but in this day and age, with all the threats out there, there's no real excuse for not using it.
I generate a TOTP with my password manager, it stores all my other login details and keeps it simple.
- That seems like it defeats the "2" part of 2FA. If your password manager is compromised the attackers now how complete access.
  
  Technically true.
  You are right, having the password in the same vault does mean that if the vault itself is compromised they have both. Guess I could move the TOTP to a separate authenticator app but the only other apps I have a mobile only and there are times I need to login without having hands on my phone.
  I guess the time based aspect of the TOTP makes it a little more resistant to having someone monitor my keystrokes or clipboard or whatever and capture a relatively long lived secret like my password. So I guess its a comprise I'm willing to make.
  
  That's minimal to me. I chose 1password for this exact reason, read all of their technical docs.
  1password uses encryption with a 2-part key, your password and your "Secret key" which is essentially a salt. Combining those two, they encrypt your entire storage blob and store it. They're very clear that there is no backdoor, there it is encrypted using your keys, and they do not store those keys anywhere - and that if you lose your keys you're out. There are zero recovery options. Which I love. (Which means I do not recommend it to non tech folks who will probably lose one of these keys)
  So the secret key is similar to a guid, can have that written down somewhere, and your password should never be written down anywhere, and be completely unique. Doing those two things, I feel confident that keeping my 2FA in my most secure area is safe. There is minimal chance that someone is able to log in remotely to my 1password, even if they got my key, my password isn't written down.
  The convenience of this is x1000, while the risk to me is negligible. It's why when I worked in fintech it was the manager of choice, and I recommend it for secrets in kubernetes. Until they prove me wrong, security is truly number one with them.
  
  If you only need one factor to log into your password manager, you’re doing it wrong.
https://sfconservancy.org/GiveUpGitHub/
I have a dedicated phone with a dedicated number which stays at home all the time. Call it (see what I did there) the Authenticator phone, which only job is to authenticate me when needed. Not only for Github, but other services too. Minimizing the risk to lose or break the device. And companies don't get all my private stuff.
- Works great till somebody does a sim swap on you.
  
  How? It's physically at home.
- That's exactly what I'm planning to do, a phone that forwards all sms messages through ntfy (or other service like signal) to me.
  
  @chevy9294 @thingsiplay
  On android you can use https://f-droid.org/en/packages/org.projectmaxs.module.smsnotify/ - forwards incoming sms to XMPP
pass otp. Works, more secure then SMS, open source.
Codeberg, or failing that, GitLab, or BitBucket. Allowing MS to control all FLOSS software, means they might probably secretly get consent to use your code for copilot training without respecting licences. I have no idea if this happens, or might in the future, as I ain't reading the terms of service for something I do not use, however, I have little trust for them enough for air on the side of caution.
- I'm gonna keep putting all of my code on github, then. Doing my part to make copilot crash and burn.
- I forgot about Codeberg - I'll look into that and Gitlab as alternatives. Thanks for the suggestions.
iCloud Keychain. Has the ability to store 2FA codes and pull them up automatically. GitHub also supports passkeys so most times I just log in with my biometrics or user pass and don’t have to worry about the added layer.
I’m fine with regular 2FA. What I can’t abide is having to use proprietary apps, like Blizzard’s battle net. Steam too.
Passkeys are the future but still a ways off.
Wild tho that you don’t have any other accounts needing 2FA? That’s scary to me as that added security goes a long ass way in regards to hardening your secuity.
2FAS is open source and doesn't have a cloud presence to store data. You can use it to add 2FA to your other services as well.
last time I signed into my Microsoft 365 account for work I got two separate 2fa prompts and two captchas, it was like being in an episode of the crystal maze. the mere act of signing into something is now tedious and difficult
I deleted my github account because fuck microsoft. Open source should not be hosted on their servers.
In regards to forced 2fa, as I don't need it on my projects, there would be literally nothing lost if somebody gets into my account.
Just for the convenience I moved them to my selfhosted forgejo and mirroring to sr.ht as a backup.
ITT: People who think they know better than security researchers
Contributing to github is contributing to Microsoft's AI poison which can steal your code from you regardless of license for another project that might use an incompatible license. To hell with github.
@StorageB If you prefer command line tools for this, I recommend oathtool. https://www.nongnu.org/oath-toolkit/oathtool.1.html
- This looks pretty good. Will look into this option for sure. Thanks for the suggestion!

126 comments