Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don’t love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don’t want to give them my phone number just to log in.
Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)…
SMS is the least secure form of 2FA, and SIM swaps are a very real thing. Whatever your issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.
And this isn’t just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing; your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2FA or email 2FA I wouldn’t trust.
Totally agree! 2FA on all the accounts that support it avoiding SMS. And different passwords (complex, auto generated by a password manager) for each single account. I may be paranoid, but I also use a different email alias (SimpleLogin) for every single account! 😆
Same, a simple habit that is secure. I use it always with maximum privacy. One day you will be in a rush, under stress, affected by age, and use your old habits with a valuable asset…
SMS 2FA is still better than no 2FA.
Not if the org uses SMS auth as a recovery method for your “lost” password
Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.
I generally don’t let my team enter phone numbers into their account data.
But it should be the last resort. It makes sense why it’s being phased out
Well we could be using passkeys right now if Big Tech weren’t trying to tie them to their own platforms! 🤷
This, but my random, account-specific 20 char passwords are not online and available.
If you’re not already using 2FA everywhere you can, you’re already doing it wrong.
2FA is for people who don’t know how to use randomized passwords for every site
Brilliant. Until that website’s unsalted pw database is downloaded through a SQL injection.
Use both. You’re not smarter than security professionals.
- Salt doesn’t matter if your password is unique.
- If they can download data via SQL injection having them log in probably doesn’t matter that much.
- If they can dump your password/hash they can likely also dump the TOTP secret.
- A lot of website security expert attention is focused on raising the minimum security level. If you are using randomly generated passwords + auto-fill you are likely above their main target audience.
So yes, it is slightly better, but in practice that difference probably doesn’t matter. If you use U2F then you may have a meaningful security increase but IMHO U2F is not practical to use on every site due to basically being impossible to manage credentials.
So yes, it is better. But for me using random passwords and a password manager it isn’t worth the bother.
Called it
The day your machine is compromised is also the day ALL your passwords get stolen.
deleted by creator
2FA is annoying and not necessary for most things.
Yeah I just want to type my name to be able to withdraw money from my bank account. No pesky pins or passwords or any form of authentication /s
Even in my bank’s ATM there’s only one password, not 2FA. 2FA is 2 factor auth, there’s no 2FA in the ATMs.
It doesn’t mean the initial password isn’t a layer of authentication, but strictly speaking where I live all ATMs do not employ 2FA.
You only need a password for the ATM, not a card and a password, which are two factors?
All security is annoying. Oh well.
What’s wrong with using a FOSS TOTP app?
Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn’t need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.
You can try Aegis if you’re on Android: open source, local, great.
Also OTPclient on desktop, it can work directly with an Aegis encrypted export file. You enter the decrypt password when you open the app and it can auto-lock after a specified interval.
Is there something similar for Windows? I checked the GitHub page and there doesn’t seem to be a package for Windows. I could try to compile it from source, but that’s a lot of libraries I have to get…
If you’re willing to work with unencrypted exports, I think tauthy can import unencrypted Aegis JSON format. Also, what Aegis exports as “text format” is a standard format of sorts that consists of lines of otpauth:// URLs. There are lots of apps that can import that format, but please note that you lose some extra information from Aegis when you export in that format. Shouldn’t be a problem if you just want to be able to generate codes on desktop.
Aegis looks great - I’ll give this a shot. Thanks for the recommendation!
Happy to help
I just use Bitwarden’s 2FA functionality.
This is premium functionality, for those who don’t know.
And I heard that if you self host you can use the premium features for free
I believe that’s only true for the unofficial version (Vaultwarden, API compatible with any Bitwarden app)
Worth the price for Bitwarden’s good practices imo, now if I could export all of my authy keys…
I know it’s possible, but Authy has made it a PITA… fuck authy.
Aegis
Yubikey, but that’s just a personal preference. A password manager works just as well.
The problem with Yubikey is that it doesn’t have a good enough management story for broad use. I do use it for a few core sites (like GitHub) but if I lose a key I need to get a replacement and register that replacement with every site I have set up U2F 2FA on. This is ok with a few core accounts but doesn’t scale to the hundreds of sites that I have an account with. I am sure to miss a few and then either I can’t log in with the new key or get completely locked out when I lose that key and get a second replacement.
I use keepassxc to generate the code.
Agreed, me too! And I use Syncthing to sync my database between my devices.
Edit: mine is called KeePassDX, but it’s the same database file.
Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.
But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.
I already use pass (“the unix password manager”) and there’s a pretty decent extension that lets it handle 2FA: https://github.com/tadfisher/pass-otp
Worth noting that this somewhat defeats the purpose of 2FA if you put your GitHub password in the same store as the one used for OTP. Nevertheless, this lets me sign on to 2FA services from the command line without purchasing a USB dongle or needing a smartphone on-hand.
It’s fine. I moved to gitlab years ago for 2fa, so while this doesn’t affect me I would be entirely ok with normal 2fa.
It is normal, right? Not a weird Microsoft 2fa requiring their app?
Yes you can use any app, it’s standard TOTP.
Yes, normal TOTP
I don’t love the idea of having an authenticator app installed on my phone
For anything? Why not? Surely you don’t believe SMS-based TOTP is safer, right?
Wut. TOTP doesn’t involve sending an OTP. That’s the point.
“SMS-based TOTP” is a nonsensical phrase
“Time-based One-Time Password” literally says nothing about the delivery method. Who said it can’t involve remote sending?
And what would you call it, then, SOTP?
Anyway, regardless of the terminology-nitpicking, my point still stands.
The point of being time based is to not send it. That’s the whole point. To avoid that vector of attack.
Do you think the SMS codes are not time-based on the companies’ ends? How are they deriving the digits, then?
They are not time based, correct.
Interesting, I didn’t know that. So how do they derive the digits?
Best practice for a cryptographic nonce is to generate them randomly every time
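Two things in this thread can be shown concretely in a few lines: the line-per-entry otpauth:// “text format” that Aegis exports (and that any standard TOTP app can read), and how TOTP digits are actually derived on both ends versus how a server-issued SMS code is made. The block below is an added example, not code from the thread, from Aegis, tauthy or pass-otp. It parses otpauth:// Key URIs, computes RFC 4226 HOTP / RFC 6238 TOTP codes with HMAC-SHA1 over the time counter, verifies a submitted code the way a server would (small drift window, constant-time compare), and contrasts that with a randomly generated one-time code. The export lines are constructed: the secret is the RFC 6238 reference key (ASCII “12345678901234567890” in base32) and the GitHub/alice label is made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of an otpauth:// "text format" export (one URI per line).
# Secret = RFC 6238 reference key; the GitHub/alice label is hypothetical.
SAMPLE_EXPORT = """\
otpauth://totp/GitHub:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub&digits=8&period=30
otpauth://totp/Example?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example
"""


def parse_otpauth(uri):
    """Parse one otpauth:// Key URI into its parameters, applying the usual defaults."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not a totp/hotp otpauth URI: %r" % uri)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    label = unquote(parsed.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:  # label carries only the account name, no "issuer:" prefix
        label_issuer, account = "", label_issuer
    return {
        "type": parsed.netloc,
        "issuer": params.get("issuer", label_issuer),
        "account": account.strip(),
        "secret": params["secret"],
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = unix_time // period. Nothing is transmitted;
    client and server each derive the same digits from the shared secret and the clock."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // period, digits, algorithm)


def verify_totp(secret_b32, submitted, at_time=None, window=1, period=30, digits=6, algorithm="SHA1"):
    """Server-side check: accept the current step plus/minus `window` steps of clock drift,
    comparing in constant time so response timing does not leak which digits matched."""
    t = int(time.time() if at_time is None else at_time)
    counter = t // period
    for step in range(-window, window + 1):
        if counter + step < 0:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter + step, digits, algorithm), submitted):
            return True
    return False


def random_sms_code(digits=6):
    """What an SMS/e-mail code is on the server side: a random nonce the server stores
    with an expiry and later compares against; it is not derived from a clock or a secret."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def codes_from_export(text, at_time=None):
    """Turn each TOTP line of an export into (issuer, account, current code)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = parse_otpauth(line)
        if entry["type"] != "totp":
            continue  # HOTP entries need a persisted counter; not handled here
        code = totp(entry["secret"], at_time, entry["period"], entry["digits"], entry["algorithm"])
        out.append((entry["issuer"], entry["account"], code))
    return out


if __name__ == "__main__":
    for issuer, account, code in codes_from_export(SAMPLE_EXPORT):
        print(f"{issuer} ({account}): {code}")
```

Run it and you get the same digits any TOTP app would show for those entries, which is the practical point of the thread: the secret in the otpauth:// line is the whole credential, so wherever that file or database lives (Aegis, KeePassXC, pass-otp, Bitwarden) is where the second factor effectively lives, and an export should be treated with the same care as the password store itself.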
It’s more secure, and SSH keys are more convenient anyway.
I just use my password manager to generate the TOTP. There’s no way I’m going to install an app just to use a website.