I'm not best pleased that GitHub is going to force me to use 2FA in the next month or two.

Security through trusted third parties is attractive but danger is lurking within that model.

Anyway, has anyone decided to do anything other than the obvious "authenticator app on the phone"? Because I'm pretty wary of it.

Discussion

They support security hardware keys. Bitwarden also supports TOTP for 2FA.

I had 2FA on phone long before they enforced it. US government already has access to my stuff since it's Microsoft. So don't care about NSA backdoor in the 2FA app.

Fwiw 2FA* saved my ass once, many years ago, when someone hijacked my domain**, set an email forward and reset the Github password.

* = and the hackers' laziness, they could have done way more damage

** = where I forgot to set 2FA AND probably reused a password, despite having stopped reusing passwords years before the hack - forgot to change that one

I noticed and cut them off in a matter of hours. I guess they were Russian or Chinese working office hours and just stopped for the day.

The real threat is sim-swap attacks. I imagine the FBI can just request access to your github account with or without the 2FA.

Yeah I don't use sms 2fa when I can avoid it.

Yeah I'm less concerned about the NSA type threat (if they want to "do" my github account I'm sure they can), more the "uh oh because of a bug in the auth protocol or the auth app, hackers can take over accounts" or something like that.

I mean, it is *2* FA, not 1 FA, so in theory it's not that simple, I'm just thinking in very vague terms about "central points of failure" and also "complexity is the enemy of security" (people end up often looking for shortcuts if you make security policies really burdensome).

Maybe yes. Though I think on Github you don't reach the 2FA step before either passing the password check or resetting the password.

Indeed. Those shortcuts include storing your password and 2FA TOTP in the same place. Ideally you shouldn't, but I think the real benefit of 2FA is to prevent account compromise due to password reuse.

You can probably get something that pulls the QR code into an OTP string and store that somewhere.

The format is usually like this:

otpauth://totp/your%40email.com?issuer=SomeService&secret=YOURSECRETTOKEN

Then you can pop that into most password managers and Authenticator apps. This way you don’t have to rely on an Auth app solely.
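As an added illustration of what that otpauth string actually carries (this is example code, not from anyone in the thread): a parser for the URI above plus the RFC 6238 TOTP computation that any authenticator app or password manager runs on the extracted secret. The sample URI is constructed here with the RFC 6238/4226 test key, not a real account secret.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the thread's URI shape with the RFC 6238 test key
# ("12345678901234567890" in base32). Not a real GitHub secret.
SAMPLE_URI = ("otpauth://totp/your%40email.com?issuer=SomeService"
              "&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

def parse_otpauth(uri):
    """Split an otpauth://totp/... URI into its parts, applying the
    RFC 6238 defaults (6 digits, 30-second period) when absent."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    return {"label": unquote(u.path.lstrip("/")), "issuer": q.get("issuer"),
            "secret": q["secret"], "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def decode_secret(secret):
    """Base32-decode the secret, tolerating lower case, spaces and no padding."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_from_uri(uri, now=None):
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    p = parse_otpauth(uri)
    now = time.time() if now is None else now
    return hotp(decode_secret(p["secret"]), int(now // p["period"]), p["digits"])

def verify_totp(uri, code, now=None, window=1):
    """Server-side check: accept the current step and +/- `window` steps
    for clock skew, comparing in constant time."""
    p = parse_otpauth(uri)
    now = time.time() if now is None else now
    key, step = decode_secret(p["secret"]), int(now // p["period"])
    return any(hmac.compare_digest(hotp(key, step + d, p["digits"]), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI), totp_from_uri(SAMPLE_URI))
```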

Yep, good suggestion, the github setup page has the token copyable.

I decided to buy 2 yubikeys last year, very much recommend

Aegis on Linux?

Works on Android AFAIK. Handy for converting an old phone or tablet to a dedicated offline 2FA device.

https://github.com/beemdevelopment/Aegis

Why don't you like yubikey? I've got several registered to my GitHub account so none are a single point of failure.

YubiKeys are great and more people should use them - also great to use as a PGP ‘smart card’, way way better than having a hot key on a work computer

But a free-er open-sourcer competitor would be amazing, Yubico a bit Ledger-like for my taste

(Also also you can use a Ledger like a YubiKey which is handy as a backup)

Is a passkey out of question?

The “third party” doesn’t have access to your password and they can’t gain access to your account with just the 2FA! If for some reason you don’t like yubikeys, there are several open source U2F devices you can also use on https://www.crowdsupply.com/.

2FA beyond email verification on login ?

Bitwarden. Cross platform, self hosted or cloud.

I use bitwarden with yubikey

What's the name of open source Hkey? Someone showed me on nostr once

Hmm I think it was this one FYI..... maybe there was another. Grrrr

https://solokeys.com/

That looks very interesting 👍

someone told me about it on nostr 👍

why are you wary of totp 2fa apps?

Maybe this on linux?

"Use oathtool Linux command line for 2 step verification (2FA)" https://www.cyberciti.biz/faq/use-oathtool-linux-command-line-for-2-step-verification-2fa/

I have two yubikeys registered. One just sits in a safe deposit box as a backup.

This is the way..