I had 2FA on my phone long before they enforced it. The US government already has access to my stuff since it's Microsoft. So I don't care about an NSA backdoor in the 2FA app.


Discussion

Fwiw 2FA* saved my ass once, many years ago, when someone hijacked my domain**, set an email forward and reset the GitHub password.

* = and the hackers' laziness, they could have done way more damage

** = where I forgot to set 2FA AND probably reused a password, despite having stopped reusing passwords years before the hack - forgot to change that one

I noticed and cut them off in a matter of hours. I guess they were Russian or Chinese working office hours and just stopped for the day.

The real threat is SIM-swap attacks. I imagine the FBI can just request access to your GitHub account with or without the 2FA.

Yeah, I don't use SMS 2FA when I can avoid it.

Yeah, I'm less concerned about the NSA type threat (if they want to "do" my GitHub account I'm sure they can), more the "uh oh, because of a bug in the auth protocol or the auth app, hackers can take over accounts" or something like that.

I mean, it is *2* FA, not 1 FA, so in theory it's not that simple, I'm just thinking in very vague terms about "central points of failure" and also "complexity is the enemy of security" (people end up often looking for shortcuts if you make security policies really burdensome).

Maybe yes. Though I think on GitHub you don't reach the 2FA step before either passing the password check or resetting the password.

Indeed. Those shortcuts include storing your password and 2FA TOTP in the same place. Ideally you shouldn't, but I think the real benefit of 2FA is to prevent account compromise due to password reuse.