2FA/MFA became so annoying I’m now meaning to get an android emulator running just to get these passcodes. I’m sick of having to grab my phone, unlock it, open some app or wait for a text, rush to type it in before it resets etc. Such a huge pain in the ass.
It took me a little while to get used to remembering my Yubikey, but that’s been pretty great for me. I have one that’s USB-C on one end and Apple Lightning on the other. Also, if I’d switch to a Chromium-based browser, I could use the Mac’s Touch ID for 2FA (Firefox on Mac doesn’t support it, though).
Disclosure: GitHub employee, but not involved with this security effort.
On Windows, you can use a TPM and on iOS / Android you can use their credential manager (which is secure on iOS and may or may not be secure on Android depending on how much of a cheapskate the handset manufacturer was). GitHub has done a fantastic job on making this usable. I haven’t used a password with GitHub for a few years for anything other than adding a new device.
Disclosure: Microsoft employee, but not working directly with GitHub on anything, just a very happy user (of everything except their complete misunderstanding of the principles of least privilege and intentionality in their application of the Zero Trust buzzword).
Store TOTP secret somewhere (I have it in Bitwarden, it allows me to also generate tokens directly through official clients) and run it through oauthtool to generate singe use token. On my setup I can generate & paste a token with ydotool with a single key stroke.
2FA on GitHub rarely shows up; I do have it enabled, and I pretty much don’t need to enter a second factor through daily usage. It’s the same as 2FA with Google, which is rarely needed through daily usage. It’s pretty much for sensitive operational changes to accounts (repos in this case I guess), logging in from new devices, or from a device that hasn’t been used in a while. Other platforms are a bit more annoying, for sure, but I feel GitHub gets the balance right in this regard. I’m actually surprised they’re making it almost 1.5 years away of enforcing though… that seems a bit too long IMO.
My OnlyKey covers FIDO2 and TOTP inputs with easy. It came with a keychain so it stays right next to my home key and my motorbike key so it’s hard to forget about it.
Passsword Store on syncing between Linux and Android has worked well aditionally and the OTP plugin covers that aspect as well.
I have a template Perl script I use for TOTP. I copy it over and put in the new key, and run it from the shell to get a TOTP code. I try very hard not to let them use my phone for this.
2FA/MFA became so annoying I’m now meaning to get an android emulator running just to get these passcodes. I’m sick of having to grab my phone, unlock it, open some app or wait for a text, rush to type it in before it resets etc. Such a huge pain in the ass.
1Password includes TOTP for mimicking 2FA. Bitwarden does as well, but it’s a bit clunkier.
It’s not really “mimicking” — it’s a TOTP app generating codes the same way as any other TOTP app.
It’s mimicking that there is a second factor, which often times implies a second, isolated piece of hardware
KeepassXC, a non-subscription-based open source password manager, supports TOTP too.
It took me a little while to get used to remembering my Yubikey, but that’s been pretty great for me. I have one that’s USB-C on one end and Apple Lightning on the other. Also, if I’d switch to a Chromium-based browser, I could use the Mac’s Touch ID for 2FA (Firefox on Mac doesn’t support it, though).
Disclosure: GitHub employee, but not involved with this security effort.
On Windows, you can use a TPM and on iOS / Android you can use their credential manager (which is secure on iOS and may or may not be secure on Android depending on how much of a cheapskate the handset manufacturer was). GitHub has done a fantastic job on making this usable. I haven’t used a password with GitHub for a few years for anything other than adding a new device.
Disclosure: Microsoft employee, but not working directly with GitHub on anything, just a very happy user (of everything except their complete misunderstanding of the principles of least privilege and intentionality in their application of the Zero Trust buzzword).
keepassxc allows storing 2FA tokens
you can use oathtool to generate them directly
Buy a USB-A U2F key and leave it permanently plugged into the computer
Store TOTP secret somewhere (I have it in Bitwarden, it allows me to also generate tokens directly through official clients) and run it through
oauthtoolto generate singe use token. On my setup I can generate & paste a token withydotoolwith a single key stroke.2FA on GitHub rarely shows up; I do have it enabled, and I pretty much don’t need to enter a second factor through daily usage. It’s the same as 2FA with Google, which is rarely needed through daily usage. It’s pretty much for sensitive operational changes to accounts (repos in this case I guess), logging in from new devices, or from a device that hasn’t been used in a while. Other platforms are a bit more annoying, for sure, but I feel GitHub gets the balance right in this regard. I’m actually surprised they’re making it almost 1.5 years away of enforcing though… that seems a bit too long IMO.
My OnlyKey covers FIDO2 and TOTP inputs with easy. It came with a keychain so it stays right next to my home key and my motorbike key so it’s hard to forget about it.
Passsword Store on syncing between Linux and Android has worked well aditionally and the OTP plugin covers that aspect as well.
I have a template Perl script I use for TOTP. I copy it over and put in the new key, and run it from the shell to get a TOTP code. I try very hard not to let them use my phone for this.
Why though?
If I lose my phone, I’m potentially screwed, depending on what recovery mechanisms there are. But I can back up a Perl script and store it securely.
you can back-up the QR code from the TOTP app too. Also github gives you backup codes to print out.
Could we get a better first factor before we start with annoying users with a second factor?
Shout-out to Bitwarden, which is amazing, supports 2FA, and is self-hostable (but I pay them to support small devs)
If this change worries you, check it out. Because of Bitwarden, my reaction was “meh, sure, whatever”
Good thing I’ve got Numberstation for my PinePhone then (just migrated off Authy on Android).