-
I understand GitHub wants to require 2FA soon and in principle I think this is a good thing. However, for various reasons, I cannot use SMS or Authenticator 2FA. I understand WebAuthn is available, but only as a fallback. Is it possible to use WebAuthn as the main 2FA method? If not, why? Services like Twitter and others seem to allow this. I have a bunch of security keys here that I could use (and I always enroll at least 2 for backup), but not a mobile device. I found https://github.com/orgs/community/discussions/23490, but it's almost 5 years old, I'm wondering if anything changed here? I appreciate any help, as once this is required, I'd have to migrate projects elsewhere otherwise.
Replies: 17 comments 54 replies
-
Hi there! I understand that you're looking for alternative options for 2FA on GitHub, since you cannot use SMS or Authenticator 2FA. I'm happy to help you explore some possible solutions. It's true that GitHub currently does not offer WebAuthn as the main 2FA method, but it is available as a fallback option. However, you can still use your security keys for 2FA on GitHub. In fact, security keys are a recommended 2FA method by GitHub. To set up security key 2FA on GitHub, you can follow these steps:
Once you've set up security key 2FA, you can use your security keys to log in to GitHub without the need for a mobile device. I hope this helps you find a solution that works for you! Let me know if you have any further questions or if there's anything else I can assist you with.
-
You don't need a mobile device. The "authenticator app" can be anything that supports TOTP according to RFC 6238. There are various desktop applications that do, for example KeePassXC (that's what Mozilla recommended for people who can't or don't want to use a mobile device when they started to require 2FA for add-on devs), and libraries for various languages in case you want to make your own. When using a password manager that can store both your password and do TOTP, mind that having both in the same system reduces the security gain, though under most circumstances it's still better than only a password. Consider the security/convenience balance for yourself.
-
GitHub did say in a blog post that they were working on making it possible to use security keys as the primary second factor, so if I'm right, this option will be available soon.
Passkey support might also be interesting to you.
-
It's not a good thing and 2FA isn't even particularly good for security, nor privacy. Just force us to password reset every 45 days and if we login from a different IP address, make sure to confirm in the email. Better alternative: Let us handle our own security. So now I either have to buy a cell phone and pay for a monthly fee, or I have to install yet-more-software that I don't want on my computer. Fantastic. And for a website I don't have to use much. On the plus side, this would be a great point of concern to bring up getting away from github with my university. So, thanks for that if it works and I wish you well.
-
Yep. Seems really backwards. They would rather have you use SMS as a fallback rather than letting you use security keys through WebAuthn. Considering TOTP can be and was phished during highly public hacks of a certain security provider last year, I would think the priority is to let us use WebAuthn first, then enforce 2FA, and also get rid of the SMS option.
-
I also had an issue with GitHub's 2FA seeming to require a mobile device. On Linux there is an open-source application called Authenticator, which I found today and used successfully to generate TOTPs (time-based one-time passwords) for two-factor authentication. Note that in some aspects it may not be considered as secure as using another device, but at least it does not compromise your privacy. Authenticator: A Simple Open-Source App to Replace Authy on Linux
-
I am surprised no one is questioning the introduction of 2FA in general?
-
Wouldn't it be possible to, in the future, allow email 2FA as an option? Where if I try to log in, I receive an email containing a single-use code. No need for phones, apps or security keys.
-
Great job Microsoft! You DoS'd my account with your piss-poor planning. I don't have a personal cell phone. I hate those god damn things. And I hate driving around kids using those damn things. I have access to a landline, but you don't offer an option to use the house phone. Or I never got a call when I entered my house number. And you don't offer an option to provide access codes via email. GitLab does a much better job at this crap. GitLab workflows are orders of magnitude better than what Microsoft has done. In closing, great job assholes.
-
What a load of garbage. Neither can they determine the security status of, for example, a user's TOTP application and backup keys. I also tried contacting support and was given the same easily refutable responses. But they do not care and are unwilling to compromise or accommodate. I migrated my repos to GitLab and cancelled my copilot subscription. It was easy. So should you.
-
Does anyone know a tool for decoding the unreadable QR code into something human readable?
-
2FA without a phone is easy. I found Authenticators for Firefox and Chrome. How do I get both browsers authorized? Each time I authorize a browser with the recovery key, the other browser dies. Edit: Got it. For this extension you must export and import to the next browser so that all browsers are using the same key. Be sure to delete any extra copies of the same accounts so you don't get shown bogus response keys.
-
I would be happy to use 2FA (MFA) via WebAuthn, which all major browsers already support and is better than "manual" 2FA, but this option seems to be missing. I do not own any mobile devices and the assumption that either everyone does or that no one else deserves to be able to continue using GitHub seems wild to me.
-
I need e-mail based 2FA, nothing more. I'm against using an app for sure, against saving anything. You may send it via email or SMS, nothing more or less. Nothing else! We may stop using GitHub if email or SMS 2FA options, without saving anything, won't be available.
-
Hello, @Anpanator.