2FA without mobile device

[Anpanator]

Select Topic Area

Question

Body

I understand GitHub wants to require 2FA soon and in principle I think this is a good thing.

However, for various reasons, I cannot use SMS or Authenticator 2FA. I understand WebAuthn is available, but only as a fallback.

Is it possible to use WebAuthn as the main 2FA method? If not, why? Services like Twitter and others seem to allow this.

I have a bunch of security keys here that I could use (and I always enroll at least 2 for backup), but not a mobile device.

I found https://github.com/orgs/community/discussions/23490, but it's almost 5 years old, I'm wondering if anything changed here?

I appreciate any help, as once this is required, I'd have to migrate projects elsewhere otherwise.

[MrShadowDev]

Hi there! I understand that you're looking for alternative options for 2FA on GitHub, since you cannot use SMS or Authenticator 2FA. I'm happy to help you explore some possible solutions.

It's true that GitHub currently does not offer WebAuthn as the main 2FA method, but it is available as a fallback option. However, you can still use your security keys for 2FA on GitHub. In fact, security keys are a recommended 2FA method by GitHub.

To set up security key 2FA on GitHub, you can follow these steps:

1. Go to your GitHub account settings and click on "Security."
2. Under "Two-factor authentication," click "Set up two-factor authentication."
3. Follow the prompts to choose "Security key" as your 2FA method.
4. Insert your security key and follow the prompts to complete the setup.

Once you've set up security key 2FA, you can use your security keys to log in to GitHub without the need for a mobile device.

I hope this helps you find a solution that works for you! Let me know if you have any further questions or if there's anything else I can assist you with.

[MrShadowDev]

Hey, I've got a suggestion for you! If you're having trouble with 2FA options like SMS and WebAuthn, you might want to try using the Authenticator Chrome Extension. I use it myself and find it to be really reliable. Give it a try and see if it works well for you too!

[Anpanator]

I'll note that down as a possible workaround, however it's not a great solution, as it relies on some arbitrary software. The benefit of WebAuthn is that it is supported natively by all major browsers (and if that is compromised, you are doomed in any case).

Thank you for the hint though, I appreciate that.

[MrShadowDev]

Thank you for considering the suggestion. I understand your concerns about relying on third-party software for authentication, and it's great to hear that you value the native support of WebAuthn in major browsers. I hope you find a solution that works well for you and meets your security needs.

[gms2009]

I think github should put out a step by step instruction for firefox on linux to enable 2FA, too difficult to find a way to do it.

[GarthWilson]

In the page Anpanator screenshotted above, I put the verify code in and click "Continue," and nothing happens.  Nothing at all.  It does seem like they insist on requiring a smartphone or mobile device which I do not, and will not, use.  For programming stuff, it's idiotic to even think about doing it on a smartphone.  If github doesn't provide an easy solution, I'll just dump it. I'm only on one thing where I can make edits anyway, and it's not my own repo, and I hate the way github works, so it'll just be an excuse to get completely out, even though it will disappoint the person who owns the repo who wanted my input.

[bbkx226]

[Anpanator]

It really doesn't allow you to do that, at least not without first using SMS or Authenticator, see these screenshots.

[metux]

Note that quite recently they added showing the raw code instead of just the QR code image.
(maybe my own naggling has some share on it)
This makes it a lot easier.

[airtower-luna]

I have a bunch of security keys here that I could use (and I always enroll at least 2 for backup), but not a mobile device.

You don't need a mobile device. The "authenticator app" can be anything that supports TOTP according to RFC 6238. There are various desktop applications that do, for example KeePassXC (that's what Mozilla recommended for people who can't or don't want to use a mobile device when they started to require 2FA for add-on devs), and libraries for various languages in case you want to make your own.

When using a password manager that can store both your password and do TOTP, mind that having both in the same system reduces the security gain, though under most circumstances it's still better than only a password. Consider the security/convenience balance for yourself.

[Anpanator]

That might have to be the workaround (as you said, being on the same system isn't what I'd consider proper 2FA either). It seems like a silly restriction to put into place, especially when WebAuthn is actually supported.

Do you know if it's possible to completely remove TOTP as an 2FA method after the security keys are enrolled?

[airtower-luna]

I don't know, but I'd be surprised if they'd require it only initially. 😅

[mezorian]

Thanks so much. You saved my live.. I don't have a smart phone and searched for a nice way around ugly SMS.

[SkybuckFlying]

TOTP is completely retarded, reason:

Algorithm uses unix time.

Unix time will break in 2036.

[DNin01]

GitHub did say in a blog post that they were working on making it possible to use security keys as the primary second factor, so if I'm right, this option will be available soon.

In the future, you'll also find security keys there as an option for initial setup on supported devices and browsers.

Passkey support might also be interesting to you.

Lastly, we’re already testing passkeys internally, which we believe will combine ease of use with strong, phishing-resistant authentication. Keep an eye on this space for when this functionality is ready for you.

[Anpanator]

I wasn't aware of that blog post. Who knows when "in the future" is, but this answers my question. Thank you.

[MightyBOBcnc]

It has been 267 days since that blog post and there is zero indication that security keys will be allowed as a primary/sole 2FA method.

[Anpanator]

Yep, and it's doubly silly because I received the Email that 2FA will be enforced soon and in there it says I can choose one of 4 methods, including security keys, which is clearly not the case.

[Manuel-K]

I did get an email (that looked very much like a phishing attempt – so well done) and a banner on the top of the page, so I expect that I'll be locked out soon.

[metaphysicsIO]

I understand GitHub wants to require 2FA soon and in principle I think this is a good thing.

It's not a good thing and 2FA isn't even particularly good for security, nor privacy.

Just force us to password reset every 45 days and if we login from a different IP address, make sure confirm in the email. Better alternative: Let us handle our own security.

So now I either have to buy a cell phone and pay for a monthly fee, or I have to install yet-more-software that I don't want on my computer. Fantastic. And for a website I don't have to use much. On the plus side, this would be a great point of concern to bring up getting away from github with my university. So, thanks for that if it works and I wish you well.

[noembryo]

So, there is no way to access GitHub anymore from various devices without give Micro$oft your phone number.
Even using the extensions does not work since you may be on a device without them.
Great move! Thank you for the new problems that I never thought I could have...

[supervisitor]

You have now spoken the true reason: they want your mobile number! Like all those who think they have to offer security, even if you don't want it yourself.

It's ok to offer such features, so that those who think they need them can activate those. But making them mandatory has marketing reasons in every company: the email spam filters are too good, now they want to annoy you on Whatsapp, Telegram and Signal.

If there will be no possibility with brain, eMail, password to log in... then I am gone here (I know, I'm not important for them!). I am already annoyed when I have to search for the verification code in the email after entering the password. This is not the first portal and will probably not be the last.

[noloader]

GitLab. It will send access codes to an email address.

[metux]

Exactly. I'm currently looking for an alternative git hosting service that doesnt torture its users in such ridiculous ways, so i can move away all my repos and delete my account, forever.

[SenadUsername]

so are there any alternatives? Gitlab requres a phone number while registering, which means at some point there you also risk to loose access to your gitlab if you don't have access to your phone. I havent used bitbucket in a while, I dont know at what stage of data collection they are currently.

[yangsfang]

Yep. Seems really backwards. They would rather have you use SMS as a fallback rather than letting you use security keys through WebAuthn. Considering TOTP can be and was phished during highly public hacks of a certain security provider last year, I would think the priority is to let us use WebAuthn first, then enforce 2FA, and also get rid of the SMS option.

[eliot-akira]

I also had an issue with GitHub's 2FA seeming to require a mobile device.

On Linux there is an open-source application called Authenticator, which I found today and used successfully to generate TOTPs (time-based one-time passwords) for two-factor authentication. Note that in some aspects it may not be considered as secure as using another device, but at least it does not compromise your privacy.

Authenticator: A Simple Open-Source App to Replace Authy on Linux

https://flathub.org/apps/com.belmoussaoui.Authenticator

[realDragon11]

You're a lifesaver! I knew when this was announced I'd have to add a random 3rd party service vulnerability to my account, but I was expecting the official ones they linked to actually work on my machine.
Now I'm using some random internet person's code that I got linked in a complaint post to secure my account instead of a password I keep safe and never type in manually!

Isn't forcing security (or rather, extra hoops that add nothing because my phone is the most easily stolen thing I have and I regularly lose access to devices due to hardware issues) on users great?

EDIT was not expecting github to mandate I download a file with the recovery codes in plaintext with a very obvious name
wonder how many PCs have the 2fa recovery just laying in plaintext in their downloads folder now? probably about half of github users I'm betting

[GarthWilson]

eliot-akira, I just installed Authenticator to try.  It won't launch.

[zuzia-dev]

The latest version works well, installation by Flatpak.

[supervisitor]

I am surprised, no one is questioning the introduction of 2FA in general?
We are in a discussion about the introduction of a mechanism for everyone, which actually only a small percentage, if any, requires.
Wouldn't it make more sense to discuss the rejection of the introduction of 2FA instead of accepting the introduction and burning hours to implement it in a way that is acceptable to everyone? Remember, only a few really need it, implementation for everyone else is a waste of time. 😎

[noloader]

GitLab. It will send access codes to an email address.

[metux]

Exactly. We dont need that cruft at all. Supply chain attacks are trivial to defeat by pure git mechs: signed tags.
Git was designed to be secure against untrusted or compromised hosts

[SenadUsername]

Gitlab request your phone number (or credit card info) during registration. I guess it is slightly better since you need a functioning phone only during the initial registration.

[KuroodoD]

I wasn't asked to input a phone number nor a credit card number when I made my GitLab account around 2 months ago, that's strange

[SenadUsername]

Maybe you have logged in with your google, github, bitbucket or salesforce account? If you choose to create a new "standalone" account, then on the second step you are asked for phone or credit card info. I went to the process a couple minutes ago.

[Kitteh6660]

Wouldn't it be possible to, in the future, allow email 2FA as an option? Where if I try to log in, I receive the email containing single-use code. No need for phones, apps or security keys.

[supervisitor]

That's actually the security standard today.
I open a ticket (personal/0/#2312660) to get direct answer from GitHub support (all should do this! they have to get feedback how many don't need this 2FA bs) about a login process without mobile phone. They/GitHub/MS have concerns about mail accounts and wrote: "We cannot securely determine the security status of, for example, a user's email account, and so having 2FA required...". 😉

[noloader]

GitLab. It will send access codes to an email address.

[SenadUsername]

"Wouldn't it be possible to, in the future, allow email 2FA as an option? Where if I try to log in, I receive the email containing single-use code. No need for phones, apps or security keys."

2FA could have easily been optional, but it is not. You could also have a perfectly secure account without 2FA but this is also not an provided option.

If you need a simple git provider, it would be best to migrate somewhere else until things get sorted. As a user that uses github for simple projects and testing I dont want the hassle of setting 2FA up for it and having to have a charged phone constantly on me, and having to set up log in alternatives for 2FA like one-time codes which i have to keep somewhere "safe" on my device since they are not easy to memorize. Btw dont keep your 2FA app and one-time recovery codes on one device. It is best to carry at least two phones with you. One has to be the 2FA phone and the other has to be the phone that contains the one-time recovery codes.

[noloader]

Great job Microsoft! You DoS'd my account with your piss-poor planning.

I don't have a personal cell phone. I hate those god damn things. And I hate driving around kids using those damn things.

I have access to a landline, but you don't offer an option to use the house phone. Or I never got a call when I entered my house number. And you don't offer an option to provide access codes via email.

GitLab does a much better job at this crap. GitLab workflows are orders of magnitude better than what Microsoft has done.

In closing, great job assholes.

[metux]

We should move away. Just havent found a free alternative hoster yet

[kuroodo]

"We cannot securely determine the security status of, for example, a user's email account, and so having 2FA required...".

What a load of garbage. Neither can they determine the security status of, for example, a user's TOTP application and backup keys.

I also tried contacting support and was given the same easily refutable responses. But they do not care and are unwilling to compromise or accommodate.

I migrated my repos to GitLab and cancelled my copilot subscription. It was easy. So should you

[metux]

Does anyone know a tool for decoding the unreadable qr code into something human readable ?

[diomed]

any QR scanner can do that.

[severach]

2fa without a phone is easy. I found Authenticators for Firefox and Chrome. How do I get both browsers authorized? Each time I authorize a browser with the recovery key, the other browser dies.

Edit: Got it. For this extension must export and import to next browser so that all browsers are using the same key. Be sure to delete any extra copies of the same accounts so you don't get shown bogus response keys.

[noembryo]

2fa without a phone makes it really difficult to sign in using a customer's/client's machine.
Too much complication without a real reason..

[metux]

After intensive research, found a solution:

• zbarimg (from zbar-tools package) for decoding the QR code image into string (URL in totp scheme)
• oathtool for generating the tokens
• few lines of python for putting it all together (call zbarimg to decode, extract url params and call up oathtool)

notes:

• you'll explicitly have to enable TOTP mode in oathtool (--toptp)
• keys are in base32 (oathtool flag -b)

But:

github uses a WEAK key !

[metux]

Here's the python script that puts all together - from decoding QR code to generating the current token:

https://gist.github.com/metux/ce43da58d9759019a0fbf4d25ccb1b00

[GarthWilson]

I installed Authenticator to give it a try.  It won't launch.  Doesn't run.  More and more, it's looking like when the deadline arrives in five days (I think it's 1/25/24), I'll be off of github.

[bathos]

I would be happy to use 2FA (MFA) via WebAuthn, which all major browsers already support and is better than “manual” 2FA, but this option seems to be missing. I do not own any mobile devices and the assumption that either everyone does or that no one else deserves to be able to continue using GitHub seems wild to me.

[Cheatoid]

Micro$oft Microsoft logic. However, Authenticator.cc browser/Chrome extension seems to be working.

[arnvidhr]

I need e-mail based 2FA, nothing more. I'm against to use app for sure, against to save anything. You may send it via email or SMS, nothing more or less. Nothing else! We may stop to use github, if email or SMS 2FA options, without saving anything won't be available.

1. I won't install any apps on mobile devices, which possible to loose and to loose in this WAY access to the account.
2. I won't save any codes, to any storage, which can be lost the same as the access to the account, in such way. NO WAY!
3. Give me an E-MAIL 2FA or remove this your mandatory!

[kingp08]

Hello, @Anpanator.
Please try with "Authenticator" App. It works with me.

[Radon8472]

but this requires ONE mobile device.
When you are in a company, where multiple people need to have access to an account, that won`t work, because only one employe would receive the codes, and all others could not access the account