Skip to main content
Topic: GitHub 2FA - how best to deal with this? (Read 1073 times) previous topic - next topic
0 Members and 2 Guests are viewing this topic.

GitHub 2FA - how best to deal with this?

Has anyone got any thoughts or recommendations for this, or things to avoid? The sms method doesn't appeal to me, why should I need to give out my phone number to random websites, for bank accounts and so forth it's more understandable. There is some other way using a strangely named Top Of The Pops app instead which GitHub seem to prefer: "We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA" and apparently there are open source versions of those.

Re: GitHub 2FA - how best to deal with this?

Reply #1
First thought was "Really!".

Passed me by. From what little I've just read it seems like passkeys might be the simplest of all the complications.
But
Quote
We found that Linux and Firefox users struggled to use passkeys, as those platforms don’t yet have strong support for passkeys.
https://github.blog/2023-09-21-passkeys-are-generally-available/

I despise 2FA. SMS is not secure anyway and like you I don't want to hand out my phone number . Authenticator apps tend not to work on my phone as it's got a custom rom and even If I flashed a stock rom back onto it they probably still wouldn't work as the most recent is Android 6 (Yes my phone is ancient)

If they force this on me (haven't yet but sounds like it's coming) I'll move my stuff elsewhere.

Thanks for the heads up.

Re: GitHub 2FA - how best to deal with this?

Reply #2
Quote from: gripped – on
the most recent is Android 6 (Yes my phone is ancient)

Aegis works on Android 5+. It's open source and is available on Google Play and F-droid.

Quote from: ####### – on
Has anyone got any thoughts or recommendations for this, or things to avoid?

I use both Aegis and Keepass XC for TOTP. Keepass works great for me on desktop and Aegis works well everywhere else. For some accounts I also have a Yubikey registered, but to be honest TOTP is usually more convenient so I almost always opt to use that instead.

SMS 2FA is shit and I avoid it at all costs. Not only does it require transmitting a secret in the clear, but it's vulnerable to sim swapping attacks. SMS is often used as a back-up when TOTP is enabled, which is as useless as not having TOTP.

Re: GitHub 2FA - how best to deal with this?

Reply #3
Quote from: corysanin – on
I use both Aegis and Keepass XC for TOTP
Again cheers for the heads up. On both counts.
I really need to get up to speed on this stuff. I've used KeepassXC for years as a password manager but had no idea it had TOTP (Will always be "Top of the Pops" to anyone from the UK) functionally. I'll check it out.

My preference is just normal passwords though. Complex and unique to every site. Does the job for me.
I suspect 2FA is forced on us (or will be) due to the shear number of people who reuse passwords.

Re: GitHub 2FA - how best to deal with this?

Reply #4

 TOTP is very good and reliable. I use Aegis also and works flawlessly. The only thing you have to be aware is that the time on the device where you have the authenticator app (eg. on your phone) has to be in perfect sync with time of the server/website you wanna login. If those two times have bigger difference than 20-30 seconds you'll get codes either not yet valid or already expired codes depending if you have 20-30 sec in minus or in excess relative to the website's server you need to login.

 I've used curl to see server time when I had some problems..
 
Code: [Select]
$ curl -I https://artixlinux.org






Re: GitHub 2FA - how best to deal with this?

Reply #5
Another alternative if you want to use your PC is otpclient (GTK, should be available in AUR) or Keysmith (Qt, available in world).
now only the dinit guy in artix

Re: GitHub 2FA - how best to deal with this?

Reply #6
I have not faced with this since I already enabled TOTP to get ride of occasional email auth. EDIT: just saw it going to github. sigh!!!

I use pass-otp to extend the functionality of pass.
use zbarimg to read the Qr code for otpauth.
use passmenu-otp to get the passkey.

I have no take on this matter, It's what it is. sigh!!!

Re: GitHub 2FA - how best to deal with this?

Reply #7
Quote from: gripped – on

If they force this on me (haven't yet but sounds like it's coming) I'll move my stuff elsewhere.



Their stupid nuisance emails say, it depends how old the account is and if you contribute code.
All this nosy data collection to "ensure quality and standards" or so.

I feel like an alien without such device among zombies staring on their silly tracking and locator device.

Re: GitHub 2FA - how best to deal with this?

Reply #8
Quote from: artoo – on
I feel like an alien without such device among zombies staring on their silly tracking and locator device.
I try my best with a degoogled linageos + microg android.
Would struggle to completely give up my smartphone entirely.

You are right about zombies though. Almost every situation where once people would have maybe talked to a stranger is now just rows of zombies staring at the device.

Re: GitHub 2FA - how best to deal with this?

Reply #9
Quote from: Surf3r – on
If those two times have bigger difference than 20-30 seconds you'll get codes either not yet valid or already expired codes depending if you have 20-30 sec in minus or in excess relative to the website's server you need to login.

Most decent TOTP authentication libraries accept the next and previous one-time passwords by default. Unless your device's time is off by multiple minutes you'll probably be fine.

Quote from: LemonPie – on
use zbarimg to read the Qr code for otpauth.

If you see an option to get the token directly from the site, you can skip this step  ;D

Quote from: artoo – on
I feel like an alien without such device among zombies staring on their silly tracking and locator device.

What do you think about Yubikey or other hardware tokens?

Re: GitHub 2FA - how best to deal with this?

Reply #10
Quote
Most decent TOTP authentication libraries accept the next and previous one-time passwords by default. Unless your device's time is off by multiple minutes you'll probably be fine.

Well X-bird and github for sure aren't part of that select club you're mentioning. 😸 The goal is to be perfectly in sync so it makes it harder to be sent via sms or im.

About Yubikey I don't think it's better than the strong pwd method. Everything that can be stored in mind/or in a pwd manager is safer. What if yubikey is lost or damaged? You have to recover it with some biometric mean.

Re: GitHub 2FA - how best to deal with this?

Reply #11
next up, id.me will decide your social credit score and determine your worthiness or lack there of to sign into any site
Cat Herders of Linux

Re: GitHub 2FA - how best to deal with this?

Reply #12
It seems for TOTP they give you a secret key and then you run it through some software to create an encrypted hash of the secret key combined with the current time, and then you give them the hash, presumably so you don't expose the actual key to potential interceptions online.
 With this, plus the regular password, and the authentication token needed to push code to a repo, GitHub now effectively requires 3 passwords instead of one. Using either TOTP or SMS is (or will be) mandatory for GitHub, because the other methods mentioned (which appears to include things like yubikey) all say at the start of the procedure "You must have already configured 2FA via a TOTP mobile app or via SMS."
https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication

Re: GitHub 2FA - how best to deal with this?

Reply #13

 You need only the pwd for the auth app but you can choose that one to be unlocked, then fill in the pwd for gihub, and then github will wait for your 6 digit code that you'll get from the auth app. That's all..

Re: GitHub 2FA - how best to deal with this?

Reply #14
Quote from: Surf3r – on
Quote
Most decent TOTP authentication libraries accept the next and previous one-time passwords by default. Unless your device's time is off by multiple minutes you'll probably be fine.

Well X-bird and github for sure aren't part of that select club you're mentioning. 😸 The goal is to be perfectly in sync so it makes it harder to be sent via sms or im.

I just used a one-time password from 90 seconds ago and Github let me in.

Quote from: Surf3r – on
About Yubikey I don't think it's better than the strong pwd method. Everything that can be stored in mind/or in a pwd manager is safer. What if yubikey is lost or damaged? You have to recover it with some biometric mean.

The advantage of Yubikey is that it's more difficult (perhaps impossible?) to phish. If losing one is a concern, I think the "best practice" (albeit the least practical) would be to own multiple keys and store them in secure locations. And to be clear, I'm not recommending that.