Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don’t love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don’t want to give them my phone number just to log in.
Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)…
What’s wrong with using a Foss TOTP app?
Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn’t need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.
ITT: People who think they know better than security researchers
You can try aegis if you’re on Android, open source, local, great
It’s fine. The added security is huge
The problem is when they want you to install their TOTP app in order to authenticate (I’m looking at you, steam… fuck off)
You can use it with a regular TOTP app, just like with Steam (but it requires some additional setup: https://help.ente.io/auth/migration-guides/steam/)
I think I’d still prefer to use a 3rd-Party TOTP app but at least Steam’s app adds some value by pushing a notification when you login.
You can use Steam with a regular third-party TOTP authenticator, here’s a guide on how to set it up: https://help.ente.io/auth/migration-guides/steam/
Steam is okay in my book because steam was the OG 2FA provider. They forced 2FA on everyone, all the way back in 2007, they took security seriously before anyone else really cared. So, they’re grandfathered in.
I hate that. I think it’s lazy af.
You can use Steam with a regular third-party TOTP authenticator, here’s a guide on how to set it up: https://help.ente.io/auth/migration-guides/steam/
How’s that? I’ve had TOTP in my github account for over a year, on Aegis, and I have not seen them asking me to do anything else.
GitHub is not an offender right now, but I can easily imagine Microsoft forcing some MS OTP app in the future
Agreed. It would surprise nobody.
If you’re rooted, Aegis can import the seed from the Steam app then you don’t need it anymore.
You don’t even need root. https://help.ente.io/auth/migration-guides/steam/
Oh, that’s awesome!
But I don’t have root
You don’t need root. https://help.ente.io/auth/migration-guides/steam/
Thank you!!
You may be able to use an older version of the app that allowed ADB backups, and extract the seed from that.
Another approach is to extract it from the Steam desktop app.
No idea what companies think they’re accomplishing by using non-standard TOTP apps (that actually do TOTP under the hood). Microsoft do it so they can track your location and report it to managers when you login because it’s something that management asks for. Some companies do it so they can lock you into their services. No idea why Steam does it.
There’s an easier way: https://help.ente.io/auth/migration-guides/steam/
Thanks, I didn’t know about
steamguard-cli. And I was able to import the code into Aegis too (just had to set the type to “Steam” so it would generate 5-letter codes instead of normal TOTP)…
I use keepassxc to generate the code.
Agreed, me to! And I use syncthing to sync my database between my devices Edit: mine is called KeePassDX but its the same database file
If you’re not already using 2fa everywhere you can, you’re already doing it wrong.
2FA is annoying and not necessary for most things.
Yeah I just want to type my name to be able to withdraw money from my bank account. No pesky pins or passwords or any form of authentication /s
Even in my bank’s ATM there’s only one password, not 2FA. 2FA is 2 factor auth, there’s no 2FA in the ATMs.
It doesn’t mean the initial password isn’t a layer of authentication, but strictly speaking where I live all ATMs do not employ 2FA.
The two factors at an ATM are possession of your bank card + knowledge of your pin. (it also takes your photo, for good measure)
GitHub will happily accept a smart card or whatever, if an extra plastic rectangle jives with you more than an OTP generator.
Card is your username duh. Some people are beyond saving.
“Something you have” is absolutely not equivalent to “something you know”
You are completely unable to enter this conversation, but you think you’re the smartest one in the room.
I bet you’re insufferable.
The card number is your username, a physical card is a separate factor.
2FA is for people who don’t know how to use randomized passwords for every site
Brilliant. Until that website’s unsalted pw database is downloaded through a SQL injection.
Use both. You’re not smarter than security professionals.
- Salt doesn’t matter if your password is unique.
- If they can download data via SQL injection having them log in probably doesn’t matter that much.
- If they can dump your password/hash they can likely also dump the TOTP secret.
- A lot of website security expert attention is focused on raising the minimum security level. If you are using randomly generated passwords + auto-fill you are likely above their main target audience.
So yes, it is slightly better, but in practice that difference probably doesn’t matter. If you use U2F then you may have a meaningful security increase but IMHO U2F is not practical to use on every site due to basically being impossible to manage credentials.
So yes, it is better. But for me using random passwords and a password manager it isn’t worth the bother.
Called it
It doesn’t matter how random or secure your password is, it can still be compromised.
2FA increases security and costs nothing in return.
Yubikey, but thats just a personal preference. A password manager works just as well.
The problem with Yubikey is that it doesn’t have a good enough management story for broad use. I do use it for a few core sites (like GitHub) but if I lose a key I need to get a replacement and register that replacement with every site I have set up U2F 2FA on. This is ok with a few core accounts but doesn’t scale to the hundreds of sites that I have an account with. I am sure to miss a few and then either I can’t log in with the new key or get completely locked out when I lose that key and get a second replacement.
I already use
pass(“the unix password manager”) and there’s a pretty decent extension that lets it handle 2fa: https://github.com/tadfisher/pass-otpWorth noting that this somewhat defeats the purpose of 2fa if you put your GitHub password in the same store as the one used for otp. Nevertheless, this let’s me sign on to 2fa services from the command line without purchasing a USB dongle or needing a smartphone on-hand.
Your two factors shift to possession of your password vault + knowledge of the password to it. You’re okay IMO.
You also still get the anti-replay benefits of the OTPs, though that might be a bit moot with TLS everywhere.
Aegis
Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.
But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.
Did you forget the ./s or something? Lemmy itself is developed on GitHub, as are plenty of other “valuable” open source projects. To pretend nothing of value is built there is putting your head in the sand.
If you’re developing software on GitHub you have a chance at getting some useful feedback, bug reports and maybe even PRs. Like it or not, the network effect is real.
SFC recommends to not use them, so that’s what I will keep (not) doing.
SMS is the least secure form of 2FA, and sim swaps are a very real thing. Whatever you’re issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.
And this isn’t just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing, your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2fa or email 2fa I wouldn’t trust.
SMS 2FA is still better than no 2FA.
Not if the org uses SMS auth as a recover method for your “lost” password
Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.
I generally don’t let my team enter phone numbers into their account data.
It’s fine. I moved to gitlab years ago for 2fa, so while this doesn’t affect me I would be entirely ok with normal 2fa.
It is normal, right? Not a weird Microsoft 2fa requiring their app?
Yes, normal TOTP
I just use Bitwarden’s 2FA functionality.
This is premium functionality, for those who don’t know.
They have a free application too:
https://play.google.com/store/apps/details?id=com.bitwarden.authenticator
This app is actually free (as in freedom) and not merely gratis.
And I heard that if you self host you can use the premium features for free
I believe thats only true for the unofficial version (Vaultwarden - API compatible to any Bitwarden app)
