The linked-to article says there are other options, like physical security keys, but the GitHub page says:
> After you configure 2FA, using a time-based one-time password (TOTP) mobile app, or via text message, you can add a security key, like a fingerprint reader or Windows Hello.
This looks really cool. Im paranoid about losing my phone and having a hardware key as a necklace or bracelet could be a decent option.
What are other benefits of using something like this?
Is it possible to use this to store normal passwords and use them for logins?
As many others have stated, you can achieve the same thing with a desktop application. If you’re on a Mac, all you have to do is right click a QR verification image, select the appropriate setting from the menu and the built in keychain will automatically set the codes up for you and auto fill when you encounter them. I’m sure there are similar desktop solutions on other platforms.
Even if you couldn’t use a desktop solution, if you really cared that much about maintaining your access to a free product, you could purchase a second hand smartphone for very little money and use it solely for code generators. If you have privacy concerns you can keep it switched off and stored in a metal protein or cocktail shaker as a cheap faraday cage. Alternatively, you could host your own git server using gittea or similar or seek a commercial competitor product with more lax security requirements.
No one is entitled to give you something for free. Asking you to use 2FA in this day and age is not a big ask. So are you asking a genuine question or are you being a contrarian for the sake of it?
> If you’re on a Mac, all you have to do is right click a QR verification image
Thank you. I have no idea how the process works. I've never used TOTP, never seen people use it, and not seen documentation of how it works, much less works with GitHub.
> if you really cared that much about maintaining your access to a free product
The question was more if this would mean the end of my using GitHub. There is one FOSS project that I contribute to there. Otherwise I use paid Mercurial hosting on Sourcehut, which does not require TOTP. (At least not yet.)
> If you have privacy concerns
I don't think I have the self-control to use a mobile device in moderation. I do not want to be like the large number of people I see who go around with their phone in their face. I quit Facebook, and soft drinks, for similar reasons - some things I cannot self-moderate.
> So are you asking a genuine question or are you being a contrarian for the sake of it?
I think it's more that change, after decades of doing things a certain way seemingly without problems, upsets me, so I'm looking for hand-holding.
If the verification code doesn't autofill for whatever reason (doesn't with the aws console login for me) you can type 'cmd+,' to get the safari settings up, go to the passwords tab, and then find the website you're looking for and you'll be able to copy the verification code. Obviously this requires you to use safari, there's probably a similar solution for chrome or other browsers but I don't know.
How would I use it for GitHub? The documentation says "mobile device."
I've never used these these programs before, and don't understand how they go together. How do I configure the app to connect to GitHub? How does the app help me log in? Do you have a pointer to a step-by-step walk-through?
They give you a secret, in the form of a QR code (for smartphone users) or a text string.
You put the secret string in a password manager that supports one time code generation, like Gopass or KeepassXC.
When you login with your user name and password, the 2FA adds a second step where it asks for a "one time code", which your password manager provides. That code is temporary and only works for a short time frame.
at the end of my password entries and the app will treat that field as the source to generate one time codes. There's a browser addon and all I have to do is click the one time code and CTRL+V it into the field.
1) If something is a TOTP application, does that mean it works with every TOTP application? I know that not all web sites work in all browsers, and not all USB-C cables work for every situation (and most SOAP servers seemingly didn't interoperate at all). I don't know and that search won't tell me.
2) Does GitHub focus on mobile phones because that hardware provides a unique id or some other feature that isn't available from other platforms? I don't know, and that search won't tell me.
4) I start going through the list and see monthly fees, freemium model, one time payment license, and required hardware purchases. While others here pointed out a number of free solutions with licenses I'm already familiar with.
Ahh, so your earlier suggestion was offered in the sarcastic RTFM sense? If so, the sarcasm went over my head. I meant my response to be taken as serious user feedback to what I thought was a serious response.
Back in the mid-1990s, I made a comment somewhat along those lines. I was correctly chided for the having the mistaken understanding that just because someone knows many nerdy fields, that doesn't mean they know all nerdy topics. I have tried to bear that in mind since.
30 comments
[ 3.3 ms ] story [ 76.7 ms ] threadI went to the page on "configuring 2FA for your account" at https://docs.github.com/en/authentication/securing-your-acco... and it was ... not that helpful. All of the options seemed to depend primarily on mobile phones or text messages.
I guess I need to use text messages?
The linked-to article says there are other options, like physical security keys, but the GitHub page says:
> After you configure 2FA, using a time-based one-time password (TOTP) mobile app, or via text message, you can add a security key, like a fingerprint reader or Windows Hello.
and at https://docs.github.com/en/authentication/securing-your-acco...
> For GitHub, the second form of authentication is a code that's generated by an application on your mobile device or sent as a text message (SMS).
Edit: Info here https://www.yubico.com/works-with-yubikey/catalog/github/
Without a smart phone, how do I do that?
Even if you couldn’t use a desktop solution, if you really cared that much about maintaining your access to a free product, you could purchase a second hand smartphone for very little money and use it solely for code generators. If you have privacy concerns you can keep it switched off and stored in a metal protein or cocktail shaker as a cheap faraday cage. Alternatively, you could host your own git server using gittea or similar or seek a commercial competitor product with more lax security requirements.
No one is entitled to give you something for free. Asking you to use 2FA in this day and age is not a big ask. So are you asking a genuine question or are you being a contrarian for the sake of it?
Thank you. I have no idea how the process works. I've never used TOTP, never seen people use it, and not seen documentation of how it works, much less works with GitHub.
> if you really cared that much about maintaining your access to a free product
The question was more if this would mean the end of my using GitHub. There is one FOSS project that I contribute to there. Otherwise I use paid Mercurial hosting on Sourcehut, which does not require TOTP. (At least not yet.)
> If you have privacy concerns
I don't think I have the self-control to use a mobile device in moderation. I do not want to be like the large number of people I see who go around with their phone in their face. I quit Facebook, and soft drinks, for similar reasons - some things I cannot self-moderate.
> So are you asking a genuine question or are you being a contrarian for the sake of it?
I think it's more that change, after decades of doing things a certain way seemingly without problems, upsets me, so I'm looking for hand-holding.
https://www.macworld.com/article/626700/verification-codes-a...
If the verification code doesn't autofill for whatever reason (doesn't with the aws console login for me) you can type 'cmd+,' to get the safari settings up, go to the passwords tab, and then find the website you're looking for and you'll be able to copy the verification code. Obviously this requires you to use safari, there's probably a similar solution for chrome or other browsers but I don't know.
Thanks for the pointer!
I've never used these these programs before, and don't understand how they go together. How do I configure the app to connect to GitHub? How does the app help me log in? Do you have a pointer to a step-by-step walk-through?
You put the secret string in a password manager that supports one time code generation, like Gopass or KeepassXC.
When you login with your user name and password, the 2FA adds a second step where it asks for a "one time code", which your password manager provides. That code is temporary and only works for a short time frame.
In my case I use Gopass ( https://github.com/gopasspw/gopass ) and it's as simple as adding a field like
---
totp: thesecretstringblahblah
at the end of my password entries and the app will treat that field as the source to generate one time codes. There's a browser addon and all I have to do is click the one time code and CTRL+V it into the field.
I also (in looking through other threads) found https://github.com/gopasspw/gopass and by reading the code learned how TOTP works.
- Desktop applications
- Web browsers
- Raspberry Pi / Uncommon Linux installations
The actual source code to generate TOTP tokens is some thousands lines of Python - not that much.
2) Does GitHub focus on mobile phones because that hardware provides a unique id or some other feature that isn't available from other platforms? I don't know, and that search won't tell me.
3) I did that search just now, and the top links from Google were almost all for mobile (or paid ads). The main exception was https://en.wikipedia.org/wiki/Comparison_of_OTP_applications .
4) I start going through the list and see monthly fees, freemium model, one time payment license, and required hardware purchases. While others here pointed out a number of free solutions with licenses I'm already familiar with.
The Paradox of Choice is not my friend.
If you are in doubt I suggest user forums like SuperUser.com and Reddit.
Back in the mid-1990s, I made a comment somewhat along those lines. I was correctly chided for the having the mistaken understanding that just because someone knows many nerdy fields, that doesn't mean they know all nerdy topics. I have tried to bear that in mind since.
https://news.ycombinator.com/item?id=35083499
https://news.ycombinator.com/item?id=35083537
https://news.ycombinator.com/item?id=35084166