Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don’t love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don’t want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)…

  • FlumPHP@programming.dev
    5 months ago

    2FAS is open source and doesn’t have a cloud presence to store data. You can use it to add 2FA to your other services as well.

  • Scrubbles@poptalk.scrubbles.tech
    5 months ago

    SMS is the least secure form of 2FA, and sim swaps are a very real thing. Whatever your issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.

    And this isn’t just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing, your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2fa or email 2fa I wouldn’t trust.

    • peregus@lemmy.world
      5 months ago

      Totally agree! 2FA on all the accounts that support it avoiding SMS. And different passwords (complex, auto generated by a password manager) for each single account. I may be paranoid, but I also use a different email alias for every single account! 😆

      • nrbray@lemmy.ml
        5 months ago

        same, a simple habit that is secure, I use it always with maximum privacy. One day you will be in a rush, under stress, affected by age, and use your old habits with a valuable asset…

      • delirious_owl@discuss.online
        5 months ago

        Not if the org uses SMS auth as a recovery method for your “lost” password

        Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.

        I generally don’t let my team enter phone numbers into their account data.

        • lemmyvore@feddit.nl
          5 months ago

          Well we could be using passkeys right now if Big Tech weren’t trying to tie them to their own platforms! 🤷

        • refalo@programming.dev
          5 months ago

          Unfortunately many banks still require it and have no other methods available. I tried to reason with my bank about it but they just do not care.

  • thingsiplay@beehaw.org
    5 months ago

    I have a dedicated phone with a dedicated number which stays at home all the time. Call it (see what I did there) the Authenticator phone, whose only job is to authenticate me when needed. Not only for Github, but other services too. Minimizing the risk of losing or breaking the device. And companies don’t get all my private stuff.

    • chevy9294@monero.town
      5 months ago

      That’s exactly what I’m planning to do, a phone that forwards all sms messages through ntfy (or other service like signal) to me.

        • rcbrk@lemmy.ml
          5 months ago

          Swapping the sim associated with your phone number – from your sim to their sim.

          • thingsiplay@beehaw.org
            5 months ago

            But how? It’s at my home and without physical access to it, it’s impossible to swap the sim card. It’s always at my home. Nobody can transmit my phone number to their sim card without my knowledge and permission.

            • rcbrk@lemmy.ml
              5 months ago

              As in “Hi PhoneCompany, I’d like a mobile plan with you. Yes, I’d like to bring my old phone number over to the new account.”

              Or “Hi PhoneCompanySupport, I’m @thingsiplay and i lost my sim, plz send me a new one. BTW my new address is …”

              Ideally it shouldn’t happen, but phone company security is pretty slack sometimes,

              • thingsiplay@beehaw.org
                5 months ago

                That’s a bit far fetched from reality, just to build an anti argument. I don’t know where you live, but in Germany this cannot happen. You can’t just order a sim to any address and use the phone number you wish. You have to provide with 100% certainty that you are the owner of the sim card, as every new registered card/number has to provide your government id and your personal signature. Also taking an old phone number to a new account can only happen if you provide proof you owned it in the first place.

                If you know any case (here in Germany) someone could steal the phone number like you just described, please provide a link. This would be a huge security issue that should not be possible to happen. Nobody in the world can do that to my phone number and I think you just fabricate something that is not possible in Germany.

                • rcbrk@lemmy.ml
                  5 months ago

                  Ah, that’s good then.

                  In Australia you really only need a name and date of birth and ID such as a passport or driving license number of the owner. No physical or even photographic proof. Some phone companies send the original sim a notification before moving it, but no response is required and moving the number often only takes 10~30mins.

                  Banks in Australia commonly use sms codes as 2fa.

                  A large percentage (20~30%?) of adult Australians have had their ID details leaked in recent years because there are no adequately enforced security requirements or data-retention limits. One of the largest breaches was the second largest mobile phone provider…

  • cmnybo@discuss.tchncs.de
    5 months ago

    I just use my password manager to generate the TOTP. There’s no way I’m going to install an app just to use a website.

    • Tibi@discuss.tchncs.de
      5 months ago

      Agreed, me too! And I use syncthing to sync my database between my devices. Edit: mine is called KeePassDX but it’s the same database file

  • WormFood@lemmy.world
    5 months ago

    last time I signed into my Microsoft 365 account for work I got two separate 2fa prompts and two captchas, it was like being in an episode of the crystal maze. the mere act of signing into something is now tedious and difficult

  • meseek #2982@lemmy.ca
    5 months ago

    iCloud Keychain. Has the ability to store 2FA codes and pull them up automatically. GitHub also supports passkeys so most times I just log in with my biometrics or user pass and don’t have to worry about the added layer.

    I’m fine with regular 2FA. What I can’t abide is having to use proprietary apps, like Blizzard’s battle net. Steam too.

    Passkeys are the future but still a ways off.

    Wild tho that you don’t have any other accounts needing 2FA? That’s scary to me as that added security goes a long ass way in regards to hardening your security.

  • Dymonika@beehaw.org
    5 months ago

    I don’t love the idea of having an authenticator app installed on my phone

    For anything? Why not? Surely you don’t believe SMS-based TOTP is safer, right?

    • StorageB@lemmy.one (OP)
      5 months ago

      Aegis looks great - I’ll give this a shot. Thanks for the recommendation!

    • lemmyvore@feddit.nl
      5 months ago

      Also OTPclient on desktop, it can work directly with an Aegis encrypted export file. You enter the decrypt password when you open the app and it can auto-lock after a specified interval.

      • Kess8a@lemy.lol
        5 months ago

        Is there something similar for windows? I checked the github page & there doesn’t seem to be a package for windows. I could try to compile it from source but that’s a lot of libraries I have to get…

        • lemmyvore@feddit.nl
          5 months ago

          If you’re willing to work with unencrypted exports I think tauthy can import unencrypted Aegis JSON format.

          Also, what Aegis exports as “text format” is a standard format of sorts that consists of lines of otpauth:// URLs. There are lots of apps that can import that format, but please note that you lose some extra information from Aegis when you export in that format. Shouldn’t be a problem if you just want to be able to generate codes on desktop.
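
To make that text-format export concrete, here is an added example (not code from the post, Aegis or OTPClient) that parses otpauth:// lines and derives the TOTP code from each one, which is all a desktop generator needs from such a file. The two export lines are constructed; they use the RFC 6238 test key, so the codes at time 59 can be checked against the RFC's table.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the shape of an Aegis "text format" export: one
# otpauth:// URL per line. The secret is the RFC 6238 test key, not a real one.
SAMPLE_EXPORT = """\
otpauth://totp/GitHub:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub&digits=6&period=30
otpauth://totp/Example%20Corp:alice%40example.org?secret=gezdgnbvgy3tqojqgezdgnbvgy3tqojq&algorithm=SHA1&digits=8
"""

def parse_otpauth(url):
    """Parse one otpauth://totp/ URL into its label and parameters."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ entries are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    # Label is "Issuer:account" or just "account"; an issuer= parameter wins.
    issuer, account = label.split(":", 1) if ":" in label else ("", label)
    return {
        "issuer": q.get("issuer", issuer),
        "account": account,
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def totp(entry, at=None):
    """RFC 6238 code for a parsed entry at Unix time `at` (default: now)."""
    secret = entry["secret"].upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore padding
    counter = int(time.time() if at is None else at) // entry["period"]
    mac = hmac.new(key, struct.pack(">Q", counter), entry["algorithm"].lower()).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** entry["digits"]).zfill(entry["digits"])

def codes_from_export(text, at=None):
    """Map (issuer, account) -> code for every non-empty line of the export."""
    entries = (parse_otpauth(line) for line in text.splitlines() if line.strip())
    return {(e["issuer"], e["account"]): totp(e, at) for e in entries}
```

Fields Aegis keeps in its own JSON (group, icon, note) have no place in these URLs, which is the information the export loses.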

  • toastal@lemmy.ml
    5 months ago

    Ideally you don’t want to build your open source software on a proprietary forge service so hopefully nothing of value is on the Microsoft-owned platform so it doesn’t really matter how secure it is.

    But you should have a free software TOTP option on you anyhow. I use password-store’s OTP plugin so it is easier to back up & sync.

    • fuzzzerd@programming.dev
      5 months ago

      Did you forget the /s or something? Lemmy itself is developed on GitHub, as are plenty of other “valuable” open source projects. To pretend nothing of value is built there is putting your head in the sand.

      If you’re developing software on GitHub you have a chance at getting some useful feedback, bug reports and maybe even PRs. Like it or not, the network effect is real.

      • toastal@lemmy.ml
        5 months ago

        Not /s

        It is long past the time to move on. We don’t like the ads, gamified/corporate-friendly social media aspects, & enshittification of the web (which is why we are on Lemmy not Reddit), so why would we want that same platform for our code?

        Also Lemmy has every interest in moving as soon as ForgeFed is finalized & merged into a forge they can host, since they want the same decentralized values for their forge as their forum/link aggregator platform and have publicly acknowledged it is a problem.

        Your projects should follow that example, if not your current projects at least future ones. These megacorporations are not our friends.

  • Deckweiss@lemmy.world
    5 months ago

    I deleted my github account because fuck microsoft. Open source should not be hosted on their servers.

    In regards to forced 2fa, as I don’t need it on my projects, there would be literally nothing lost if somebody gets into my account.

    Just for the convenience I moved them to my selfhosted forgejo and mirroring to sr.ht as a backup.