2FA without dedicated mobile phone/device? #23490
-
Is there any consideration to have 2FA without a dedicated mobile phone (e.g. via e-mail)? I mean you have 2 dedicated separate secured channels and do not necessarily need a second (physical) device. Yes, I know this way is more secure… Or is there any way to use 2FA on GitHub without needing a dedicated second device? I am forced to use 2FA by the organization I am supporting (which is absolutely fine for me), but I am actually not willing to provide my mobile number, nor to install an app binding authentication to a specific external physical device (which might break, get lost, or be forgotten at home), nor to have 3 devices (computer to code, dedicated mobile device authenticated and enabled to use physical key generator via NFC).
Replies: 20 comments 28 replies
-
Hi @retro64, Thanks for being part of the GitHub Community Forum. I’ll answer your question as best I can. At this time, the only options for primary 2FA are via SMS or TOTP app. This is for a number of reasons, including security for your account. I recommend reading our article here on security for your GitHub account for more information. I understand your desire to not share your mobile number and also your concerns about linking authentication to a specific device. That said, we also offer several fallback methods for 2FA, should you ever lose your device. You could set up 2FA with a TOTP app and then set a number of different fallback options, including a FIDO U2F security key. This helps provide a backup option for accessing your account should you ever lose or damage your primary device with the TOTP app installed. I hope this helps! Cheers!
-
Hi @nadiajoyce, thank you for your answer (even if it was not the answer I hoped for…). I still hope there will be a multi channel, one device solution for 2FA in the near future…
-
I hate this nonsense crap of MFA. Companies still get hacked from the inside out anyway! I'm also not rich enough to own a smartphone, or pay for SMS crap.
-
Please give us users the freedom to bypass this crap without a smartphone and SMS.
-
To be honest MFA using phones or any second device in general is a very bad idea. Besides the fact that some of us are too poor to own say a smartphone (myself included) it just increases the attack vector and doesn’t solve really anything, and encourages data loss especially among people who wouldn’t even bother to use a strong password in the first place. There’s no excuse for this. It’s a very bad idea. And immoral to force it on people. As of current I can’t twitch stream, can hardly use steam, can’t really use any service which depends on it. The only reason I have an email is because thank god there’s some email services that don’t require a **bleep** phone number. I could see it being optional. But making it mandatory is just very against personal rights.
-
Posted in wrong “reply” location. Will go recreate in appropriate location.
-
I haven’t tested it with GitHub 2FA, but KeePassXC is a desktop password manager that can also do TOTP. Carefully consider whether keeping the TOTP tool on (presumably) the same computer that you use to log in fits your security needs.
-
I don’t own any cell-network device. Does it mean that I’ll never be able to use my GitHub account I use now?
-
You can also, for a nominal monthly fee, get a phone number at a provider, e.g., voip.ms. That phone number, which does not ever have to be used to send or receive phone calls, can forward you SMS messages via email, and you can send messages as well.
-
Any updates on this? I don’t own a phone and apparently 2FA will be enforced eventually. GitHub to enforce 2FA for all code contributors by the end of 2023 | VentureBeat Are there any known working options for 2FA such as USB/smart-card that don’t require a phone?
-
As I mentioned above you can use something that implements TOTP on your desktop, like KeePassXC. No phone needed. 🙂
-
Thanks, KeePassXC works great! I was confused by the wording on GitHub’s 2FA page which made it seem like I might need a phone (use of QR code for e.g.). But in fact it’s not needed at all.
-
Yes, GitHub supports using a security key (like a YubiKey) for 2FA without requiring a dedicated mobile phone or app. This method enhances security and doesn't rely on a second physical device.
-
For me, sending the verification code to email already is multi-factor authentication. Since I use a private-mode browser almost all the time, I am entering the code almost all the time as well. There is no opt-out option at all.... It's like someone got hacked, and it became everyone else's duty to do extra work! Sounds very non-green.
-
So, what I'm hearing is that it's time to move somewhere else if we don't want to worry about permanently losing access to our code. Any suggestions?
-
One thing to note here in this thread about the reliance on a physical device as your TOTP generator. If you save the 2FA serial number you receive when setting up your 2FA device, you can plug that into a number of different devices and applications to generate the same keys. I never set up a 2FA without recording the serial number in my password app. That way, if I lose a phone, or Google Authenticator is discontinued, or Authy is discontinued, I simply plug that serial number into a new TOTP generator, and have exactly the same codes available as my original device. 1Password has an awesome method of storing the serial number that actually generates the codes directly, so if I have my phone handy, I can use it for 2FA. If I don't, I can get my codes from 1Password. And on a couple other systems, I have Authy available. All of them generate the same codes. Might be worth considering using multiple TOTP generators as a solution.
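Added example, not part of the post above and not GitHub's code: a minimal RFC 6238 TOTP generator showing why any tool holding the same secret produces the same codes. It assumes the "serial number" in the post is the base32 TOTP setup key; `SETUP_KEY` and `SAMPLE_URI` are constructed sample values (the RFC 6238 test secret and a hypothetical account).

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed otpauth:// URI of the kind a setup QR code encodes (hypothetical account).
SAMPLE_URI = "otpauth://totp/Example:alice?secret=" + SETUP_KEY + "&issuer=Example"


def decode_setup_key(setup_key: str) -> bytes:
    """Normalise a typed setup key (spaces, dashes, lower case) to raw bytes."""
    cleaned = setup_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    return base64.b32decode(cleaned)


def secret_from_uri(uri: str) -> str:
    """Pull the base32 secret out of an otpauth://totp/... URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    return parse_qs(parts.query)["secret"][0]


def totp(setup_key: str, at: Optional[float] = None,
         period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits by default."""
    now = time.time() if at is None else at
    counter = struct.pack(">Q", int(now // period))
    mac = hmac.new(decode_setup_key(setup_key), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Two "generators" fed the same secret in different forms agree on the code.
    print(totp(SETUP_KEY), totp(secret_from_uri(SAMPLE_URI)))
```

Because every holder of the secret can produce valid codes, a stored copy needs the same protection as the password itself.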
-
Stop spamming my email with your 2FA reminders! I will not use that 2FA garbage and I already moved all my stuff to a more user friendly git hoster. You can stick that garbage where the sun doesn't shine... and your idea of "Contact Us" is a bloody chat bot? FU!
-
I trust my own password, and I keep it in my brain. Are you GitHub?
-
Unless I can find a white hat solution to this, it's time for me to leave the tiny little neurotypical world of microsoft. Wishing you all peace, happiness and prosperity without intermediary. All the best.