2FA without dedicated mobile phone/device?

Is there any consideration to have 2FA without dedicated mobile phone (e.g. via e-mail)? I mean you have 2 dedicated separate secured channels and do not necessarily need a second (physical) device. Yes, I know this way is more secured…

Or is there any way to use 2FA on Github without needing a dedicated second device? I am forced to use 2FA by the organization I am supporting (which is absolutly fine for me), but I am actually not willing to provide my mobile number nor installing an app bounding authentication to a specific external physical device (what might break, get lost, been forgotten at home) nor having 3 devices (computer to code, dedicated mobile device authenticated and enabled to use physical key generator via nfc).

Hi @retro64,

Thanks for being part of the GitHub Community Forum. I’ll answer your question as best I can.

At this time, the only options for primary 2FA are via SMS or TOTP app. This is for a number of reasons, including security for your account. I recommend reading our article here on security for your GitHub account for more information.

I understand your desire to not share your mobile number and also your concerns about linking authentication to a specific device. That said, we also offer several fallback methods for 2FA, should you ever lose your device. You could set up 2FA with a TOTP app and then set a number of different fallback options, including a FIDO U2F security key. This helps provide a backup option for accessing your account should you ever lose or damage your primary device with the TOTP app installed.

I hope this helps! Cheers!

1 Like

Hi @nadiajoyce,

thank you for your answer (even if it was not the answer I hoped for…). I still hope there will be a multi channel, one device solution for 2FA in the near future…


I’m hate this nonsese crap of MFA. Company still get hack from inside out anyway! I also not rich enough to own a smart phone, or paid for SMS crap.

1 Like

Please give us the users freedome to by pass this crap without smart phone and SMS.


To be honest MFA using phones or any second device in general is a very bad idea.  Besides the fact that some of us are too poor to own say a smartphone (myself included) it just increases the attack vector and doesn’t solve really anything, and encourages data loss especially among people who wouldn’t even bother to use a strong password in the first place.  There’s no excuse for this.  It’s a very bad idea.  And immoral to force it on people.  As of current I can’t twitch stream, can hardly use steam, can’t really use any service which depends on it.  The only reason I have an email is because thank god there’s some email services that don’t require a **bleep** phone number.  I could see it being optional.  But making it mandatory is just very against personal rights.


Posted in wrong “reply” location. Will go recreate in appropriate location.