I am aware of all those issues - after all, I was in US Army IT for quite some time.
Now what I’m very curious about is - how can a person log in to GitHub as me? (S)he needs to know my login ID (not e-mail address) and the passphrase I’m using for the login. And most importantly - (s)he needs to know that this login ID is actually connected to me. GitHub is smart enough not to request an e-mail as login ID: rather they use the actual login ID.
I also understand why they want to protect paying customers - after all that’s how they make money and they want to protect their identities. Now I am not stupid (and I’d like to give other people the benefit of the doubt) and will never publish my credentials to public sites and of course not to any financial institutions I use. I would rather create a system with at least 2-way login: something you have and something you know. Unfortunately this is not feasible at this point in the life of our society, and so only the military uses it. But I would spread it all around the Internet for any financial transaction. Sorry, I’m dreaming now.
Anyway, using SSH of course does not guarantee that the account will be secured, because GitHub can be cracked and all that stuff can be stolen.
Now I am not using an easily guessable password. In fact, I’m using “a passphrase” almost everywhere. And I NEVER store it anywhere, I NEVER write it down anywhere. Because when I was in school my brain was taught to hold a large amount of information.
And unfortunately this is not the case with the current generation. But this is ranting again and probably off-topic.
So as you can see - all this security thing is not something new to me. But at the same time I hate saving the password somewhere on my machine. Because if the password is saved locally - it is not secure. Period.
Now what I think you were talking about is a “personal token” - the thing that is generated every time a person is trying to log in and therefore needs to enter it. This is called a “Personal token” and I know that Northrop is using a special device that generates it every time an employee is trying to log in to the Northrop web site.
I currently work for a company that is using a mobile app to generate such a token in order to let employees have access to their portal.
If GitHub is so concerned about security - why not make an application that will generate such a token and provide it as part of GitHub integration? Then literally no one will be able to use the GitHub account and cracking it will be of no use. Every time I, as a user, want to connect, that app will generate the token and will let the connection go after I approve with the app.