Is there any consideration to have 2FA without dedicated mobile phone (e.g. via e-mail)? I mean you have 2 dedicated separate secured channels and do not necessarily need a second (physical) device. Yes, I know this way is more secured...
Or is there any way to use 2FA on Github without needing a dedicated second device? I am forced to use 2FA by the organization I am supporting (which is absolutly fine for me), but I am actually not willing to provide my mobile number nor installing an app bounding authentication to a specific external physical device (what might break, get lost, been forgotten at home) nor having 3 devices (computer to code, dedicated mobile device authenticated and enabled to use physical key generator via nfc).
Solved! Solved! Go to Solution.
Thanks for being part of the GitHub Community Forum. I'll answer your question as best I can.
At this time, the only options for primary 2FA are via SMS or TOTP app. This is for a number of reasons, including security for your account. I recommend reading our article here on security for your GitHub account for more information.
I understand your desire to not share your mobile number and also your concerns about linking authentication to a specific device. That said, we also offer several fallback methods for 2FA, should you ever lose your device. You could set up 2FA with a TOTP app and then set a number of different fallback options, including a FIDO U2F security key. This helps provide a backup option for accessing your account should you ever lose or damage your primary device with the TOTP app installed.
I hope this helps! Cheers!
Mark helpful posts with Accept as Solution to help other users locate important info. Don't forget to give Kudos for great content!
thank you for your answer (even if it was not the answer I hoped for...). I still hope there will be a multi channel, one device solution for 2FA in the near future...
I'm hate this nonsese crap of MFA. Company still get hack from inside out anyway! I also not rich enough to own a smart phone, or paid for SMS crap.
To be honest MFA using phones or any second device in general is a very bad idea. Besides the fact that some of us are too poor to own say a smartphone (myself included) it just increases the attack vector and doesn't solve really anything, and encourages data loss especially among people who wouldn't even bother to use a strong password in the first place. There's no excuse for this. It's a very bad idea. And immoral to force it on people. As of current I can't twitch stream, can hardly use steam, can't really use any service which depends on it. The only reason I have an email is because thank god there's some email services that don't require a **bleep** phone number. I could see it being optional. But making it mandatory is just very against personal rights.