Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don’t love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don’t want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)…

98 points

It’s fine. The added security is huge

The problem is when they want you to install their TOTP app in order to authenticate (I’m looking at you, Steam… fuck off)

24 points

I think I’d still prefer to use a 3rd-Party TOTP app but at least Steam’s app adds some value by pushing a notification when you login.

24 points

Steam is okay in my book because Steam was the OG 2FA provider. They forced 2FA on everyone, all the way back in 2007; they took security seriously before anyone else really cared. So, they’re grandfathered in.


You can use Steam with a regular third-party TOTP authenticator, here’s a guide on how to set it up: https://help.ente.io/auth/migration-guides/steam/

-6 points

I hate that. I think it’s lazy af.


13 points

Exactly. At the end of the day there’s nothing being transmitted with OTP and using a standard app isn’t an issue.

12 points

If you’re rooted, Aegis can import the seed from the Steam app then you don’t need it anymore.

3 points

Oh, that’s awesome!

But I don’t have root

7 points

You may be able to use an older version of the app that allowed ADB backups, and extract the seed from that.

Another approach is to extract it from the Steam desktop app.

No idea what companies think they’re accomplishing by using non-standard TOTP apps (that actually do TOTP under the hood). Microsoft do it so they can track your location and report it to managers when you login because it’s something that management asks for. Some companies do it so they can lock you into their services. No idea why Steam does it.

4 points

Or like eBay

3 points

How’s that? I’ve had TOTP in my github account for over a year, on Aegis, and I have not seen them asking me to do anything else.

6 points

GitHub is not an offender right now, but I can easily imagine Microsoft forcing some MS OTP app in the future

3 points

Agreed. It would surprise nobody.

2 points

I do agree but Steam’s app isn’t bad. It’s great if you use Steam’s social features and it makes secure login a total breeze.

2 points

It’s not that the app is good or bad. It’s that you are FORCED to use it when there is no technical reason for that requirement.

Let me reiterate: fuck valve

2 points

Sure, I don’t disagree, it shouldn’t be a requirement but because the app is good and makes the process easy, I don’t have a problem with it.


You can use it with a regular TOTP app, just like with Steam (but it requires some additional setup: https://help.ente.io/auth/migration-guides/steam/)

69 points

SMS is the least secure form of 2FA, and SIM swaps are a very real thing. Whatever your issues with 2FA apps are, I can 100% say that you should be more concerned about actors getting access to your account.

And this isn’t just GitHub. You should be using a 2FA app for allllll of your services. Breaches are a daily thing; your passwords are online and are available. 2FA may be the only thing defending you right now, and SMS 2FA or email 2FA I wouldn’t trust.

12 points

Totally agree! 2FA on all the accounts that support it avoiding SMS. And different passwords (complex, auto generated by a password manager) for each single account. I may be paranoid, but I also use a different email alias (SimpleLogin) for every single account! 😆

5 points

same, a simple habit that is secure, I use it always with maximum privacy. One day you will be in a rush, under stress, affected by age, and use your old habits with a valuable asset…

3 points

SMS 2FA is still better than no 2FA.

4 points

Not if the org uses SMS auth as a recovery method for your “lost” password.

Also putting a phone number into a DB means the attackers who dump the DB now have a very effective way to phish or exploit you with a large attack surface.

I generally don’t let my team enter phone numbers into their account data.

3 points

But it should be the last resort. It makes sense why it’s being phased out

2 points

Well we could be using passkeys right now if Big Tech weren’t trying to tie them to their own platforms! 🤷

2 points

Unfortunately many banks still require it and have no other methods available. I tried to reason with my bank about it but they just do not care.

2 points

This, but my random, account-specific 20 char passwords are not online and available.

59 points

If you’re not already using 2FA everywhere you can, you’re already doing it wrong.

-6 points

2FA is for people who don’t know how to use randomized passwords for every site

5 points

Brilliant. Until that website’s unsalted pw database is downloaded through a SQL injection.

Use both. You’re not smarter than security professionals.

1 point
  1. Salt doesn’t matter if your password is unique.
  2. If they can download data via SQL injection having them log in probably doesn’t matter that much.
  3. If they can dump your password/hash they can likely also dump the TOTP secret.
  4. A lot of website security expert attention is focused on raising the minimum security level. If you are using randomly generated passwords + auto-fill you are likely above their main target audience.

So yes, it is slightly better, but in practice that difference probably doesn’t matter. If you use U2F then you may have a meaningful security increase but IMHO U2F is not practical to use on every site due to basically being impossible to manage credentials.

So yes, it is better. But for me using random passwords and a password manager it isn’t worth the bother.

3 points

The day your machine is compromised is also the day ALL your passwords get stolen.

-33 points

2FA is annoying and not necessary for most things.

13 points

Yeah I just want to type my name to be able to withdraw money from my bank account. No pesky pins or passwords or any form of authentication /s

-3 points

Even in my bank’s ATM there’s only one password, not 2FA. 2FA is 2 factor auth, there’s no 2FA in the ATMs.

It doesn’t mean the initial password isn’t a layer of authentication, but strictly speaking where I live all ATMs do not employ 2FA.

10 points

All security is annoying. Oh well.

26 points

You can try Aegis if you’re on Android: open source, local, great.

4 points

Also OTPclient on desktop, it can work directly with an Aegis encrypted export file. You enter the decrypt password when you open the app and it can auto-lock after a specified interval.

2 points

Is there something similar for Windows? I checked the GitHub page & there doesn’t seem to be a package for Windows. I could try to compile it from source but that’s a lot of libraries I have to get…

3 points

If you’re willing to work with unencrypted exports I think tauthy can import unencrypted Aegis JSON format.

Also, what Aegis exports as “text format” is a standard format of sorts that consists of lines of otpauth:// URLs. There are lots of apps that can import that format, but please note that you lose some extra information from Aegis when you export in that format. Shouldn’t be a problem if you just want to be able to generate codes on desktop.

1 point

Aegis looks great - I’ll give this a shot. Thanks for the recommendation!

2 points

Happy to help

25 points

What’s wrong with using a FOSS TOTP app?

3 points

Yeah, this is important to realize. Most good 2FA implementations offer TOTP which doesn’t need a proprietary app. You can store all of your 2FA secrets in whatever app or password manager you like.


Open Source

!opensource@lemmy.ml
