Tell HN: Moving Away from GitHub (2FA)
3 points by dakiol on Sept 30, 2024 | hide | past | favorite | 6 comments
I have forty-something days to enable 2FA on my GitHub account. Nothing against 2FA in general, but GitHub requires me to either provide my phone number (for SMS) or install apps (the GitHub app or one to get 2FA codes). Passkeys are available, but only if I already have 2FA via SMS/codes.

Why can’t I just provide a second email as 2FA? That would be so easy to implement. I move around frequently and I don’t really have a permanent phone number (besides I don’t really take my phone with me that much) and I don’t want to rely on yet another app on my phone to login to things.

I use GitHub as a free place to have backups of code I don’t mind being public. So, 2FA is not really something I need (I understand it’s a must for other types of users).



iOS supports TOTP and Passkeys natively in the Password app. If you’re on Android, my apologies, I cannot speak to native secure credential management.

GitHub is mandating 2FA because the risk is too high when users are not practicing good security hygiene (credential spraying, supply chain attacks, etc.). If folks bail, they bail; there are other git hosting options available. A secondary email is not a secure auth factor. A Google Titan or YubiKey is ~$40 to have a hardware factor that isn’t a phone.


What would you suggest as an alternative git hosting option for personal use?


I use GitHub, no recommendations for other services, my apologies.


You may self-host Vaultwarden to serve TOTP and install a browser extension. To log in, you just click the extension for the code; no need for any mobile app.


Just set up MFA and use passkeys.

Store the passkey in your password manager.

Done


GitHub MFA is (inexplicably) dependent on phone numbers and SMS:

https://github.com/orgs/community/discussions/22500



