GitHub now requiring 2FA for all contributors,what authenticator apps you using?

GitHub is rolling out mandatory 2FA for accounts that contribute code, with a 45-day window to enroll.

Aegis, Raivo, or Ente are the ones that have most promise from what I've read. Any other recommendations? or thoughts on those three in particular.

TY

13 points | by nickcageinacage 2 days ago

21 comments

  • andyjohnson0 1 hour ago
    Yubikeys with fallback to Google authenticator.
  • 6272connect 9 hours ago
    Aegis is a solid choice for local 2FA, especially if you're looking for something actively maintained that doesn't rely on cloud sync. Several comments like uyzstvqs and gethly point this out, and I've seen it perform well in practice. For the absolute highest security tiers, though, consider moving towards hardware keys. While it adds a bit more friction than an app, the security posture is far superior for critical accounts.
  • anshik1998 7 hours ago
    Google Authenticator. Surely I can look for something better but why to complicate things and spend time searching for better alternatives.
  • uyzstvqs 2 days ago
    Aegis (local) https://github.com/beemdevelopment/aegis

    Bitwarden Authenticator (local) https://bitwarden.com/products/authenticator/

    Ente (encrypted cloud backup) https://ente.com/auth/

  • jc-myths 2 days ago
    Google auth, first and the only 2FA authenticator I ever used.
    [-]
    • aerzen 1 day ago
      Because some auth provider recommended it as the only app to use. While it is a good app, it does backup into Drive.
      [-]
      • BloondAndDoom 23 hours ago
        While it’s not a perfect solution, you can export and backup your data with QR codes, so you can back it up without cloud.
        [-]
  • jjgreen 2 days ago
    That's been pending for a while, I'll just stop contributing code.
    [-]
    • nextos 1 day ago
      You don't need an app if you don't want one.

      In a CLI, oath lets you calculate a TOTP.

      But it's maybe a bit more insecure if you use the same machine.

    • codazoda 1 day ago
      Why? You’re against 2FA? You couldn’t contribute without an account before, could you?
      [-]
      • jjgreen 1 day ago
        I'd had a GH account for ages under my own name, I closed that as soon as Microsoft took it over, moved all my repos to GitLab, good move. I opened a new GH account under a silly name [1] so I could collaborate with people still on it. Now I'm not really against 2FA, but don't use it myself, it adds friction, adds risk (what if you lose it), it seems too "theatrical" for my liking. You want to use 2FA? be my guest, live and let live etc. What I don't like is being told what to do with my account, particularly by someone like MicroSlop. I won't add 2FA to my GH account, so I'll not contribute any code to GH based projects, ho hum. As I understand it, I'll still be able to raise issues without 2FA, fine, and when 2FA becomes mandatory for that, I'll stop doing that too.

        [1] https://github.com/noproblemwiththat

        [-]
        • MeetingsBrowser 19 hours ago
          > What I don't like is being told what to do with my account

          All of the arguments against 2FA here could be made against requiring passwords longer than 8 characters.

          It’s not secure. The fix is easy, effective, and has almost no downsides.

        • stephenr 1 day ago
          > adds risk (what if you lose it)

          Lose what exactly? Decent 2FA setups make you confirm you've recorded a set of backup codes somewhere (they often recommend print and store in a safe, I find a secure note in a password manager works well) before activating it.

          Furthermore plenty of TOTP applications offer secure backup and syncing features.

          So again, what specifically do you think you're going to "lose"?

  • bjourne 2 days ago
    Microsoft showing 2FA down everyone's throat is quite painful. I don't for a second believe they are only using my phone number for authentication. They are storing the data and they are correlating it with other apps they force 2FA on.
    [-]
    • stephenr 2 days ago
      So don't give them your phone number.

      Arguing against 2FA is like arguing that they shouldn't bash your password because it means you can't see your password to help remember it.

      [-]
      • stephenr 1 day ago
        s/bash/hash/
      • bjourne 1 day ago
        Um, no? Arguing against 2fa is I don't want to cede even more PII with the American tech oligopoly which, no doubt, will share said PII with the American regime.
        [-]
        • stephenr 1 day ago
          What PII?

          You store a TOTP secret on your <device>....

          It's less PII than an ssh public key because it's literally just a random string, that *they* generated, and you only need it for the web UI.

          So please tell me how the Americans are going to track and identify you through a fucking TOTP secret.

          [-]
          • bjourne 1 day ago
            My phone number dumbo.
            [-]
            • stephenr 1 day ago
              Why would you use a phone number for 2FA. It's like saying you only use md5 hashing for passwords.
  • thegoldenman 1 day ago
    https://apps.apple.com/au/app/2fa-authenticator-2fas/id12177...
  • codazoda 1 day ago
    Authy but I’m considering moving to Apple Passwords so it’s all together.
    [-]
    • ecesena 1 day ago
      Same. To add some details, I used Authy because at the time it was the only app that would just work after upgrading my iphone. I never enabled their cloud mode, so only local 2FA codes.
  • grahammccain 1 day ago
    I only use google and Microsoft, it might be a good idea for me to look into this deeper for the future.
  • JohannesCortez 10 hours ago
    Honestly, the safest for me has always been the boring one: Microsoft authenticator
  • pickle-wizard 2 days ago
    I use a passkey that is in iCloud Keychain.
  • threecheese 2 days ago
    Using GitHub MFA via the app on my iPhone.
    [-]
    • nickcageinacage 2 days ago
      yea. I'm pretty sure they want separate authenticator app or browser extension
    • paulG12 2 days ago
      So now I need my damn phone to push something. Great. What's next, my national ID?
      [-]
      • nickcageinacage 2 days ago
        lmao welp. that is the path other apps are going so i wouldnt be surprised
      • stephenr 1 day ago
        If by need you mean, can choose to use, and if by push you mean, login to the GitHub web ui, then sure.
  • gethly 14 hours ago
    There has been a review of these apps some time ago. I know google/ms were worst and Aegis was on the top of the list(among few others whom i do not remember). I have been using Aegis for aeges :D
  • tacostakohashi 1 day ago
    KeepassXC
  • stalfosknight 2 days ago
    iCloud Keychain
  • riidom 1 day ago
    on phone: 2FA Manager from OpenStore on UBports phone

    on work laptop: 1PW

  • cyberclimb 2 days ago
    Checkout Ente Auth
  • mindwork 2 days ago
    I still use Authy tbh
  • nashashmi 2 days ago
    Totp.app
  • abdelmon 18 hours ago
    [flagged]