this post was submitted on 05 Jun 2024
46 points (78.0% liked)

Open Source

31679 readers
815 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

Just wondering what people are using to meet the 2FA requirement GitHub has been rolling out. I don't love the idea of having an authenticator app installed on my phone just to log into GitHub. And really don't want to give them my phone number just to log in.

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA)...

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 98 points 6 months ago (6 children)

It's fine. The added security is huge

The problem is when they want you to install their TOTP app in order to authenticate (I'm looking at you, steam... fuck off)

[–] [email protected] 23 points 6 months ago* (last edited 6 months ago) (3 children)

I think I'd still prefer to use a 3rd-Party TOTP app but at least Steam's app adds some value by pushing a notification when you login.

[–] [email protected] 24 points 6 months ago

Steam is okay in my book because steam was the OG 2FA provider. They forced 2FA on everyone, all the way back in 2007, they took security seriously before anyone else really cared. So, they're grandfathered in.

[–] [email protected] 2 points 6 months ago

You can use Steam with a regular third-party TOTP authenticator, here's a guide on how to set it up: https://help.ente.io/auth/migration-guides/steam/

[–] [email protected] 12 points 6 months ago (2 children)

If you're rooted, Aegis can import the seed from the Steam app then you don't need it anymore.

[–] [email protected] 3 points 6 months ago (2 children)

Oh, that's awesome!

But I don't have root

[–] [email protected] 7 points 6 months ago* (last edited 6 months ago) (1 children)

You may be able to use an older version of the app that allowed ADB backups, and extract the seed from that.

Another approach is to extract it from the Steam desktop app.

No idea what companies think they're accomplishing by using non-standard TOTP apps (that actually do TOTP under the hood). Microsoft do it so they can track your location and report it to managers when you login because it's something that management asks for. Some companies do it so they can lock you into their services. No idea why Steam does it.

[–] [email protected] 1 points 6 months ago (1 children)
[–] [email protected] 2 points 6 months ago

Thanks, I didn't know about steamguard-cli. And I was able to import the code into Aegis too (just had to set the type to "Steam" so it would generate 5-letter codes instead of normal TOTP)...

[–] [email protected] 11 points 6 months ago

Exactly. At the end of the day there’s nothing being transmitted with OTP and using a standard app isn’t an issue.

[–] [email protected] 4 points 6 months ago
[–] [email protected] 3 points 6 months ago (1 children)

How's that? I've had TOTP in my github account for over a year, on Aegis, and I have not seen them asking me to do anything else.

[–] [email protected] 5 points 6 months ago (1 children)

GitHub is not an offender right now, but I can easily imagine Microsoft forcing some MS OTP app in the future

[–] [email protected] 3 points 6 months ago

Agreed. It would surprise nobody.

[–] [email protected] 2 points 6 months ago (1 children)

I do agree but Steam's app isn't bad. It's great if you use Steam's social features and it makes secure login a total breeze.

[–] [email protected] 2 points 6 months ago (1 children)

It's not that the app is good or bad. It's that you are FORCED to use it when there is no technical reason for that requirement.

Let me reiterate: fuck valve

[–] [email protected] 2 points 6 months ago

Sure, I don't disagree, it shouldn't be a requirement but because the app is good and makes the process easy, I don't have a problem with it.