Tell HN: GitHub is no more usable without mobile devices
6 points by eimrine on Sept 11, 2023 | 12 comments
Since Microsoft bought GitHub, I have to use a one-time key every time I log in, which is annoying. But today I received a letter in which they insist that I have the second of two factors from the list:

     Security key

     GitHub Mobile

     Authenticator application (TOTP)

     Text messages (SMS)
I don't use smartphones, so all I can do is share my phone number, which will naturally be passed on to spammers. Tell me an alternative to GitHub, please.



>without mobile devices

But 50% of the 2FA options you listed do not require a mobile device. Security key and TOTP app. TOTP apps are free. Try Authy.


You can use TOTP without a phone, like via PyOTP or through some of the password managers (although on Bitwarden it's a paid feature)

I moved from GH to GitLab but not for authentication reasons.


I use some Rust with the `otp` crate for a single secret ($WORK Okta) and `mambembe`[1] on my server for the rest of them.

[1] https://github.com/jaysonsantos/mambembe


For reference: https://github.blog/2023-03-09-raising-the-bar-for-software-...

> Tell me an alternative to GitHub, please.

Codeberg.org or self-hosted Gitea / Forgejo. Or Sourcehut if you prefer that more minimalistic style.


GitHub sent you a letter? What does their letterhead look like? What'd they put for a return address? How much postage was on it?

Seriously though, MFA may be annoying, but that's nothing compared to a credential-stuffing hacker taking over your account.

Spend a few bucks on a Yubico Yubikey. You'll be glad you did.


hello,

i'm using hardware security-tokens as my 2nd-factor wherever it's possible ... and i'm a big fan of them: they are pretty cheap & i don't need to have a mobile device at hand.

last but not least: imho. they are more secure than mobile devices, which are prone to lots of spy-/malware etc. :)

just my 0.02€

ps. ah, alternative to github ...

selfhosted git!?

with some interface if necessary

* gitweb - easy, fast, "just enough" for a technical person

* cgit - same same

* gitea

* ...


Why not use a desktop TOTP app?

This is possible using e.g. 1Password, but there must be others you could use as well.


KeePassXC stores user/password and otp. Not the most secure way to use otp, but surely it's handy.


I visited the 1Password website and it seems like this is not just an app but a paid service which requires some account which means more learning some proprietary software and even more spam in my email. Why there is no option for Github to get rid of any 2-factor for me? I have not any finished project, my name means nothing for the community.


>which means more learning some proprietary software and even more spam in my email.

Can always quit software and become a farmer or something...

People proposed it as a solution to the OTP for "need mobile phone to use GH" thing. It's one solution, there are others.

>Why there is no option for Github to get rid of any 2-factor for me? I have not any finished project, my name means nothing for the community.

Because they don't make it for you, but for everybody. And security is important for others too. If your account gets pwned, it can be used to spread malware, or to facilitate shady behavior that can't be tracked to the real culprits.

If there was such an option, people would disable it without knowing the risks for "convenience", and then cry and blame GH when their accounts are taken.


There are tons of open source & free local OTP applications.


GitHub alternatives include Forgejo, GitLab, and Gitea.

