Any way to get around 2FA on GitHub?
7 points | 16 days ago | 8 comments | HN
This is really annoying and it won't let me skip it anymore. Is there a way to get rid of it without enabling or logging out of my account?
LorenDB
16 days ago
Why would you want to bypass 2FA? Yes, it makes logins slightly more annoying, but the security benefits far outweigh the annoyance of typing in a six-digit code when you log into a new device.

As far as I know there is no way to bypass 2FA on GitHub (with the possible exception of deleting all your repositories, but I don't know if they'd let you turn it off at that point).

diego_sandoval
16 days ago
One possibility is that maybe they don't care about their GitHub account that much.

I stopped using Twitch when they started forcing 2FA. I didn't really care about my account. I only created it so that I would have a list of the streamers I follow on the left side. But logging in with 2FA was too much work just to be able to see the list, so I stopped using Twitch altogether.

Another use case is to disable GitHub 2FA so that I can enable 2FA on my email account:

I store my (encrypted) KeePassXC database on GitHub, but on a new computer I need to log into my email to be able to 2FA into GitHub, so I have to disable email 2FA because I store the TOTP codes in the KeePassXC database.

If GitHub didn't have 2FA, I would just log in with my password, download the KeePassXC db, decrypt it, and be able to generate TOTP codes for my email.

skydhash
16 days ago
> I store my (encrypted) KeePassXC database on Github

Why not sign up for a cloud storage provider, and store the encrypted password there? Then shorten the link and print out both versions for you to use (the longer one is for if the shortened version no longer works).

qhwudbebd
14 days ago
I guess there are two problems it causes that you might want to solve: the annoyance of the extra ceremony and the risk of losing access because you lose the key.

If you don't need more security on top of your existing (presumably high entropy) password, the latter problem might be solved by publishing the TOTP key. The GitHub bio box is public, mostly pointless and a sensible size...

The former might be solved with a bookmarklet that embeds the key and fills out the relevant form automatically. If you're going to publish the key, presumably publishing this in as convenient a form as possible also makes sense.

jjgreen
16 days ago
GitLab supports but does not require 2FA.
rekabis
14 days ago
> GitLab supports but does not require 2FA.

And that is coming back to bite everyone in the ass:

https://arstechnica.com/security/2024/05/0-click-gitlab-hija...

swah
13 days ago
For a few accounts I prefer convenience, my "2FA bypass" takes half a second typing - "`1", which expands to a call to https://github.com/rsc/2fa using Typinator and puts the code inline...
geekodour
13 days ago
Would you mind sharing how exactly? Could be something I could use, but I don't think I'll be using Typinator; I wanted to understand the process better.
swah
12 days ago
Sure, take a look at the write-up here: https://github.com/rsc/2fa and once you have it working on the command line, it's just a little wrapper with AutoHotKey/Typinator I guess.

The idea came from https://www.raycast.com/cjdenio/two-factor-authentication-co... which is another "almost as fast" way to do the same.
verdverm
16 days ago
Get a hardware key, which you just have to touch, rather than pulling out your phone and doing the 6-digit thing
moosemess
12 days ago
You can't, because GitHub, like so many other bad companies, has decided to externalize security onto users, forcing them into 2FA so they don't have to pay to support all the irresponsible people whose accounts get compromised. Make no mistake, this is 100% a financial decision that has nothing to do with any security.
noman-land
14 days ago
Buy a Yubikey. The second factor takes one second.
KomoD
16 days ago
That'd defeat the point of it?
HenryBemis
14 days ago
1) Depends on the risk assessment each of us does.

2) Security <> Convenience

I invest with a couple of different brokers. Some require only username+password. Some have the extra SMS/2FA. There is one where I get an automated phone-call and I have to answer, and type the digits shown on the screen. Every 1st of the month I do 'the rounds' in every account I have (bank, broker, cash) and write down on a spreadsheet my 'net worth' so I can track progress, forecast, see with a nice line how much up or down it goes, etc. (friendly suggestion - all people should be doing that); so it amuses me to see so many different authentication mechanisms across the Finance world.

moosemess
12 days ago
Check out beancount and plaintext accounting. So much better than spreadsheets, IMO.