I'd just like to point out that this is another example of the failure of the overly-rigid submission title policy here. This title tells me almost nothing about the content I'm about to see or whether it's relevant to me. Expecting to see something about 2FA in general or maybe even a library that eases implementation (given the github domain), I was let down when I opened the link and realized I didn't care in the least about this content. I wasted my time browsing, and I wasted even more time writing this rant.
The issue I have with third-party token applications like the Duo Security one that the GitHub guys are recommending is that due to the way TOTP works (shared secret), I'm practically giving away my second factor to whoever produces the app.
Google Authenticator has the advantage that it's Open Source, but I can't really control whether the thing I downloaded in the app store is actually built from the public sources. But at least I can build my own if I have a developer account. Apparently people are having issues with GA on iOS7 though (it tends to forget the keys), so now I'm kinda out of luck.
Authy is both closed source and wants my cell phone number, Duo Security is just closed source.
I know it's crazy inconvenient in the long run, but I'd much rather install a GitHub official authenticator app than to trust a third-party app with the GitHub token.
Excellent! Unless I'm missing it, it would be nice if there were a way to enforce a policy that members of an organizational team must have two-factor authentication enabled on their accounts.
It's great to see another big web service implementing two-factor authentication. Looks like 2FA is going to be a standard option in web apps in the near future.
I am an international student and I literally hate when they don't let me put in 2 different numbers. I get locked out when I travel. For example, Twitter.
Shameless plug as this is another great use of my webapp http://gauth.apps.gbraad.nl/ (http://bit.ly/g2fauth). Just bookmark and use it offline. Keys are stored locally.
The Chrome extension was forcibly removed from the Chrome Store as BigG was somehow not happy; you can however still install it from here: http://bit.ly/g2fachrome
Cool, I enabled it but had forgotten to download the recovery codes; next time I visited the site it bothered me to download them just in case. Nice touch!
I'm beginning to wonder whether "support for 2FA" is a way for companies to get your telephone number into their database. Does using an authenticator application also provide the same information to the company?
Great move by the GitHub team! Glad to see they went with TOTP rather than SMS-only. As they mentioned on their site, Duo Security's mobile application supports TOTP and we'll have an Octocat logo in soon :)
It's very good to see GitHub adding 2FA, but I wish they could also support their Indian users for using it via SMS.
Edit: genuinely interested to know why they are not able to support SMS in some countries and mainly India.
Does anyone have a good way of storing recovery codes? I currently keep them on paper, in my wallet, but with more and more sites using 2FA I'm having to carry more and more recovery codes around.