How to use only security keys as 2fa? #22500
-
Hi, I have two security keys and I would want them to be the only source of 2FA for my account, but GitHub still allows me to authenticate using text messages or recovery codes. It seems I can't manage these options as I would like to. Moreover, this documentation, Configuring two-factor authentication - GitHub Docs, says
I could accept keeping the recovery codes option, but I don't want text messages or a TOTP application. Can I configure 2FA like this? Thanks for reading 😊
Replies: 12 comments 66 replies
-
Hey @alex-meunier, we intend to support using a security key as the initial two-factor authentication method without the need to first set up an authenticator app or SMS number, but we do not have a timeframe for when this will be implemented. In the meantime, you'll have to configure a TOTP app or SMS number before you can use a security key.
-
Any progress on this? I definitely do not ever want to use my phone for authentication, only the security key.
-
GitHub is working on making it possible to use security keys as the primary second factor, based on what they said in a blog post.
-
It's great to see GitHub rolling out the 2FA requirement for active contributors! When will we be able to choose only security keys and passkeys for sign-in to GitHub? In other words:
It is already the case in practice that my security keys are the only way I can authenticate to GitHub (except for GitHub Mobile). My TOTP credential is stored on the same YubiKeys I use exclusively as security keys. My recovery codes are stored in my password vault, which is locked with the same YubiKeys I use exclusively as security keys. Ergo, forcing me to set up TOTP and recovery codes does not make me less likely to lose access to my account. All it does is increase my attack surface. I'm certain this is true of many other users as well.

I'm not asking GitHub to drop support for these authentication methods. But please allow me to delete them from my account if I want to. Though I guess as a workaround, I could set up a new TOTP key and generate new recovery codes, and immediately destroy both instead of saving them. However, that still doesn't eliminate GitHub Mobile as a downgrade attack vector.
-
I just got the "Your GitHub account will soon require 2FA" email and I don't care about 2/MFA. I have very secure passwords and have them secured very well. The email mentioned this:
But I can see that only TOTP and SMS are offered when enabling 2FA. I could use security keys (they would go to the same password vault as the actual password for the account... doesn't make any sense, but if that gets around this GitHub 2FA stuff, great). Otherwise I'll have to think about leaving for another solution.
-
Has GitHub dropped support for YubiKeys? The link on how to do this is now a dead link: Here is a detailed configuration guide for setting up your YubiKey with GitHub for commit verification and for SSH-based authentication.
-
Dear GitHub, since you are going to force 2FA on many users (https://www.bleepingcomputer.com/news/software/github-warns-users-to-enable-2fa-before-upcoming-deadline/), it is kind of annoying to me that your site doesn't support a 2FA method that best respects the user's privacy! GitLab has done it right already. There is no reason for you not to do it.
-
In case you own YubiKeys, you can use the "Yubico Authenticator" app (in my case the Windows desktop app) to complete the whole TOTP process for the initial 2FA setup at GitHub and store everything related to it (except GitHub's recovery codes) on a YubiKey. I did that myself and then additionally added the same YubiKey as a "security key" to my GitHub account. To sign in to GitHub I can now either insert and press the YubiKey, or I can insert the YubiKey, launch the Yubico Authenticator app, read the TOTP from the app and enter it on GitHub.
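The authenticator step in the comment above is plain RFC 6238 TOTP: the only long-lived secret is the base32 string GitHub shows at setup, and whatever holds it (a YubiKey's OATH applet, a phone app, or nothing at all if the secret is destroyed) is what can mint codes. The Python below is an added example, not code from this thread, from GitHub or from Yubico; it computes and verifies codes the way an authenticator and a server do, using the RFC 6238 reference key (not a real GitHub secret) so the output can be checked against the RFC's published vectors.

```python
# Added example: RFC 6238 TOTP as an authenticator computes it and a server
# verifies it. The secret below is the RFC 6238 reference key, not a real
# GitHub secret.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# base32 of the ASCII bytes "12345678901234567890" (the RFC 6238 SHA-1 test key)
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret a site shows at setup, tolerating spaces,
    lowercase and missing '=' padding as GitHub and most apps emit it."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None,
         period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    `at` is a Unix timestamp; None means now."""
    t = int(time.time()) if at is None else at
    return hotp(decode_base32_secret(secret_b32), t // period, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, period: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current time step and
    `window` steps either side (clock skew), compared in constant time."""
    t = int(time.time()) if at is None else at
    candidates = (totp(secret_b32, t + k * period, period, digits)
                  for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


if __name__ == "__main__":
    # RFC 6238 Appendix B timestamps; the 8-digit column matches the RFC's
    # SHA-1 table, the 6-digit column is what a GitHub-style prompt expects.
    for t in (59, 1111111109, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC6238_SECRET_B32, t), totp(RFC6238_SECRET_B32, t, digits=8))
```

A YubiKey's OATH applet has no clock of its own: the host app passes the current time in and the key returns the code, which is why the one-step verification window above matters when the host's clock drifts. It also shows why the "set up TOTP, then destroy the secret" workaround mentioned in other replies works: with the secret gone, nobody, attacker included, can produce a valid code for that method.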
-
Also used winauth to set up originally.
On Tue, Feb 6, 2024 at 10:04 PM warwick-davis wrote:
I used winauth to set up the initial authenticator and then threw it away after I was done with it. Hope that helps. Very angry with GitHub for forcing this shit down my throat when my password is plenty secure. I'd be glad to add a YubiKey only, but nope.
-
Two years later, still can't make a security key the sole authentication method of my GitHub account. Absolutely unacceptable for an organization that houses this much mission-critical code.
-
There appears to be no way to remove TOTP over SMS from my 2FA configuration. I want to only use a YubiKey. I also do not want to use recovery codes, as if someone gains access to them, my account is completely compromised.
-
Over 2 years on and we still don't have support for only security keys for 2FA...