How to 2FA with only landline and/or email? (No mobile/cell phone! No 2FA hardware!)

[Fish-Git]

I received an email recently informing me that I must enable 2FA.

The only problem is, I don't own a cell/mobile phone, and thus cannot receive any SMS/text messages, and don't have the money to purchase any new hardware (e.g. YubiKey). (My wife and I are both retired and living on fixed income. We're VERY poor!)

My only choices are a VOICE call to my landline telephone number or email message.

Does your 2FA support my situation?

HELP!  :(

(me: scared!)

p.s. your "support.github.com" web site is ABSOLUTELY NO HELP WHATSOEVER and does not answer my question.

[ldez]

Hello,

You can use KeypassXC which is free and open source and works offline.

Any RFC6238 compliant implementation will work, you can find several implementations depending on your language on GitHub or create your own version.

[Fish-Git]

You can use KeypassXC which is free and open source and works offline.

I have already been using Bruce Schneier's "Password Safe" product for many years, and do not wish to change.

Any RFC6238 compliant implementation will work, you can find several implementations depending on your language on GitHub or create your own version.

I do not wish to create my own.

Can't someone just answer my questions, please?!

1. Does GitHub's 2FA support voice calls to a landline telephone? If yes, how do I enable that option?

2. Does GitHub's 2FA support email? If yes, how do I enable that option?

Thank you!

[ldez]

You can only store TOTP in KeepassXC and not your passwords.

Does GitHub's 2FA support voice calls to a landline telephone? If yes, how do I enable that option?

no

Does GitHub's 2FA support email? If yes, how do I enable that option?

no

[Fish-Git]

Does GitHub's 2FA support voice calls to a landline telephone? If yes, how do I enable that option?

no

Does GitHub's 2FA support email? If yes, how do I enable that option?

no

Then I guess I'm fucked.  :(

Thank you, GitHub.  >:-(

[misterspock1]

You could try making a Google Voice number to get a free online mobile number. There is also a service called TextNow which will give you a free online mobile number. (Both of these use your internet, but neither require a physical phone.) (As well as several other companies.)

[misterspock1]

TextNow would require a tablet, or an Android emulator, it seems though, but I use both for free, though I've never tried either number with Github 2FA, it's never asked me for it.

[Fish-Git]

You could try ...

I'd rather not experiment with something that may not work. I'd rather be provided with step by step instructions on something that is without question known to work. WITHOUT having to install anything. I have accounts with several financial institutions and none of them require 2FA. Why does GitHub all of a sudden?

I've had a GitHub account for years and 2FA was always an OPTION, not a requirement.

I'm currently using Public/Private Key cryptography to login to my existing GitHub account. Why do now need 2FA? My current password has enough bits of entropy as to be impossible to brute force. Why do I need 2FA? Answer: I don't. So why am I being forced to use something I don't want nor need?

[racingmars]

I'm currently using Public/Private Key cryptography to login to my existing GitHub account.

No, you are using ssh keys to push to the repository, not to login to the web interface. Anyone who compromises your login to the web interface (e.g. just your password) can add whatever SSH public keys they want to the list of keys.

For better or worse, the majority of open source software development -- and a healthy portion of commercial software development -- has gravitated toward a monoculture of using GitHub. Supply chain attacks are a huge concern these days, and GitHub's popularity paints a massive target on its back and on the back of every software developer who has a GitHub account. Bits of entropy in your password is only one of many risk factors; for a developer who writes code and releases binaries through GitHub for others to use to not use 2FA as a minimum bar for protecting his own account and in turn protecting the users who use his software is, in this day and age, bordering on negligence. Given the position they play in the software ecosystem, GitHub is long overdue in making 2FA required. To think otherwise is, quite frankly, as misguided as, say, being years behind on operating system security updates while in a sensitive position such as being someone who builds and releases software for public consumption.

[Fish-Git]

TextNow would require a tablet, or an Android emulator,

I don't have (nor want!) a tablet, nor an Anroid emulator. I don't want to have to install anything just to login to my damn GitHub account for crying out loud. I just want to be able to login to my GitHub account without jumping through hoops so I can continue development of our Open Source product that I and others have been maintaining for the past 20+ years.

[misterspock1]

Google Voice only needs a Gmail account...no tablet or android emulator required. That could be less hoops for you... Just trying to be helpful in the face of your troubles! Appreciate all the work you do!

[Fish-Git]

Google Voice only needs a Gmail account...

Nothing to install? Sounds great! What do I do? What are the step-by-step instructions?

[misterspock1]

https://voice.google.com/about Go here: Click Personal use and Web and go from there. Hope it works!

[misterspock1]

I have confirmed that my free Google Voice Number on the Web did authenticate with Github 2FA.

[misterspock1]

It took a few clicks after I put the six-digit code in, but it did finally go through!

[Fish-Git]

https://voice.google.com/about Go here: Click Personal use and Web and go from there. Hope it works!

I have confirmed that my free Google Voice Number on the Web did authenticate with Github 2FA.

Well it must be because YOU have a mobile phone, because it doesn't work for me. I just tried it.

I went to the URL you provided and began the process, and when presented the dialog where you choose (select) which phone number you want to use as your new new Google Voice phone number, it stated quite clearly IN BOLD at the top of the dialog:

You must have an existing US-based mobile phone number to qualify.

which as I said, I do not have.

Nevertheless, I chose a phone number anyway, and went on to the next step: the Verification step, where you "link" your chosen Google Voice phone number with your "real" phone number (by entering your real phone number into their dialog box and clicking the Verify button to obtain your verification code).

The initial text of the Verification dialog was:

Google Voice will send you a text message containing a 6-digit code.
You can also verify by phone.

Clicking on the "verify by phone" link changes the text of the dialog box to:

To verify this number, Google Voice will call it and provide a 6-digit code.
You can also verify by text message.

So I entered my home NON-mobile (land line) phone number, and clicked the "Call" button to receive by 6-digit verification code by voice...

...and was immediately presented with an ERROR dialog, saying:

Unable to verify number

Google Voice couldn't verify this number via phone. Would you
like to verify by text message instead?

Having NO WAY to receive any SMS (text) message, I was left with no choice but to click "Cancel".  :(

So NOW what?  :(

It would appear I am truly fucked.

Thank you very much, GitHub!  >:-(

[misterspock1]

I'm sorry to hear that, I was able to confirm mine with a landline number. You can verify with a friend's cell number, if you have a friend you trust with a cell, from what I read. According to the help, you should be able to verify with a landline number: https://support.google.com/voice/answer/165221?hl=en&co=GENIE.Platform%253DDesktop Maybe you could contact support as well. That is unfortunate.

[misterspock1]

I did find one more possible service that looks like it has a web-based interface, you could try signing up with this: https://messages.textfree.us/register I have not tried this service, though.

[racingmars]

TOTP is a far better 2FA solution than SMS / phone calls. Just install a TOTP-capable application to generate your code for you and move on with life, and start using it for everything else that supports TOTP as well while you're at it!

[kuroodo]

I've tried contacting support and they're refusing to acknowledge user concerns nor make accomodations. They don't care.

I migrated my repositories to GitLab and recommend you do to. Was straightforward.

[Fish-Git]

TOTP is a far better 2FA solution than SMS / phone calls. Just install a TOTP-capable application to generate your code for you and move on with life, and start using it for everything else that supports TOTP as well while you're at it!

Since it looks like the hardware solution I was investigating appears to be a no-go (*), yes Matthew, I am currently investigating that route:

• https://github.com/arachsys/totp

It's not designed for Windows, but as a long time Windows developer, it looks simple enough that I'm hoping I can get it to build and run on my Windows system without too much effort. We'll see.

Of course, if this approach doesn't work then I truly will be S.O.L.!  :(

---

(*) Ref: How to set up a YubiKey with GitHub?

Requirements:

• Mobile phone to receive SMS with one-time passwords (or with Google Authenticator installed to receive one-time passwords through the application). Needed for the initial setup and backup.

[misterspock1]

Don't forget to give that other site, I listed a try! It may work!

[rlayers]

Hey, just a heads up that @Fish-Git is not the only one who can't use a cell phone for authentication: I'm in the same boat, and there are plenty of others out there too.

I appreciate everyone's suggestions so far, however, workarounds involving third party accounts, services, and or applications seem like poor ways to resolve a flawed Github policy.

I understand and support the need for 2FA. But Github really needs to add some additional authentication options. Just about every other company requiring 2FA supports non-cellphone options such as landlines, e-mail confirmations, etc.

2FA does not means 'cellphone'!

[righthalfplane]

The purpose of forcing their form of 2FA is to eliminate users. They know that a lot of people will not be able to do it.

Moving to gitlab was less work then trying figure a way around no cell phone - up and running in 20 minutes.

Bye guys - until you have add e-mail confirmations.

[Fish-Git]

*** UPDATE ***

I have found a very small very simple TOTP program (command-line utility) that I am happy to report works well with GitHub. No integration required. When you login to GitHub with 2FA enabled, and it asks you for the 6-digit 2FA verification code, you simply open a Command Prompt window (Terminal window to all you *nix geeks out there) and run the program.

It waits for you to enter your "secret", and then after doing so, prints out the corresponding time-based 6-digit verification code which you then simply type into the verification code input box on your GitHub login page. VOILA! You're logged in.

I tested it by creating a brand new dummy/temporary GitHub account (solely for testing 2FA with), and enabled 2FA ("TOTP" type). When you do that, it (GitHub) then tells you what your super-secret TOTP "secret code" is (which you must then save somewhere safe (AND NOT EVER LOSE!), such as in your password safe for example), as well as your list of recovery codes too (which you should also save in your password safe and NOT EVER LOSE).

From then on, logging into GitHub with 2FA is very simple: you enter your username and password like normal. It then asks you to enter your verification code. You start your TOTP program (see further below), copy your "secret" from your password safe, paste it into the program and it calculates and prints your verification code. Enter that verification code into GitHub's web page, and VOILA! You're logged in.

Very simple. Very easy. And most importantly, it WORKS!

And you don't need a phone, you don't need SMS, you don't need email, you don't need to install any type of complicated 3rd party "app". All you need is this very small command-line utility. (It's only a 25K executable)

It's less than 100 lines long (very short and sweet and thus very lightweight) and it's Open Source:

• https://github.com/arachsys/totp

Right now it's a *nix program as it is written, but converting it into a Windows program wasn't that difficult.

I hope to be issuing a PR (Pull Request) for Chris within a couple of days, so his handy program can be compiled out-of-the-box on Linux OR Windows.

That is all for now. If anyone wants my code in the mean time, contact me and I'll be glad to send it to you.

Hope that helps!

[Fish-Git]

No, I don't call the TOTP process itself (i.e. the hoops one has to jump through) simple!

That pretty much still blows chunks, just like always.

What I called simple, was the TOTP 'C' program itself that I had to modify in order to have a tool that people in my or similar situations could use to work around Microsoft's insanity. THAT is what I called simple: the program. Not this bullshit TOTP process.

[SkybuckFlying]

Without the libcrypto-3-x64.dll it's useless ! Nice try and thanks anyway !

Installing this is a solution to get it working:

https://slproweb.com/products/Win32OpenSSL.html

[SkybuckFlying]

I tried it, this tool fails massively on Windows 11:

Live stream showing the mess in action, watch especially the end of the video if short on time:

https://www.youtube.com/live/hfBqzlVsUmI?si=V7UxHNL9pzovCU3e

Tool simply seems to hang and does nothing...

Bye for now,
Skybuck.

[SkybuckFlying]

It does seem to be working, but it is weird as fuck, command line parameters not working, must use the keyboard to type in the secret and then press enter ?! Was it too much for you to document this properly ?!?!?!?!?!?!?!?!?:

https://www.youtube.com/live/MyyBbhV00rs?si=Mq4chy-ig6xJWYSa

I suspect it's done this way to make copy & paste hard ?!

By the way when trying to copy & paste into windows 11 terminal window it will reveal the contents of the text !

Don't do this on a live stream with your bitcoin private keys !

What a fucking mess !

Laterrrrrr

[rvita]

I just want to concur. I am not a programmer and I do not use command line, but I do need to use github for work, almost daily. This change has caused me serious issues and without a human to help me, I am screwed. I do not think github is aware of the diversity of their users and/or they do not care.

[Fish-Git]

I STILL say 2FA shouldn't be required though. I am still not happy about that.   >:-(

2FA should always be only optional, not required.

Hell, even the United States CISA (Cybersecurity and Infrastructure Security Agency) simply recommends that it be used, but does not state anywhere or even recommend anywhere that it should be required by any industry.

I'm not aware of any well respected security site anywhere on the web that demands (or even recommends) that it should be required!

[Fish-Git]

Right now it's a *nix program as it is written, but converting it into a Windows program wasn't that difficult.

I hope to be issuing a PR (Pull Request) for Chris within a couple of days, so his handy program can be compiled out-of-the-box on Linux OR Windows.

I decided not to do that. Instead, I've created a separate repository for it:

• https://github.com/Fish-Git/totp

You can download either the prebuilt executable as-is, or clone the repository and build it for yourself from source.

I hope this helps others to deal with this completely unreasonable and abhorrent dictatorial GitHub mandate.

[julian-smith-artifex-com]

Thanks to @Fish-Git for posting this solution.

One can also use command-line tool oathtool, available on Linux/Devuan with apt install oathtool, or OpenBSD with pkg_add oath-toolkit:

oathtool -b --totp @secrets/github-key

Where secrets/github-key is the path of a file containing the github secret from the Authenticator app setting. Like totp this prints out the verification code.

[Or oathtool -b --totp - will read the secret from stdin.]

[rvita]

I need help. I need to use github for work, but I am not a programmer. I do not have a cell phone and I do not understand any of the solutions discussed above. I do not know how to install or run anything. So does this mean I will loose access to github?