Rendered at 13:51:42 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
6272connect 12 minutes ago [-]
Aegis is a solid choice for local 2FA, especially if you're looking for something actively maintained that doesn't rely on cloud sync. Several comments like uyzstvqs and gethly point this out, and I've seen it perform well in practice. For the absolute highest security tiers, though, consider moving towards hardware keys. While it adds a bit more friction than an app, the security posture is far superior for critical accounts.
JohannesCortez 54 minutes ago [-]
Honestly, the safest for me has always been the boring one: Microsoft authenticator
Google auth, first and the only 2FA authenticator I ever used.
aerzen 1 days ago [-]
Because some auth provider recommended it as the only app to use. While it is a good app, it does backup into Drive.
BloondAndDoom 14 hours ago [-]
While it’s not a perfect solution, you can export and backup your data with QR codes, so you can back it up without cloud.
jc-myths 11 hours ago [-]
[dead]
jjgreen 2 days ago [-]
That's been pending for a while, I'll just stop contributing code.
nextos 1 days ago [-]
You don't need an app if you don't want one.
In a CLI, oath lets you calculate a TOTP.
But it's maybe a bit more insecure if you use the same machine.
codazoda 2 days ago [-]
Why? You’re against 2FA? You couldn’t contribute without an account before, could you?
jjgreen 1 days ago [-]
I'd had a GH account for ages under my own name, I closed that as soon as Microsoft took it over, moved all my repos to GitLab, good move. I opened a new GH account under a silly name [1] so I could collaborate with people still on it. Now I'm not really against 2FA, but don't use it myself, it adds friction, adds risk (what if you lose it), it seems too "theatrical" for my liking. You want to use 2FA? be my guest, live and let live etc. What I don't like is being told what to do with my account, particularly by someone like MicroSlop. I won't add 2FA to my GH account, so I'll not contribute any code to GH based projects, ho hum. As I understand it, I'll still be able to raise issues without 2FA, fine, and when 2FA becomes mandatory for that, I'll stop doing that too.
> What I don't like is being told what to do with my account
All of the arguments against 2FA here could be made against requiring passwords longer than 8 characters.
It’s not secure. The fix is easy, effective, and has almost no downsides.
stephenr 19 hours ago [-]
> adds risk (what if you lose it)
Lose what exactly? Decent 2FA setups make you confirm you've recorded a set of backup codes somewhere (they often recommend print and store in a safe, I find a secure note in a password manager works well) before activating it.
Furthermore plenty of TOTP applications offer secure backup and syncing features.
So again, what specifically do you think you're going to "lose"?
I only use google and Microsoft, it might be a good idea for me to look into this deeper for the future.
codazoda 2 days ago [-]
Authy but I’m considering moving to Apple Passwords so it’s all together.
ecesena 1 days ago [-]
Same. To add some details, I used Authy because at the time it was the only app that would just work after upgrading my iphone. I never enabled their cloud mode, so only local 2FA codes.
gethly 5 hours ago [-]
There has been a review of these apps some time ago. I know google/ms were worst and Aegis was on the top of the list(among few others whom i do not remember). I have been using Aegis for aeges :D
pickle-wizard 2 days ago [-]
I use a passkey that is in iCloud Keychain.
threecheese 2 days ago [-]
Using GitHub MFA via the app on my iPhone.
nickcageinacage 2 days ago [-]
yea. I'm pretty sure they want separate authenticator app or browser extension
paulG12 2 days ago [-]
So now I need my damn phone to push something. Great. What's next, my national ID?
stephenr 19 hours ago [-]
If by need you mean, can choose to use, and if by push you mean, login to the GitHub web ui, then sure.
nickcageinacage 2 days ago [-]
lmao welp. that is the path other apps are going so i wouldnt be surprised
riidom 2 days ago [-]
on phone: 2FA Manager from OpenStore on UBports phone
on work laptop: 1PW
stalfosknight 2 days ago [-]
iCloud Keychain
tacostakohashi 1 days ago [-]
KeepassXC
cyberclimb 2 days ago [-]
Checkout Ente Auth
mindwork 2 days ago [-]
I still use Authy tbh
bjourne 2 days ago [-]
Microsoft showing 2FA down everyone's throat is quite painful. I don't for a second believe they are only using my phone number for authentication. They are storing the data and they are correlating it with other apps they force 2FA on.
stephenr 2 days ago [-]
So don't give them your phone number.
Arguing against 2FA is like arguing that they shouldn't bash your password because it means you can't see your password to help remember it.
stephenr 19 hours ago [-]
s/bash/hash/
bjourne 17 hours ago [-]
Um, no? Arguing against 2fa is I don't want to cede even more PII with the American tech oligopoly which, no doubt, will share said PII with the American regime.
stephenr 16 hours ago [-]
What PII?
You store a TOTP secret on your <device>....
It's less PII than an ssh public key because it's literally just a random string, that *they* generated, and you only need it for the web UI.
So please tell me how the Americans are going to track and identify you through a fucking TOTP secret.
bjourne 16 hours ago [-]
My phone number dumbo.
stephenr 16 hours ago [-]
Why would you use a phone number for 2FA. It's like saying you only use md5 hashing for passwords.
Bitwarden Authenticator (local) https://bitwarden.com/products/authenticator/
Ente (encrypted cloud backup) https://ente.com/auth/
In a CLI, oath lets you calculate a TOTP.
But it's maybe a bit more insecure if you use the same machine.
[1] https://github.com/noproblemwiththat
All of the arguments against 2FA here could be made against requiring passwords longer than 8 characters.
It’s not secure. The fix is easy, effective, and has almost no downsides.
Lose what exactly? Decent 2FA setups make you confirm you've recorded a set of backup codes somewhere (they often recommend print and store in a safe, I find a secure note in a password manager works well) before activating it.
Furthermore plenty of TOTP applications offer secure backup and syncing features.
So again, what specifically do you think you're going to "lose"?
on work laptop: 1PW
Arguing against 2FA is like arguing that they shouldn't bash your password because it means you can't see your password to help remember it.
You store a TOTP secret on your <device>....
It's less PII than an ssh public key because it's literally just a random string, that *they* generated, and you only need it for the web UI.
So please tell me how the Americans are going to track and identify you through a fucking TOTP secret.