by comstock 3133 days ago
To use 2fa on github you need a mobile phone.

Do you give every employee a mobile phone, or do you ask your employees to use their own personal phones?

Asking them to use their personal phones seems like a very bad solution. Many software companies do not routinely give developers mobile phones...

4 comments

> To use 2fa on github you need a mobile phone.

This is incorrect.

You only need the ability to generate TOTP or U2F tokens. This is often done using a smartphone app, but can also be done by a desktop app like 1Password or a hardware device like a Yubikey: https://github.com/blog/2071-github-supports-universal-2nd-f...

You can also record the TOTP secret in your automated login script, next to your password, and generate the token on the fly right there.

It's things like that that make me wonder why TOTP tokens are supposed to be conceptually different from passwords. A TOTP scheme involves knowing a master password, and nothing else.

Recording a TOTP secret next to your password would make 2FA worthless, true. That’s why you should use hardware generators whenever possible. However, GitHub supports FIDO/U2F, which is conceptually superior to TOTP: the authentication secret is bound to the domain and the token generator verifies this. So even a software U2F implementation protects against phishing, for example, while TOTP does not.

Do you know of any open source software implementations of U2F?

Firefox includes one IIRC, and there’s GitHub's SoftU2F for Mac: https://github.com/github/SoftU2F
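To make the two points above concrete (a TOTP secret is just a second shared password that can be generated anywhere, while a U2F assertion is bound to the origin the browser saw), here is an added example that is not code from the thread, from GitHub or from SoftU2F. It implements RFC 4226/6238 HOTP/TOTP with the standard library and then simulates a phishing relay against both schemes. The origin names are constructed, and an HMAC stands in for the ECDSA signature a real U2F authenticator produces; the property being demonstrated is the origin binding, not the signature algorithm.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


# --- TOTP relay: the code carries no information about where it was typed ---

def phish_relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the current code on a phishing page; the attacker
    submits it to the real site within the same 30 s step. Returns True
    when the real site accepts it, i.e. the relay succeeds."""
    code_typed_on_phishing_page = totp(secret, now)
    return hmac.compare_digest(totp(secret, now), code_typed_on_phishing_page)


# --- U2F-style assertion: the signed data includes the origin the client saw ---

def authenticator_sign(device_key: bytes, challenge: bytes, client_origin: str) -> bytes:
    """The authenticator signs challenge || SHA-256(origin) where origin is
    whatever the browser reports for the page that made the request. It
    has no way to know the "intended" origin. HMAC stands in for ECDSA
    here (simplification; real U2F uses a per-site key pair)."""
    origin_hash = hashlib.sha256(client_origin.encode()).digest()
    return hmac.new(device_key, origin_hash + challenge, hashlib.sha256).digest()


def relying_party_verify(device_key: bytes, challenge: bytes,
                         rp_origin: str, assertion: bytes) -> bool:
    """The relying party recomputes over ITS OWN origin, so an assertion
    produced for any other origin fails to verify."""
    expected = authenticator_sign(device_key, challenge, rp_origin)
    return hmac.compare_digest(expected, assertion)


def phish_relay_u2f(device_key: bytes, challenge: bytes,
                    real_origin: str, phish_origin: str) -> bool:
    """Attacker forwards the real site's challenge to the victim's browser,
    which is on the phishing origin. Returns True only if the real site
    would accept the resulting assertion (it does not)."""
    assertion_from_victim = authenticator_sign(device_key, challenge, phish_origin)
    return relying_party_verify(device_key, challenge, real_origin, assertion_from_victim)


if __name__ == "__main__":
    # Constructed values: the RFC 6238 test secret and hypothetical origins.
    rfc_secret = b"12345678901234567890"
    print("TOTP at T=59 (8 digits):", totp(rfc_secret, 59, digits=8))  # RFC vector 94287082
    print("TOTP relay accepted by real site:", phish_relay_totp(rfc_secret, 1700000000))

    device_key = b"constructed-device-key"
    challenge = b"constructed-32-byte-challenge-xx"
    real = "https://github.com"
    phish = "https://github.com.login-example.test"  # hypothetical lookalike
    print("U2F legit login accepted:", relying_party_verify(
        device_key, challenge, real, authenticator_sign(device_key, challenge, real)))
    print("U2F relay accepted by real site:", phish_relay_u2f(device_key, challenge, real, phish))
```

The TOTP half reproduces the published RFC test vectors, which is a useful sanity check when you write or audit a generator. The U2F half shows why "the token generator verifies the domain" matters: the relying party never has to trust the client about which site it was on, because the origin is folded into the signed message and a mismatch simply fails verification.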
> use their personal phones seems like a very bad solution

Why? You're not any less secure by using a personal phone. What are the odds that an employee is going to be phished and have their phone compromised by the same entity.

IANAL, but here is my thinking: The problem with personal phones is they are hard to audit. When a phone belongs to the corp, the corp owns the phone, and "probably" can audit it as it wishes.

In order to install my work Gmail account on my phone, I had to install a program on my personal phone that let admins wipe it remotely. This is not something that bothers me, because I expect to lose the phone almost any time, so the contents on it are backed up continuously on a system I control.

Whereas that bothered me so much I refused to put email on my phone and told my employer they needed to provide me with a phone if they wanted me to always be on email.

I'm already answering emails out of office hours, which is for my employer's benefit, and they want to functionally own my phone because of it?

Pretty high, actually. I mean, it's a lot of money at stake.

It's actually getting more common to give out phones, at least in companies that really care about security.

For companies that don't do that, GitHub also offers the option of FIDO U2F compatible keys.

It works with U2F as well.