by thaumasiotes 3133 days ago
You can also record the TOTP secret in your automated login script, next to your password, and generate the token on the fly right there.

It's things like that that make me wonder why TOTP tokens are supposed to be conceptually different from passwords. A TOTP scheme involves knowing a master password, and nothing else.
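As an added example (not code from the post or from any project named in the thread), here is what "generate the token on the fly right there" amounts to: RFC 6238 TOTP computed from the stored secret, plus the otpauth:// enrolment URI parser a script would use to get that secret out of the QR code, and the server-side verifier, which needs the very same secret. The enrolment URI in main is constructed from the RFC 6238 test secret; period and digits default to 30 and 6 as the RFC does.

```go
package main

// Added example, not code from the thread: RFC 6238 TOTP generated from a
// stored secret, i.e. what a login script that keeps the secret next to the
// password does. Also the otpauth:// URI parser and a server-side verifier.

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to a 31-bit integer, then the last `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238): HOTP with counter = floor(unixTime / period).
func TOTP(secret []byte, unixTime, period int64, digits int) string {
	return HOTP(secret, uint64(unixTime/period), digits)
}

// DecodeSecret accepts the base32 string shown at enrolment, with or without
// padding, spaces, or lower case (all of which authenticator apps tolerate).
func DecodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.TrimRight(strings.ReplaceAll(s, " ", ""), "="))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// ParseOTPAuthURI pulls secret, period and digits out of the otpauth://totp/
// URI that the enrolment QR code encodes; period and digits default per RFC 6238.
func ParseOTPAuthURI(raw string) (secret []byte, period int64, digits int, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, 0, 0, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, 0, 0, fmt.Errorf("not a TOTP URI: %q", raw)
	}
	q := u.Query()
	if secret, err = DecodeSecret(q.Get("secret")); err != nil {
		return nil, 0, 0, err
	}
	period, digits = 30, 6
	if v := q.Get("period"); v != "" {
		fmt.Sscan(v, &period)
	}
	if v := q.Get("digits"); v != "" {
		fmt.Sscan(v, &digits)
	}
	return secret, period, digits, nil
}

// Verify is the server side: accept the current step and its neighbours to
// absorb clock skew, and compare in constant time. It needs the same secret
// the client holds, which is exactly the symmetry the post is pointing at.
func Verify(secret []byte, code string, unixTime, period int64, digits int) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		want := TOTP(secret, unixTime+skew*period, period, digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed enrolment URI carrying the RFC 6238 test secret "12345678901234567890".
	uri := "otpauth://totp/GitHub:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub"
	secret, period, digits, err := ParseOTPAuthURI(uri)
	if err != nil {
		panic(err)
	}
	fmt.Println("code right now:", TOTP(secret, time.Now().Unix(), period, digits))
}
```

The whole scheme reduces to one shared secret plus a clock: anyone who can read the script's config (or the server's database) can produce valid codes, and Verify has no way to tell a script from a phone.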


Recording a TOTP secret next to your password would make 2FA worthless, true. That’s why you should use hardware generators whenever possible. However, GitHub supports FIDO U2F, which is conceptually superior to TOTP: the authentication secret is bound to the domain and the token generator verifies this. So even a software U2F implementation protects against phishing, for example, while TOTP does not.
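The domain binding described in the comment above, as an added example that is not code from the thread or from SoftU2F: a software U2F token, the browser step that turns the origin into the app parameter, and the relying-party check. ECDSA P-256 and the signed-data layout (appParam || user presence || counter || challengeParam) follow U2F; the HMAC-based stateless key-handle derivation is a simplified version of the scheme some hardware tokens use, attestation is omitted, and the client data is reduced to the fields that matter here. Origins, the device master secret and the challenges are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"math/big"
)

// Added example (not from the thread or SoftU2F). AppParam is all the token ever
// sees of the site: SHA-256 of the app ID, which defaults to the page origin.
func AppParam(appID string) []byte { h := sha256.Sum256([]byte(appID)); return h[:] }

// SoftToken is stateless: each key is re-derived from a device master secret and the key handle.
type SoftToken struct {
	master  []byte
	counter uint32
}

func (t *SoftToken) deriveKey(appParam, nonce []byte) (*ecdsa.PrivateKey, []byte) {
	m := hmac.New(sha256.New, t.master)
	m.Write(append(append([]byte{}, appParam...), nonce...))
	tag := m.Sum(nil) // ties this handle to exactly one appParam
	k := hmac.New(sha256.New, t.master)
	k.Write(append([]byte("u2f-key|"), tag...)) // private scalar; never leaves the token
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(k.Sum(nil))
	d.Mod(d, new(big.Int).Sub(curve.Params().N, big.NewInt(1))).Add(d, big.NewInt(1)) // in [1, n-1]
	x, y := curve.ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}, tag
}

// Register returns the uncompressed public key and the key handle nonce || tag (attestation omitted).
func (t *SoftToken) Register(appParam []byte) (pubKey, keyHandle []byte) {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand; assumed not to fail (documented as never failing since Go 1.24)
	priv, tag := t.deriveKey(appParam, nonce)
	return elliptic.Marshal(priv.Curve, priv.X, priv.Y), append(nonce, tag...)
}

// Authenticate signs appParam || userPresence || counter || challengeParam, but refuses a handle not issued for this appParam.
func (t *SoftToken) Authenticate(appParam, challengeParam, keyHandle []byte) (signed, sig []byte, err error) {
	if len(keyHandle) != 48 {
		return nil, nil, errors.New("malformed key handle")
	}
	priv, tag := t.deriveKey(appParam, keyHandle[:16])
	if !hmac.Equal(tag, keyHandle[16:]) {
		return nil, nil, errors.New("key handle was not registered for this application")
	}
	t.counter++
	signed = append(append([]byte{}, appParam...), 0x01) // 0x01 = user presence
	signed = append(binary.BigEndian.AppendUint32(signed, t.counter), challengeParam...)
	digest := sha256.Sum256(signed)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return signed, sig, err
}

// BrowserSign models the browser: appParam comes from the browser's own origin, which it also records in the client data.
func BrowserSign(tok *SoftToken, origin, challenge string, keyHandle []byte) (clientData, signed, sig []byte, err error) {
	clientData, _ = json.Marshal(map[string]string{"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin})
	ch := sha256.Sum256(clientData)
	signed, sig, err = tok.Authenticate(AppParam(origin), ch[:], keyHandle)
	return clientData, signed, sig, err
}

// VerifyAssertion is the relying-party side; it returns the new counter value to store.
func VerifyAssertion(pubKey []byte, appID, challenge string, lastCounter uint32, clientData, signed, sig []byte) (uint32, error) {
	var cd map[string]string
	ch := sha256.Sum256(clientData)
	if json.Unmarshal(clientData, &cd) != nil || cd["origin"] != appID || cd["challenge"] != challenge ||
		len(signed) != 69 || !hmac.Equal(signed[:32], AppParam(appID)) || !hmac.Equal(signed[37:], ch[:]) {
		return 0, errors.New("assertion is not bound to this origin and challenge")
	}
	ctr := binary.BigEndian.Uint32(signed[33:37])
	if ctr <= lastCounter {
		return 0, errors.New("counter did not advance (replay, or a cloned token)")
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), pubKey)
	digest := sha256.Sum256(signed)
	if x == nil || !ecdsa.VerifyASN1(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, digest[:], sig) {
		return 0, errors.New("bad public key or signature")
	}
	return ctr, nil
}

// Demo: an honest login, a replay of that assertion, and a phishing origin presenting the github.com key handle.
func Demo() (honest, replay, phish error) {
	tok := &SoftToken{master: []byte("constructed-device-master-secret")}
	pub, kh := tok.Register(AppParam("https://github.com"))
	cd, signed, sig, _ := BrowserSign(tok, "https://github.com", "challenge-1", kh) // an error here surfaces as a bad signature
	ctr, honest := VerifyAssertion(pub, "https://github.com", "challenge-1", 0, cd, signed, sig)
	_, replay = VerifyAssertion(pub, "https://github.com", "challenge-1", ctr, cd, signed, sig)
	_, _, _, phish = BrowserSign(tok, "https://github.com.evil.example", "challenge-2", kh)
	return honest, replay, phish
}
```

Two things do the work here, and neither has a TOTP equivalent. The token checks the key handle's tag against the appParam the browser computed from its own origin, so a look-alike site gets a refusal rather than a signature. And the relying party checks that the origin recorded in the client data and the appParam inside the signed bytes are its own, so even a signature obtained some other way does not transfer. Storing the token's master secret in a script (as SoftU2F effectively does on disk) does not change this, because the secret alone cannot be made to sign for the wrong origin through an honest browser.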
Do you know of any open-source software implementations of U2F?
Firefox includes one, IIRC, and there’s GitHub’s SoftU2F for Mac: https://github.com/github/SoftU2F