by mdb31 1502 days ago
Yet, if you go into the "enable 2FA" settings on GitHub, you only get the option to enable insecure TOTP or SMS.

Apparently, once you do that, you might be able to add proper authentication. But no word on whether that then replaces the obsolete methods you were forced to configure earlier.

But, yes, right on track to enforce 2FA in 2023, I see...

2 comments

GitHub requires [0] the first 2FA mechanism to be TOTP or SMS. Thereafter, you can add a WebAuthn-compatible hardware key.

[0] https://docs.github.com/en/authentication/securing-your-acco...

Why though? That makes absolutely no sense.

Just technically it makes no sense. WebAuthn is a great technology that addresses many privacy concerns, but once they had an excuse to collect phone numbers, they don't want to stop. Even though it's not the most secure method. Google and many others are the same way.

2FA is often used as an excuse to obtain more PII from people, and to verify your identity, as a whole. Most businesses want to match logins to individuals, not roles. And that's what 2FA provides them.

How do they get my phone number from TOTP?

Since when is TOTP obsolete?

> Since when is TOTP obsolete?

Since about the moment that teams all over the world discovered they could just paste the enrollment QR code (a.k.a. private key) into their wikis, and thereby continue unlimited sharing of their role accounts?

So, I guess 30 seconds after its introduction?
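An added illustration of the point made in the last comment, not part of the thread and not code from GitHub or any commenter: the enrollment QR code encodes an otpauth:// URI whose secret parameter is the entire shared key. Whoever holds that string, whether the enrolled phone or a wiki page it was pasted into, computes exactly the codes the server accepts, which is what makes the secret worth protecting and what a WebAuthn key, whose private key never leaves the authenticator, does not expose. The URI below is constructed for the example and carries the RFC 6238 test key; the function and variable names are this example's own, and the server-side verifier with its one-step window is a typical, not GitHub's, configuration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed enrollment URI, as an authenticator app would read it from the QR code.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
ENROLLMENT_URI = (
    "otpauth://totp/Example:role-account?"
    "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth://totp/... URI into the parameters an authenticator stores.

    The 'secret' field is the whole key: nothing else is needed to mint codes.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # base32 in URIs is often unpadded
    return {
        "label": parsed.path.lstrip("/"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
    }


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check, accepting the current step and `window` steps either side.

    Uses a constant-time comparison so the check itself does not leak digits.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits, algorithm), code)
        for delta in range(-window, window + 1)
    )


def same_code_for_every_holder(uri: str, unix_time: int) -> bool:
    """Two independent parties who each parsed the same QR code derive identical codes.

    This is the sharing problem from the thread: the 'second factor' is copyable.
    """
    phone = parse_otpauth(uri)       # the enrolled authenticator app
    wiki_copy = parse_otpauth(uri)   # the same URI pasted into a team wiki
    code_from_phone = totp(phone["secret"], unix_time, phone["period"], phone["digits"], phone["algorithm"])
    code_from_wiki = totp(wiki_copy["secret"], unix_time, wiki_copy["period"], wiki_copy["digits"], wiki_copy["algorithm"])
    return code_from_phone == code_from_wiki and verify_totp(
        phone["secret"], code_from_wiki, unix_time, phone["period"], phone["digits"], phone["algorithm"]
    )


if __name__ == "__main__":
    info = parse_otpauth(ENROLLMENT_URI)
    print("label:", info["label"], "secret bytes:", info["secret"])
    print("code at t=59:", totp(info["secret"], 59, info["period"], info["digits"], info["algorithm"]))
    print("any holder of the secret gets the same code:", same_code_for_every_holder(ENROLLMENT_URI, 59))
```

The first three values printed for the RFC 6238 test key match the vectors in that RFC, which is a quick way to confirm the implementation before using it to reason about your own enrollment data. The defensive takeaway is the one the comment makes: the secret in the QR code must be treated as a credential, and an audit for otpauth:// strings in wikis, tickets and chat exports is a reasonable detective control.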