[lostindetails]

Using passkeys as an additional login method I can understand, but I have a problem that I don't know how to solve:

How can I guard against losing permanent access to my github account?

Until know I have memorized a very long and random password, that I sometimes type in to keep it in memory. In case of a fire or some similar event in which I would lose my stuff (like devices recovery codes) I'd have no issue, but with the upcoming requirement on github which enforces 2-factor authentication I don't know how I would be able to get access to my account?

[tgsovlerkhgsel]

Given GitHubs policy of "no account recovery if you lose 2FA, ever, if you screw up you lose that account forever", lockout seems a bigger threat than takeover. Luckily, Github lets you add SMS 2FA. That isn't secure, but at least you should be able to get access to your phone number in case of a disaster.

A TOTP seed backed up (on paper only) in multiple locations is also a good fallback.

[lostindetails]

I agree - at least for me, the lockout scenario seems more likely.

The SMS 2FA is great point! Until now I was able to not hand out my number to bigtech, eg. for Chatgpt I bought an new SIM card with a 5 EUR deposit that I just used for the registration process, but those cards expire after a couple of months if you don't use them. Guess I have to give out cellphone number after all...

Printing out the TOTP seed and hiding the paper in multiple locations sounds somewhat wrong to me. Maybe the TOTP seed will be my new, even longer password to remember j/k

Hmm, but if you would cryptographically hide it in publicly available data, it would be easy to recover.

Thanks for the input!

[tgsovlerkhgsel]

Why would hiding the TOTP seed in multiple locations be wrong?

It's meant to be a second factor, mostly there to prevent unsophisticated, remote/electronic attacks that affect millions of accounts.

Writing it down does not affect its ability to do that.

[lostindetails]

It reminds me of post it stickers on the monitor. Well, to be fair more like post-it stickers in a hopefully locked desk drawer.

Agreed, it will prevent any remote attacks.

[klooney]

You can set up multiple 2FA- I have two yubikeys and a TOTP key registered.

[neonnomad]

1password can store passkeys for you and sync between multiple devices. Then I add a Yubikey Bio to add of these accounts as a backup.

[lostindetails]

Thank you for the answer! I don't want to use a cloud service for sync, I will take a look if an opensource solution has a direct device to device sync, I haven't thought about that. I will also checkout the yubikey bio - I guess as it's hardware so no pesky account cloud connected? Thanks for the ideas!