by tgsovlerkhgsel 998 days ago
Given GitHub's policy of "no account recovery if you lose 2FA, ever, if you screw up you lose that account forever", lockout seems a bigger threat than takeover. Luckily, GitHub lets you add SMS 2FA. That isn't secure, but at least you should be able to get access to your phone number in case of a disaster.

A TOTP seed backed up (on paper only) in multiple locations is also a good fallback.


I agree - at least for me, the lockout scenario seems more likely.

The SMS 2FA is a great point! Until now I was able to not hand out my number to big tech, e.g. for ChatGPT I bought a new SIM card with a 5 EUR deposit that I just used for the registration process, but those cards expire after a couple of months if you don't use them. Guess I have to give out my cellphone number after all...

Printing out the TOTP seed and hiding the paper in multiple locations sounds somewhat wrong to me. Maybe the TOTP seed will be my new, even longer password to remember, j/k

Hmm, but if you would cryptographically hide it in publicly available data, it would be easy to recover.

Thanks for the input!

Why would hiding the TOTP seed in multiple locations be wrong?

It's meant to be a second factor, mostly there to prevent unsophisticated, remote/electronic attacks that affect millions of accounts.

Writing it down does not affect its ability to do that.
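As an added example (not code from this thread, from GitHub, or from any authenticator app), the block below shows why a paper copy of the seed, as suggested in the top post, is a complete fallback: the RFC 6238 TOTP derivation needs nothing but the base32 seed and the clock, so any faithful transcription yields the same codes. The seed used is the RFC 6238 test vector; `paper_form` and `copies_agree` are helper names chosen here.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def normalize_seed(written: str) -> str:
    """Turn a seed as transcribed from paper (spaces, dashes, lower case)
    back into canonical, padded base32 so it can be decoded."""
    cleaned = "".join(ch for ch in written.upper() if ch.isalnum())
    return cleaned + "=" * (-len(cleaned) % 8)


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time. The seed is the
    only secret state, so every correct copy of it produces the same code."""
    key = base64.b32decode(normalize_seed(seed_b32))
    counter = (int(time.time()) if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def paper_form(seed_b32: str, group: int = 4) -> str:
    """Group the seed in blocks for hand transcription; easier to read back."""
    s = normalize_seed(seed_b32).rstrip("=")
    return " ".join(s[i:i + group] for i in range(0, len(s), group))


def copies_agree(copy_a: str, copy_b: str, at: int) -> bool:
    """Verify a backup copy against the live one at a given time: a copy
    that cannot reproduce the current code is not a usable fallback."""
    return hmac.compare_digest(totp(copy_a, at), totp(copy_b, at))


# Constructed sample: the RFC 6238 test seed (ASCII "12345678901234567890") in base32.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(paper_form(RFC_SEED))
    print(totp(RFC_SEED, at=59, digits=8))   # 94287082 per RFC 6238 Appendix B
    print(copies_agree(RFC_SEED, paper_form(RFC_SEED).lower(), at=59))
```

Run `copies_agree` against your real authenticator's current code right after writing the seed down, before the original is ever lost.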

It reminds me of post-it stickers on the monitor. Well, to be fair, more like post-it stickers in a hopefully locked desk drawer.

Agreed, it will prevent any remote attacks.

You can set up multiple 2FA methods - I have two YubiKeys and a TOTP key registered.