by miohtama 644 days ago
Also if you really really hate two-factor authentication, e.g. due to psychological change resistance, there are multiple good alternatives like Bitbucket or GitLab. Nobody is forcing you to use GitHub, and usually people do not even pay for it.

> Also if you really really hate two-factor authentication, e.g. due to psychological change resistance

Nearly all resistance to 2FA is because of fear of losing access to the 2FA device. I believe it's a well-earned resistance, because they've done a terrible job of explaining that there are alternatives in that case, such as special codes that you can write down and put in a safe.

GitHub prompts you to save backup codes when you set up 2FA, and every so often when you log in. I don't think that's a terrible job, it's pretty much the standard.

They also nudge you to set up multiple 2FA methods. I have the app, a passkey, etc.

I don't bother much with the special back-up codes (although I do store them just in case). I just make sure I have the TOTP plaintext shared secrets stored on multiple devices.

One of the reasons I use Microsoft Authenticator instead of others is it allows me to back up the configuration to the Microsoft cloud. I've already followed the restore process several times over the course of replacing phones and it works well.

Authy backups work as well, have been using half a decade now.

Problem with Authy is you can't export your seeds externally, which sets you up for failure if Authy decides to turn into the next Raivo.

There is an unofficial method by using devtools on the desktop app, but it's been EOL for months and it may soon stop working completely.

If you're interested in contributing to projects that are hosted on GitHub, but aren't in a position to be making decisions about whether to migrate them, then yeah, you're forced to use GitHub.

I've given up on using GitHub. Nothing else I use requires 2FA, I don't have a smart phone, and figuring out an alternative just to post bug reports is a waste of my time, so I've taken to emailing the developers instead.

The complete lack of consistency in MFA requirements just shows no one knows what the fuck they're doing.

DoorDash: Every time I need to enter an SMS code.

UberEats: Same thing, SMS code every time.

Grubhub: No MFA ever. Wonderful.

Twitch: Every couple days I need to enter a code sent to my email (because I won't give them my phone number which they really really want me to give them).

Reddit: no MFA requirement...for now. Given how fucking garbage they've become I wouldn't be surprised if they start enforcing it soon.

Amazon: no MFA requirement despite sometimes asking.

GMail: no MFA requirement despite also asking.

> I don't have a smart phone

GitHub’s 2FA gives you the option to use SMS. But even for the authenticator method you don’t need a phone, most decent password managers nowadays support saving (and auto-filling) 2FA tokens.

There’s also the option to print/write down the one-time codes. Though the latter would admittedly be a bother if you log out frequently.

Point being there’re many ways to go about it.

Sure, but I don't like any of those options. I don't want Microsoft to have my phone number, I have like 15-20 logins, which is small enough to keep on paper [1], so I have no password manager, and I always logged out of GitHub since I generally log in to things via a private window.

I really, really don't like being tracked, "filed, stamped, indexed, briefed, debriefed, or numbered", so avoid accounts as much as possible, and all the more so from megacorporations.

[1] Correction: I originally said 10-15 but I remembered a few that are in the Firefox password manager, like archive.org.