2FA Is No Good
1 day ago
2FA is no good; it does not improve security much.
GitHub requires it (although it is unclear if it is required for API access; I almost entirely use the API access anyway), but that doesn't help. Also, the method of setting it up does not even work (it just gets stuck in a loop) (and other people are complaining about this too, so it is not only me).
Some people say it may make it less secure, which is possible (since you will need to add other things to handle it, including recovery codes).
Some people say it allows Microsoft to spy on you, but TOTP doesn't allow anyone to spy on anyone. Some say it requires a mobile phone, but TOTP does not require that either.
What would actually help security on GitHub (or other git hosting services) are two things: X.509 client certificates and signed releases (both should probably be used together). Neither requires JavaScript, and neither makes it possible to steal your credentials. This also has other advantages, e.g. single sign-on.
For desktop-only people like me, the better option is to have a static IP address and have websites only allow authentication from that IP. I do this with several financial institutions. Most sites hide this option from front-line customer support, so it often requires opening a ticket. Bots can bang away, bang away, bang away.
Another option is to disable internet access altogether for accounts associated with brick-and-mortar businesses. I have done this with a few institutions as well that did not have options for a static IP requirement. These businesses know my face. I also joke with them that if someone pretends to be me, they should call the Sheriff for a good show; they will do it, and it will be on camera.
I am biased against cell phones, so I can't really add anything there. Having built out a cellular network in two states, tested hundreds of prototypes prior to smartphones, and seen how tightly integrated these companies are with governments and how proprietary the firmware and hardware is, I just cannot trust them. Perhaps my opinion will change in a few hundred years or so. If people trust their phones, then an open-source VPN that routes their traffic through their home static IP address would be an option.
I do not have a static IP address; it is dynamic but does not change very often. Also, that does not improve security that much, especially if the IP address is later reused for something else (or if you later need to do something which involves changing the IP address, in which case it cannot be accessed at all).
I do not have a cell phone either and I do not want one.