GitHub now requiring 2FA for all contributors,what authenticator apps you using?

GitHub is rolling out mandatory 2FA for accounts that contribute code, with a 45-day window to enroll.

Aegis, Raivo, or Ente are the ones that have most promise from what I've read. Any other recommendations? or thoughts on those three in particular.

TY

Comments

uyzstvqsMar 26, 2026, 3:21 PM
Aegis (local) https://github.com/beemdevelopment/aegis

Bitwarden Authenticator (local) https://bitwarden.com/products/authenticator/

Ente (encrypted cloud backup) https://ente.com/auth/

jc-mythsMar 26, 2026, 4:27 PM
Google auth, first and the only 2FA authenticator I ever used.
aerzenMar 27, 2026, 6:45 AM
Because some auth provider recommended it as the only app to use. While it is a good app, it does backup into Drive.
grahammccainMar 27, 2026, 2:01 PM
I only use google and Microsoft, it might be a good idea for me to look into this deeper for the future.
jjgreenMar 26, 2026, 2:54 PM
That's been pending for a while, I'll just stop contributing code.
nextosMar 27, 2026, 1:53 AM
You don't need an app if you don't want one.

In a CLI, oath lets you calculate a TOTP.

But it's maybe a bit more insecure if you use the same machine.

codazodaMar 26, 2026, 11:45 PM
Why? You’re against 2FA? You couldn’t contribute without an account before, could you?
jjgreenMar 27, 2026, 9:39 AM
I'd had a GH account for ages under my own name, I closed that as soon as Microsoft took it over, moved all my repos to GitLab, good move. I opened a new GH account under a silly name [1] so I could collaborate with people still on it. Now I'm not really against 2FA, but don't use it myself, it adds friction, adds risk (what if you lose it), it seems too "theatrical" for my liking. You want to use 2FA? be my guest, live and let live etc. What I don't like is being told what to do with my account, particularly by someone like MicroSlop. I won't add 2FA to my GH account, so I'll not contribute any code to GH based projects, ho hum. As I understand it, I'll still be able to raise issues without 2FA, fine, and when 2FA becomes mandatory for that, I'll stop doing that too.

[1] https://github.com/noproblemwiththat

stephenrMar 27, 2026, 6:29 PM
> adds risk (what if you lose it)

Lose what exactly? Decent 2FA setups make you confirm you've recorded a set of backup codes somewhere (they often recommend print and store in a safe, I find a secure note in a password manager works well) before activating it.

Furthermore plenty of TOTP applications offer secure backup and syncing features.

So again, what specifically do you think you're going to "lose"?

thegoldenmanMar 27, 2026, 12:46 AM
https://apps.apple.com/au/app/2fa-authenticator-2fas/id12177...
codazodaMar 26, 2026, 11:46 PM
Authy but I’m considering moving to Apple Passwords so it’s all together.
ecesenaMar 27, 2026, 2:55 AM
Same. To add some details, I used Authy because at the time it was the only app that would just work after upgrading my iphone. I never enabled their cloud mode, so only local 2FA codes.
threecheeseMar 26, 2026, 4:22 PM
Using GitHub MFA via the app on my iPhone.
nickcageinacageMar 26, 2026, 4:41 PM
yea. I'm pretty sure they want separate authenticator app or browser extension
paulG12Mar 26, 2026, 4:44 PM
So now I need my damn phone to push something. Great. What's next, my national ID?
stephenrMar 27, 2026, 6:31 PM
If by need you mean, can choose to use, and if by push you mean, login to the GitHub web ui, then sure.
nickcageinacageMar 26, 2026, 5:04 PM
lmao welp. that is the path other apps are going so i wouldnt be surprised
pickle-wizardMar 26, 2026, 3:51 PM
I use a passkey that is in iCloud Keychain.
tacostakohashiMar 27, 2026, 1:12 PM
KeepassXC
riidomMar 26, 2026, 11:59 PM
on phone: 2FA Manager from OpenStore on UBports phone

on work laptop: 1PW

cyberclimbMar 26, 2026, 10:54 PM
Checkout Ente Auth
stalfosknightMar 26, 2026, 2:22 PM
iCloud Keychain
mindworkMar 26, 2026, 5:21 PM
I still use Authy tbh
bjourneMar 26, 2026, 6:16 PM
Microsoft showing 2FA down everyone's throat is quite painful. I don't for a second believe they are only using my phone number for authentication. They are storing the data and they are correlating it with other apps they force 2FA on.
stephenrMar 26, 2026, 6:54 PM
So don't give them your phone number.

Arguing against 2FA is like arguing that they shouldn't bash your password because it means you can't see your password to help remember it.

stephenrMar 27, 2026, 6:32 PM
s/bash/hash/
bjourneMar 27, 2026, 8:35 PM
Um, no? Arguing against 2fa is I don't want to cede even more PII with the American tech oligopoly which, no doubt, will share said PII with the American regime.
stephenrMar 27, 2026, 9:42 PM
What PII?

You store a TOTP secret on your <device>....

It's less PII than an ssh public key because it's literally just a random string, that *they* generated, and you only need it for the web UI.

So please tell me how the Americans are going to track and identify you through a fucking TOTP secret.

bjourneMar 27, 2026, 9:54 PM
My phone number dumbo.
stephenrMar 27, 2026, 10:00 PM
Why would you use a phone number for 2FA. It's like saying you only use md5 hashing for passwords.
nashashmiMar 26, 2026, 5:34 PM
Totp.app