GitHub is forcing everyone to undergo a pointless 2FA exercise by enabling 2FA on all accounts soon ("by the end of 2023"); one of the steps is generating 2FA recovery codes. How do you store these recovery codes? How many people simply send these to themselves via email? What's the point of forcing people to do this if this ends up being the same as regular email-based 2FA? Just another security theater? #GitHub #2FA #RecoveryCodes #Recovery #Codes #security #obscurity #SecurityTheater #tech
You can store them in your password manager?
But why would you? And even if you do, how's it different when your regular password is already not stored outside of the password manager, either? I.e., now both your regular password and the recovery codes are stored in exactly the same place! Great job, everyone!
If your GitHub account gets compromised they may change your password and you’ll lose access. The recovery codes help you with that. If you lose your password manager, yes you are screwed.
Very clumsy the way you express it, but yes, this is just an exercise in shifting liability. There's almost no actual security going on here.
Ask a real developer to help you, if you can’t securely manage recovery keys.
Real developers don't waste time with 2FA.
^okta employees crying