2FA Token is unsafe #75936
I am using FreeOTP for two factor authentication. I tried to set it up with github and got the following message: Should I just ignore this message and 'add anyway'?
@giorgileladze When I setup 2FA for pypi.org using FreeOTP, I scanned in the code provided by pypi.org and did not get a warning. When I did the same for github using FreeOTP, I got the warning, so I think that github is not providing secure tokens?
This was noticed on 2023-2-10; see Is there a proper place to report this so that it gets fixed?
I posted a github ticket number 2441700 and they had the following reply: "GitHub believes an 80-bit key to still be sufficient for account security, and at this time we have no plans to change this, and recommend ignoring this message if you elect to use FreeOTP for 2FA.
What if I still feel unsure about whether adding a shorter TOTP secret really improves my account security in 2024? Would it be better to provide a way to manually select a better secret? This will also create a base for future rolling token upgrades.
I posted a github ticket number 2441700 and they had the following reply:
"The error message you've encountered is due to GitHub's use of an 80-bit TOTP secret which is used to ensure compatibility with older versions of Google Authenticator. FreeOTP warns about the usage of any secret that is shorter than 128-bits and is why you've encountered that error.
GitHub believes an 80-bit key to still be sufficient for account security, and at this time we have no plans to change this, and recommend ignoring this message if you elect to use FreeOTP for 2FA."
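To see concretely what the FreeOTP warning is measuring, here is an added example (not code from this thread, FreeOTP or GitHub) that parses an otpauth URI, reports the decoded secret length in bits against the 128-bit threshold the reply above describes, and shows that an 80-bit secret still yields valid RFC 6238 codes; the URI and its secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, unquote, urlparse

# FreeOTP warns below 128 bits (per the thread). RFC 4226 section 4 requires
# a shared secret of at least 128 bits and recommends 160 bits.
MIN_SECRET_BITS = 128

# Constructed sample: a 16-character base32 secret decodes to 10 bytes = 80 bits.
WEAK_URI = "otpauth://totp/ExampleIssuer:alice?secret=JBSWY3DPEHPK3PXP&issuer=ExampleIssuer"


def decode_secret(b32: str) -> bytes:
    """Decode an otpauth base32 secret; enrolment URIs usually omit '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def check_otpauth_uri(uri: str) -> dict:
    """Report the secret length of an otpauth://totp URI and whether it is below the threshold."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    bits = len(decode_secret(params["secret"][0])) * 8
    return {"label": unquote(parsed.path.lstrip("/")), "secret_bits": bits,
            "weak": bits < MIN_SECRET_BITS}


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation); works for any secret length."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def new_secret_b32(bits: int = 160) -> str:
    """Generate a fresh base32 secret of the given size (160 bits = RFC 4226 recommendation)."""
    return base64.b32encode(secrets.token_bytes(bits // 8)).decode().rstrip("=")


if __name__ == "__main__":
    report = check_otpauth_uri(WEAK_URI)
    print(report)  # secret_bits 80, weak True: this is what triggers the warning
    print(totp(decode_secret("JBSWY3DPEHPK3PXP"), 1700000000))  # still a valid code
    print(check_otpauth_uri("otpauth://totp/x?secret=" + new_secret_b32()))
```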