undefined | Better HN

0 pointsabetusk4y ago0 comments

Can you provide some more context? In theory TOTP doesn't need a mobile phone (I guess) but in practice this is about whether GitHub, or anyone else, provides non-mobile 2FA options, either as an app running on the phone or by receiving a text message, say.

See https://docs.github.com/en/authentication/securing-your-acco... . I've only skimmed but I don't see anything in that list that doesn't require a mobile phone in one form or another.

0 comments

6 comments · 4 top-level

vel0city4y ago· 2 in thread

You should try reading it instead of just skimming it. Their steps for using TOTP (the first list of steps!) do not say anything about putting in a mobile phone or list any requirements about adding a mobile phone.

Then at the bottom for using a security key, it says "You must have already configured 2FA via a TOTP mobile app or via SMS". A TOTP app does not give out your phone number, does not rely on network connectivity, and does not require you use a mobile phone to use.

So 2/3 of the options absolutely do not require you give Google your phone number.

abetuskOP4y ago

The answer is that many of the applications listed under "mobile apps" have a desktop version that one can use. I did only skim but doing a little more link diving on the prompting of other siblings comments in this thread shows that most of those programs have desktop versions.

Your comment would leave the reader confused, including myself had I not dug deeper into each of those links, because you don't address the fundamental issue. The GitHub page says "mobile app" even though many of the applications can be installed on desktop.

The line "You must have already configured 2FA via a TOTP mobile app or via SMS" further confuses the issue because this implies anyone wanting to use 2FA would need a mobile phone, which was precisely my point. A TOTP that doesn't give out your phone number, but still requires a mobile phone to use, technically doesn't need a working phone to use but practically does require a phone, so it's a kind of pedantic point you're making.

Phones are a huge attack surface, if not from scammers then from applications, businesses or governments wanting to use it to monitor usage.

vel0city4y ago

> implies anyone wanting to use 2FA would need a mobile phone

I will acknowledge they probably shouldn't use the terminology "mobile app", but the most common way for people to use TOTP is with a mobile app which does TOTP. FWIW, there are many ways you can run a "mobile app" without using your primary phone, tablets also run "mobile apps" and there are tools to run such apps on your computer locally. This doesn't in any way give the service any kind of connectivity or access or tracking of your phone, and TOTP does not use any kind of network connectivity to operate.

I'll agree the above is a pedantic point to be making, and I agree their documentation could be better worded, and I can understand there being a bit of confusion. However whether or not you need to use a mobile phone, if the solution is TOTP a la Google Authenticator/Microsoft Authenticator/LastPass/Authy/1Password (RFC 6238), the answer is always no. RFC 6238 does not require phone numbers, it does not require network access, its purely hashes on the current time and an initial shared secret.

https://www.rfc-editor.org/rfc/rfc6238

SahAssar4y ago

I use TOTP on my desktop via a hardware key. There are many ways to do 2fa without phones as long as the provider does not consider 2fa to equal sms.

abraham4y ago

#1 says TOTP mobile app but any desktop app would work.

akerl_4y ago

1Password is in that list.

j / k navigate · click thread line to collapse