Saturday, October 4, 2025

Two-Factor Authentication on LINUX with KeePassXC

I had to set up a "2FA" (Two-Factor Authentication) or "TOTP" (Time-based One-Time Password) tool for my github account. I use github on my LINUX 6.8.0-85 / Ubuntu 24.04.3 desktop computer from my web-browser and from my Eclipse IDE. Github now forces their users to use 2FA, with a delay of 45 days. They do not recommend any tool, so I had to search for a LINUX app that provides 2FA (TOTP).

First I installed gnome-authenticator 3.32.2, but this did not work. It could not scan the github QR-code and it gave me no way to manually enter the "setup key" that github offers as alternative for scanning. Error message was "AccessDenied ... SelectArea is not allowed" (I love these messages without fix hint:-). I searched for solutions and found I had to install gstreamer1.0-gtk4, but this did not work, I found no PPA repository for it, moreover I had an installed version gstreamer1.0-gtk3. As it is useless, I removed gnome-authenticator from my system again.

Next I found an "askubuntu" page that recommended KeePassXC, and this installation worked fine via commandline "sudo apt install keepassxc". The graphical user-interface can be launched afterwards via "keepassxc".

Here are some screenshots of what I did then in that tool. I must say that I am completely new to 2FA and do not know at all how this works and what you have to do for it. I just followed the instructions of the "askubuntu" page:

  • Create a new KeePassXC database - the GUI tool prompts you for parameters and does this for you, no problem
  • Create a new "Entry" with username and password, here I used my github username and password, it did not require any password standards, or maybe my password was good enough
  • Select the "Entry" and go to menu "Entries" - "TOTP" - "Set up TOTP", here I entered the "setup key" from github
  • In the context-menu of the selected "Entry" I chose "TOTP" - "Copy TOTP" and entered the result on the github page
  • github then labeled my 2FA authentication as "Configured"
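What the "Set up TOTP" and "Copy TOTP" steps compute from the setup key, shown as an added example that is not part of the original post and not KeePassXC's own code. It assumes the RFC 6238 defaults (HMAC-SHA-1, 30-second step, 6 digits); the sample key is the RFC 6238 test secret and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test secret ("12345678901234567890") in
# base32, written lowercase and in groups. Never hard-code a real setup key.
SAMPLE_SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_setup_key(setup_key):
    """Turn the base32 text of a setup key into the raw shared secret."""
    cleaned = setup_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)


def totp(setup_key, at=None, step=30, digits=6):
    """Code for the time step that contains `at` (seconds since the epoch)."""
    counter = int(time.time() if at is None else at) // step
    secret = decode_setup_key(setup_key)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(setup_key, code, at=None, step=30, drift_steps=1):
    """Server-side check: accept the current step and its neighbours."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(setup_key, now + d * step, step).encode(),
                            code.encode())
        for d in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    print(totp(SAMPLE_SETUP_KEY))  # code for the current 30-second step
```

The code depends only on the setup key and the clock, so the setup key has to be protected like a password: anything that can read it can generate valid codes.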

Here are the screenshots of most things I have done:

Here I already created my user "Entry". The screenshot shows the context menu that leads to "New Entry".

Here is the UI where you create the "New Entry". You need to enter your username and password for that. I also entered the URL of my github project.

This is how the app looks when the "Entry" is created.

The menu to set up TOTP. Don't forget to select your "Entry" first.

Here I entered the "setup key" from github as "Secret Key".

Here is the context menu on the selected "Entry" to copy a generated TOTP.

This is how my github account "Password and authentication" page looked after I entered the generated TOTP in the github input field.

One more evening gone for LINUX! But I don't give up trusting in open-source software, it's simply the better concept.


UPDATE: Today I logged out from github to explore how to log in via 2FA with keepassxc.

  • After confirming the dialog that I really want to log out, I clicked "Log in" on the github main page
  • Until now I used a generated password sequence for accessing github; in the github login dialog, I entered my username and that generated long password, but this didn't work, the password was reported to be invalid
  • So I tried the password I entered yesterday on my keepassxc application, and this worked (I can't say if keepassxc submitted that password to github or if that was my initial old github password, because I used the same for both)
  • After receiving the correct password, github asked me to "Enter the code from your two-factor authentication app ... below"
  • I launched keepassxc, selected my "Entry", used the context menu on it and chose "TOTP" - "Copy TOTP" (see screenshot above)
  • I guess the app copied the code to the system-clipboard, so that I could paste it into the input field ("XXXXXX") on the github page in my browser
  • I didn't even have to press ENTER or click the green "Verify" button, immediately my github account page opened.

So for performing 2FA with github, you always need your 2FA app open to copy a generated TOTP from it. For starting the 2FA app, you always have to enter your password in it. Thus 2FA authentication takes more time than a simple log-in with username and password, and it requires the presence of always the same 2FA app on your device. If you lose your device, you lose access to your github account, which only can be restored using the recovery codes that github provided you while setting up 2FA for your account. If you missed that, or stored the recovery codes on your now damaged device, the github support will not be able to give you back your account! That is why they recommend to store recovery codes in some Internet cloud.

I now tried to push some source-code changes in my Eclipse, and it worked. I had configured Eclipse to also use the github-generated long password sequence, so I wonder if that will break in 45 days, because obviously that sequence became invalid.