GitHub MFA - hpaluch/hpaluch.github.io GitHub Wiki

GitHub MFA

Recently I "was chosen" to enforce MFA on GitHub.com in order to keep access to my GitHub account. I decided to use the "pass otp" CLI client for Linux to do so, to avoid cluttering my phone with yet another bloated app...

NOTE: I mostly used https://github.com/tadfisher/pass-otp. However, it was missing the GPG part (how to make the first public+private GPG key pair).

We have to install at least (tested on openSUSE LEAP 15.6):

sudo zypper in password-store pass-otp gpg2 zbar

  1. Generate a GPG key pair with the command below; you can also consult https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key for details:

gpg --full-generate-key

Simply accept all cipher defaults, then enter your real name and e-mail (recommended, because someday in the future they may appear in various places).

Last but not least, you will be required to enter a password (passphrase) for your new key pair.

  2. Find your public GPG key ID (it will be used by the password manager). For example:

gpg --list-keys

--------------------------------
pub   ed25519 2024-11-03 [SC]
      6114868C5831C8B915391E4821595BB38131A74C
uid           [ultimate] Henryk Paluch (Cubi key) <my@email>
sub   cv25519 2024-11-03 [E]

In my case I will note the ID 6114868C5831C8B915391E4821595BB38131A74C.

  3. Now we must initialize the encrypted "wallet" for the password manager with the command:

pass init MY_PUBLIC_GPG_KEY_ID

  4. Only then log in to GitHub and go to Account -> Settings -> Security, or directly: https://github.com/settings/security

  5. Click on "Enable MFA".

  6. I used the Firefox "Screenshot" feature (from the right-click menu) to save the QR code as a PNG image (GitHub serves the QR code as SVG, which is not supported by some tools).

  7. Extract the secret from the QR code; I used the command from tadfisher's guide:

zbarimg -q --raw Screenshot-TS-Configure-two-factor-authentication.png > secret.txt

  8. Only then create the new OTP entry using:

pass otp insert github-mfa
# Enter the content of secret.txt twice

  9. Now generate an OTP (One Time Password):

pass otp github-mfa

You may be asked to enter the password for your GPG key (or NOT, if the default GPG agent has it cached).

The above command will print 6 digits - enter them on the GitHub page.

  10. You will be prompted to download "Recovery codes" - download them and store them in a safe place.

  11. Click on the "I downloaded codes" button - this will activate MFA.
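As an added example (not code from this wiki page nor from the pass-otp project), here is a small POSIX sh script that performs the extract / insert / generate steps in one go and, before anything is inserted into the store, checks that what zbarimg decoded is really an otpauth://totp URI carrying a Base32 secret. A wrong or truncated decode (wrong QR code in the screenshot, cropped image) is then rejected before it reaches the store instead of producing codes GitHub will not accept. The function names and the validation rules are mine; zbarimg, pass otp insert, pass otp and the entry name github-mfa are from the page. It assumes the store was already initialized with pass init as described above and that pass-otp accepts the URI on stdin (it prompts for it twice, which is why the URI is piped twice).

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check the otpauth URI that
# zbarimg decoded from the GitHub QR code before handing it to "pass otp".
# Assumptions: zbarimg and pass-otp are installed, and the pass store was
# already initialized with "pass init <GPG key id>".
set -eu

# Print the value of the "secret" query parameter of an otpauth URI.
# Returns 1 when the URI has no query string or no secret= parameter.
otp_secret_from_uri() {
    query=${1#*\?}                       # strip everything up to and including '?'
    [ "$query" != "$1" ] || return 1     # no '?' at all -> no parameters
    printf '%s\n' "$query" | tr '&' '\n' | sed -n 's/^secret=//p' | head -n 1 | grep .
}

# Print the label part, e.g. "GitHub:<user>" from otpauth://totp/GitHub:<user>?...
otp_label_from_uri() {
    label=${1#otpauth://totp/}
    printf '%s\n' "${label%%\?*}"
}

# Return 0 if the argument looks like a usable TOTP provisioning URI, else 1.
# A GitHub QR code yields "otpauth://totp/GitHub:<user>?secret=...&issuer=GitHub".
validate_otpauth_uri() {
    uri=$1
    case "$uri" in
        otpauth://totp/*) ;;             # only TOTP is usable with this workflow
        *) return 1 ;;
    esac
    secret=$(otp_secret_from_uri "$uri") || return 1
    # Base32 alphabet (RFC 4648), optional '=' padding, and a plausible length.
    printf '%s' "$secret" | grep -Eq '^[A-Z2-7]+=*$' || return 1
    [ "${#secret}" -ge 16 ] || return 1
    return 0
}

# Full enrolment: QR screenshot -> otpauth URI -> pass otp entry -> first code.
enroll_from_screenshot() {
    png=$1
    uri=$(zbarimg -q --raw "$png")       # same command as in the wiki
    validate_otpauth_uri "$uri" || { echo "not a TOTP otpauth URI: $uri" >&2; return 1; }
    printf 'Enrolling label: %s\n' "$(otp_label_from_uri "$uri")"
    # pass-otp asks for the URI and then a confirmation, hence the URI twice.
    printf '%s\n%s\n' "$uri" "$uri" | pass otp insert github-mfa
    pass otp github-mfa                  # prints the 6-digit code to type into GitHub
}

# Usage: sh github-mfa-enroll.sh Screenshot-TS-Configure-two-factor-authentication.png
[ $# -eq 1 ] && enroll_from_screenshot "$1"
```

Run it with the PNG screenshot as the only argument; with no argument it only defines the functions, so you can source it and call validate_otpauth_uri on the contents of secret.txt by hand.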

Now strongly recommended:

  • do NOT log out (in case something went wrong)
  • open another browser, possibly a New Private Window
  • log in at https://github.com/login
  • after entering your login and password, you will be asked for the OTP code (6 digits)
  • now run pass otp github-mfa to get these digits
  • enter them - they should be validated automatically and you will be redirected to the GitHub page.

Backup

Very important!

You need to back up:

  • GPG (TODO How)
    • public key
    • private key
    • password for the private key
    • or simply: the contents of ~/.gnupg/
  • Password (pass) manager store, normally under ~/.password-store/
    • or just print the secret URI with pass otp uri github-mfa and store it safely.
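As an added example (not from the wiki page, which leaves the GPG part as a TODO), here is a POSIX sh script that backs up both items from the list above into one directory: the GPG key pair as ASCII-armored exports plus the owner-trust database, and the pass store as a tar.gz archive whose file count is checked against the store. The function names and the destination layout are mine; gpg --export, gpg --export-secret-keys and gpg --export-ownertrust are standard GnuPG options. Note that the export of the secret key is still protected by the key passphrase, so the passphrase itself must be kept separately, exactly as the list says.

```shell
#!/bin/sh
# Added example (not from the wiki page): back up the GPG key pair and the
# pass store. Assumes gpg (gpg2) and tar are installed; the key ID and the
# destination directory are given on the command line.
set -eu

# Export public key, secret key and owner-trust for KEYID into DEST as
# ASCII-armored files. gpg prompts for the passphrase when exporting the
# secret key; the passphrase is NOT part of the export.
backup_gpg_key() {
    keyid=$1; dest=$2
    mkdir -p "$dest"
    gpg --armor --export "$keyid" > "$dest/gpg-public-$keyid.asc"
    gpg --armor --export-secret-keys "$keyid" > "$dest/gpg-secret-$keyid.asc"
    gpg --export-ownertrust > "$dest/gpg-ownertrust.txt"
    chmod 600 "$dest"/gpg-secret-*.asc
}

# Archive the password store (its entries, e.g. github-mfa.gpg, are already
# GPG-encrypted) into DEST/password-store-<date>.tar.gz, verify that the
# archive lists as many files as the store contains, and print the archive path.
backup_pass_store() {
    store=$1; dest=$2
    mkdir -p "$dest"
    archive="$dest/password-store-$(date +%Y%m%d).tar.gz"
    tar -czf "$archive" -C "$(dirname "$store")" "$(basename "$store")"
    want=$(find "$store" -type f | wc -l | tr -d ' ')
    have=$(tar -tzf "$archive" | grep -vc '/$' || true)   # entries not ending in '/' are files
    [ "$want" -eq "$have" ] || { echo "archive is missing files ($have of $want)" >&2; return 1; }
    printf '%s\n' "$archive"
}

# Usage: sh backup-mfa.sh 6114868C5831C8B915391E4821595BB38131A74C ~/mfa-backup
if [ $# -eq 2 ]; then
    backup_gpg_key "$1" "$2"
    backup_pass_store "$HOME/.password-store" "$2"
fi
```

Store the resulting directory on offline media; the secret-key export and the store archive are both useless without the GPG passphrase, and the passphrase without them is equally useless, so keep the two apart.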

TODO: verify

Resources

⚠️ **GitHub.com Fallback** ⚠️