Add multiple Authenticator apps for signon

[J-Cake]

Select Topic Area

Question

Body

Hi folks, I'm a huge fan of 2FA apps and use then for everything. The issue is I'm lazy, and have a desktop program for this, so I can log into github from my PC without touching my phone. But it's not always accessible, and if I need to access GitHub when I'm away from my PC, I face difficulties. I'm wondering if there's a way to add multiple Authenticator apps to GitHub? I can add multiple 2FA methods, but not two of the same. I do understand the reasoning / technicalities behind it, having implemented something similar myself, but I would love the option to have multiple 2FA apps simultaneously. What might my options look like?

Best,
JCake

[CendioOssman]

Any response from GitHub on this? Now that 2FA is getting mandatory, flexibility and ease of use if even more important.

[Clemens85]

I am also quite disappointed... it is still not possible to add multilple authenticator apps (which is really useful if you have e.g. a second mobile phone).
You made MFA mandatory, then make it also more usable...

[joshuawalker]

When you're setting up (or reconfiguring) 2FA with an authenticator app, you can save the one-time password secret key to multiple authenticator apps (e.g. KeePassXC on your desktop and Microsoft Authenticator on your mobile device). Each app will generate the same TOTP code. You will need to save the secret key during setup: GitHub will not reveal your secret key again once you save your 2FA configuration.

[J-Cake]

This is a good suggestion, but to me this defeats the purpose of authenticator apps, in that the code is unique to the device. I mean true, this is a workaround, and happens to be exactly what I asked for, but true support for multiple Authenticator apps would be best.

[joshuawalker]

It is a specific design decision to be agnostic towards where and how the TOTP secret key is stored. Making these secret keys somehow "device-specific" would require a fundamental adjustment in how TOTP 2FA is generally understood to function, for a negligible security improvement. At that point, a user should consider using a passkey.

[john-peterson]

So there is one pass key and one authenticator totp setup key

Should I save the setup key so I can enter it in more apps for safety?

I can't see the pass key so I can't manually save it anywhere

[john-peterson]

I have to save this topic because I am totally confused I have never in my life used this before

Like being forced to eat with chop sticks at forty five

[J-Cake]

So there is one pass key and one authenticator totp setup key

Should I save the setup key so I can enter it in more apps for safety?

I can't see the pass key so I can't manually save it anywhere

So I actually took some time to investigate this. I'm using three different apps; Microsoft Authenticator, Samsung Wallet and KDE Keysmith. Turns out this is exactly everything you need. GitHub will generate a QR code containing seed (not sure what you call it, but I call it a seed) which Samsung Wallet and Authenticator both understand to generate the next code. Crucially, if you scan the same code into the various apps, they will always generate the same OTP. For Keysmith, I had to decode the QR code manually because I'd already dismissed the prompt. But you can't retrieve the seed once it's been saved or scanned. So you kinda have to set them all up at the same time. What I did was take a screenshot of the QR code so I can reuse it. But be careful with that as that QR code allows you to access the GH account.

[jpanagos]

Just configured 2FA on two separate computers, both using the same type of method (browser authenticator app -- https://authenticator.cc/). The process is as follows:

• Login using your current method.
• Under https://github.com/settings/security, click on Edit for your preferred method.
• This will generate a secret key, treat it like a password, and save it securely.
• Use this key to setup the authenticator on both devices.
• Click on the authenticator app icon, then the pencil icon, then the + sign, select Manual Entry, set GitHub as the issuer, then your secret key, and your username under the Advanced tab (I didn't change any other setting there).

You should be able to login without problems on both devices using the same type of 2FA method.

I cannot comment on other methods, but this worked for me and maybe it will help someone.

[cmette]

This is definitely not possible. I have tested it several times and tried it with various apps, FreeOTP, MicrosoftAuthenticstor etc. Only one end device can be registered. This is of course a big disadvantage!

[mak448a]

It works! I had to try a few times though. I probably accidentally copied the key the authenticator app generated 😅

[Ebola-Chan-bot]

This is definitely not possible. I have tested it several times and tried it with various apps, FreeOTP, MicrosoftAuthenticstor etc. Only one end device can be registered. This is of course a big disadvantage!

There is one key note that the author did not emphasize. At https://github.com/settings/security, you for a lifetime only click "Edit" only once and generate the key. Once generated, that key must be saved into an independent file and used for authentication on multiple devices. And then, for the rest of your life, never run into that fucking Edit again. Whenever if you accidentally touch this Edit, all your previous authentications will become garbage. You will then have to re-authenticate all your devices from scratch with that newly generated key.

[MarkoRamius]

"And then, for the rest of your life, never run into that fucking Edit again." This.

[huan]

Yo GitHub crew, can we talk about the whole “one-authorizer-app-at-a-time” setup? Like, why can’t we just add a new one without having to boot the old one out?

Tech-wise, it’s not rocket science. Take Heroku, for example—they let you roll with two or more authorizer apps no sweat. I used to rock Authy there, and just recently, I added Apple Password without breaking a sweat.

This would be clutch for so many scenarios, so let’s rally and get this on the radar, yeah? Would love to see it happen!

[GlitterHorn]

Adding my voice to the rest here - I just had to do manual account recovery after forgetting to set up another device before wiping my previous one, and went to set up two OTP apps so I don't have to go through recovery again. I'd rather be able to set up multiple OTP apps, than require GitHub to use human labor to do manual account validations...