2FA make me like a people with disabilities

[mobile-sergey]

Select Topic Area

Product Feedback

Body

You wrote:

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in GitHub Community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
https://github.com/community/community/blob/main/CODE_OF_CONDUCT.md

But 2FA broke this rulels:

1) You mandatory 2FA is harassment for me (and some people - you can find they in discussions by searching '2FA')
My mobile devices is my own life. But 3 methods from 5 (SMS, Authefication App, GitHub App) needs my own mobile phone. And 4th method is physical key - is it sexual harassment? Only one method "passkey" is ok. But we need 2 methods for 2FA!

2) I must have bigger "level of experience" after Microsoft buy GitHub:
2 years ago I can use GitHub from terminal with login and password - it's easy and comfortable.
1 year ago Microsoft closed the ability to use login and password - only SSH and GitHub tokens - only hardcore.
Now Microsoft add mandatory 2FA - we need know how works: passkeys, authentificator app, security keys, recovery codes - impossible

3) 2FA is not open and welcoming environment for ethnicity identity and nationality
I want to use SMS for verification method, but country of my ethnicity identity and nationality is not in list to use SMS in 2FA (https://docs.github.com/ru/authentication/securing-your-account-with-two-factor-authentication-2fa/countries-where-sms-authentication-is-supported#supported-countries-for-sms-authentication). If you want to be open and welcoming you can use something like https://messaggio.com/ - and add methods to send by messagers (Viber, WhatsApp, Telegram)

Ok, I turn on 2FA and add authentification by passkeys and desktop authentificator app on my working computer. But I can use GitHub when I go to study when we can use one from 777 computers and can't install any apps. Now with 2FA I am like people with disabilities - sometimes I can't use GitHub.

Can you make 2FA optional or add other methods to authentification (like send code by messagers or use login and password)?

[ghostinhershell]

Hi there @mobile-sergey,

Thanks so much for reaching out about this topic. Our Accessibility team did release an official statement regarding 2FA for users who rely on assistive technology and users with accessibility requirements. You can find that statement in our Two Factor Authentication Frequently Asked Questions 🔑 🗝️ post. I'll also copy the message here:

GitHub provides numerous options for two-factor authentication (2FA), and these provide a wide range of flexibility for users with disabilities.

GitHub strongly recommends the use of time-based one-time password (TOTP) applications. There are a variety of TOTP applications for desktop and mobile devices. Users can do their own research to find a TOTP application that best meets their accessibility needs. To get started, search for “TOTP app” in your browser. You can also refine your search by adding keywords like “free” or “open source” to match your preferences.

If you have a mobile phone and live in a region where we support SMS messages, getting set up with SMS does not require any additional apps, and you can rely on the assistive technology you already have on your mobile device.

If efficiency is important to you, consider using passkeys to sign in after you’ve configured 2FA. Passkeys allow you to sign-in with very few steps as they meet both password and 2FA requirements. Using passkeys in conjunction with your preferred password manager enables a fast and efficient experience across all your devices.

Questions and feedback about the accessibility of a third-party application should be directed to the application provider. If you have feedback about the accessibility of GitHub products, please connect with our community using the accessibility community discussions page.

I recommend taking a look at that post because it touches on a few of the concerns that you have shared in this post.

[cehfisher]

Hello @mobile-sergey - I wanted to follow up on this issue. Did the comment by @ghostinhershell resolve this issue for you or is there more information we can provide to help you resolve this issue? (cc @queenofcorgis)

[mobile-sergey]

I use TOTP apps (KeePassXC) on two computers (on work and at home) it fix some of my problems with GitHub.
But I can't use GitHub in School 21 (it's Russian version of French programming school: Encole 42) because to work with GitHub there I need to install TOTP on 777 computers - it's impossible.

That is why my points:

1. You mandatory 2FA is harassment for me
   Partially fixed (I use "Passekey" + "TOTP on Desktop"). Why Microsoft as second method don't get login/password or code on email?
2. I must have bigger "level of experience" after Microsoft buy GitHub
   It's true. Now I use tokens, ssh, TOAP and I can't use GitHub from terminal or from my phone (I don't want to use TOTP on phone).
3. 2FA is not open and welcoming environment for ethnicity identity and nationality
   It's true. Russian Federation and Ukraine not in list:
   https://docs.github.com/ru/authentication/securing-your-account-with-two-factor-authentication-2fa/countries-where-sms-authentication-is-supported#supported-countries-for-sms-authentication

Unfortunately I haven't time to fight against 2FA and Microsoft.
I thinking about delete all 100+ my repositories from GitHub and move it to GitLab or other service.
But now I haven't time to this.

[cehfisher]

Thank you for taking the time to elaborate on your issue. We will file this with our Accessibility team so that it can be reviewed and will follow-up here with any additional questions or updates. Thanks again!