
Re: [fltk.coredev] Re: [OT] github access for developers

 

Re: Re: [OT] github access for developers (duncan, Nov 26, 2021)
 
> BTW: since KeePassXC can also store your TOTP (2FA) parameters and generate the tokens this can also be used to store the TOTP parameters in an encrypted database. But, of course, take care to not store both factors (password and 2FA parameters) in the same database that's unlocked with one password. Paranoia is greeting ;-)

OK, I'm almost there. The thing is that the GitHub docs are not very clear on the consequences of 2FA
in terms of how everything fits together. If I understand correctly, GitHub want to secure accounts by
enforcing 2FA. This creates a personal access token (PAT) which is basically "the secret" which is used
to configure whichever authenticator app, and to generate recovery codes. You need to store the PAT
and recovery codes securely. Authy, 1Password, etc. store this info in a proprietary format in the cloud,
i.e. on their servers, so you are locked in to them, and can't work off-line (and you might have to pay).
Other apps, such as Aegis Authenticator, are open source and flexible, but you have to store it securely.
KeePassXC allows you to store your username/password pairs for each site, plus data such as the PAT,
and also stores attachments, such as your recovery codes. You have to store the database securely.

If you want to push to GitHub using HTTPS you have to enable 2FA (which means login via token)
and pushing using the PAT instead of your password.

If you want to push to GitHub using SSH you don't have to enable 2FA to log in to the site, so you
don't need the PAT, but you do need to generate and save SSH keys.

My big fear is that I screw up the configuration of one or more of these parts somewhere along the way
and I get locked out, but I'm leaning towards setting everything up this weekend to use 2FA on GitHub,
but leaving my mobile phone as the fallback authentication number if all else fails. I shall store the PAT
as a Note to the entry in KeePassXC, the recovery codes as an attachment, and shall store the database
file elsewhere too.

I shall then use the PAT as the secret for Aegis Authenticator on my Android phone as a backup system
because I think I shall be forced to use a PAT with HTTPS access to the enterprise GitLab at work and I
have less flexibility about what I can install on the corporate machine :-(

The one thing that isn't clear to me is, if I enable the KeePassXC browser extension, does it wipe, or
block access to other username/passwords that I might have already saved in the browser?
Do I have to open the preferences, or Mac keychain, and copy them out manually just to be safe?
Basically, I don't think I'll use the browser-plugin because nobody talks about this!

Why is it so complicated? Or is it that I'm just a 60-year-old bear with little brain who is over-thinking it? :-)

D.

--
You received this message because you are subscribed to the Google Groups "fltk.coredev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fltkcoredev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/fltkcoredev/e583457e-9562-4fc7-b522-b4ba74e9004an%40googlegroups.com.
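The quoted paragraph and the reply both talk about an authenticator (KeePassXC, Aegis) "generating the tokens" from stored TOTP parameters. The following is an added example, not code from this thread or from KeePassXC, Aegis or GitHub: it implements RFC 6238 TOTP over RFC 4226 HOTP so you can see exactly what such an app computes from the base32 secret the 2FA setup page displays, and why that secret, the recovery codes and the database password must not all sit behind one unlock. The function names are mine, and the demo secret is the RFC 6238 test key, not a real account secret.

```python
"""TOTP code generation (RFC 6238) from a stored base32 secret.

Added example; not code from the FLTK thread or from any authenticator app.
Anyone holding the secret and a clock produces the same six-digit codes,
which is the reason the secret is a factor in its own right.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algorithm)


def decode_base32_secret(text: str) -> bytes:
    """Accept the secret as setup pages show it: grouped with spaces, any case, no padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore base32 padding if it was stripped
    return base64.b32decode(cleaned)


def verify(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """What a server does: accept the code for +/- `window` time steps of clock drift,
    comparing in constant time so the check itself leaks nothing about the expected code."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32
# ("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"), written the way an app would display it.
DEMO_SECRET_B32 = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    key = decode_base32_secret(DEMO_SECRET_B32)
    print("code at T=59 (RFC 6238 vector):", totp(key, at=59))   # 287082
    print("code right now:                ", totp(key))
```

Run it and compare the first line against the RFC 6238 Appendix B vector for SHA-1 at T=59; any authenticator app loaded with the same base32 string shows the same code at the same time, which is the whole point of keeping that string out of the database that already holds the password.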
