Hm, does Github not have a way to enforce key-based 2FA across your organization? Seems that users can even set up an SMS backup, which I would love to block.
Conversation
Replying to
Does it even have a way to use security keys without TOTP 2FA enabled? I don't think that's supported.
Google is one of the only services where you even have that option, let alone an equivalent to the Advanced Protection Program.
At least Twitter supports it now... but generally not more important things.
Replying to
It appears to be the case that I can't actually disable TOTP 2FA because it's enforced org-wide.
1
Replying to
I think they have security keys set up as only being a supplementary option. I don't understand why but that's how most sites implemented it. Until recently, Twitter was the same way.
Google, Twitter, OVH and AWS are the only services where I've been enable to force using keys.
1
Show replies