Hm, does Github not have a way to enforce key-based 2FA across your organization? Seems that users can even set up an SMS backup, which I would love to block.
Conversation
Replying to
Does it even have a way to use security keys without TOTP 2FA enabled? I don't think that's supported.
Google is one of the only services where you even have that option, let alone an equivalent to the Advanced Protection Program.
2
Replying to
It appears to be the case that I can't actually disable TOTP 2FA because it's enforced org-wide.
1
Replying to
I think they have security keys set up as only being a supplementary option. I don't understand why but that's how most sites implemented it. Until recently, Twitter was the same way.
Google, Twitter, OVH and AWS are the only services where I've been enable to force using keys.
1
AWS is very strange because you need to be logged into your Amazon account first, which supports TOTP but still not security keys last time I checked. So you need to log into that with password + TOTP and then log into AWS with the security key set up for it. It's very weird.
Google + AWS are the only ones where you can force using keys for an organization among the services that I use. I'm sure there are some more but it's not common to even allow using only security keys personally let alone forcing everyone in an organization to have it that way.
2
1
Replying to
Yeah I mean we SSO everything so its not a huge deal but, wherever possible, I prefer keys. We give them to everyone for a reason. But at least gsuite lets us enforce.