top | item 31276109
mdb31 | 3 years ago

Well, given that Github today doesn't seem to support meaningful 2FA (only TOTP and SMS), wouldn't it be good to fix that issue before starting to talk about requirements like these?

Maybe it's just my account, but I can't currently enroll my hardware token with Github in any way whatsoever.

Sure, they offer some 1.5FA, but why would I bother with that?

einichi|3 years ago

They let you enroll a hardware token after you enable either a TOTP or SMS 2FA method. No idea why, seems to defeat the point of the additional security that a hardware token offers.

procombo|3 years ago

Authenticator apps and SMS help them derive your identity -- which is more secure for them and you. Hardware token via WebAuthn (etc) is only more secure for you.

When they say "for the sake of security" they mean for them too.

There's a reason they want you to verify using one of the first two methods first.

ProZsolt|3 years ago

I use FIDO U2F since 2015.

I got my Yubikey from Github for $5 https://github.blog/2015-10-01-github-supports-universal-2nd...

mdb31|3 years ago

Yet, if you go into the "enable 2FA" settings on Github, you only get the option to enable insecure TOTP or SMS.

Apparently, once you do that, you might be able to add proper authentication. But no word on whether that then replaces the obsolete methods you were forced to configure earlier.

But, yes, right on track to enforce 2FA in 2023, I see...

klaustopher|3 years ago

mdb31|3 years ago

Oh, that's lovely UX... "After you configure 2FA, using a time-based one-time password (TOTP) mobile app, or via text message, you can add a security key"

So, after you enable a broken-by-design 1.5FA method, which you don't want, and which will further expose you to account takeovers, you can, possibly, configure actual security.

No wonder these guys are raking in the big bucks...

gkbrk|3 years ago

I understand the SMS part, but what makes TOTP a not "meaningful" 2FA?

mdb31|3 years ago

The TOTP "private key" can be easily cloned. Targeted malware, a database compromise at your app provider that you "securely" sync your settings to, or just a few minutes access to your "authentication" device, will do the trick.

drdaeman|3 years ago

This is odd - they sure do support WebAuthn, I've been using a YubiKey for years.