I'm thinking of a high-profile example when an attacker tried to take over h3h3's YouTube account by requesting his SIM card from T-Mobile by pretending to be a T-Mobile employee: https://youtu.be/caVEiitI2vg
So now I'm at an impasse. How do I get the code? Well, GitHub has a backup -- it will SMS the code to your phone! When it said this I just kind of chuckled to myself as I also had seen the h3h3 video. Sure enough, it texted me the GA code and I got back in control of my account.
GitHub actually provides a list of emergency codes that you can print out and use as a last resort. I had printed these before and actually had them available, but forgot about that process.
GitHub is trying so hard to have your account secure, yet the SIM card cloning threat is still there.
I just don't use an authenticator app at all. Some password managers (e.g. 1Password) have support for storing TOTP. So, as long as I can access my 1Password vault (use a strong password!), I can access my TOTP codes.
Besides that, I prefer U2F, which is supported by GitHub.
Oh that's a great idea! Never thought of that, thanks for sharing.
Protip: Don't allow your TFA app/hardware to be a single point of failure. Don't upgrade your reserve TFA device/apps until you're 100% sure the upgrade on your primary TFA device/app has worked smoothly.
Anyway, I have one-time codes for all accounts I use 2FA with. Google generates these one-time codes as TOTP substitutes; LastPass generates them as a one-time master password that's TOTP-exempt. For Amazon, you have to send an email and they'll call to verify and then unset 2FA on the account.
(It's a little telling that none of the downvoters attempted to refute any of the facts…)
It's important to separate out two separate things that we've seen happening - and the media has done a bad job distinguishing these two things - 2FA and account recovery.
If you use SMS 2FA, then to gain access to your account someone needs your password and to hijack your phone number. That's harder than just having your password, but perhaps not much harder if you are a prominent target. The advice I would give to popular YouTubers and streamers would be to have very strong passwords using a password manager, and use a TOTP app for 2FA.
What most of the news stories have been about, however, is not 2FA but account recovery. If an attacker can gain access to your account using _only_ your SMS number then you do not have 2FA: it's 1-factor authentication! A lot of websites do a bad job of explaining why they are asking for your phone number - there are competing aims here, to both add security but also ensure you can still gain access to your account - but if you are a high-profile target you should take care of the latter (access) yourself, and _not_ enable a backup phone number for account recovery purposes.
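As an added illustration of the 2FA-versus-recovery distinction made above (this is not part of the thread), a small Python model that lists every capability set an attacker needs to reach an account under a given configuration, and finds the weakest one; it also covers the earlier suggestion of keeping TOTP seeds in the password manager. Capability names, configuration labels and the "vault" store are constructed for the model.

```python
"""Account-access paths as attacker capability sets (constructed model).

A configuration yields one or more paths into the account; each path is the
set of things an attacker must hold.  The weakest path decides how many
factors the account really has, regardless of what the login form shows.
"""

# Constructed capability labels.
PASSWORD, PHONE_NUMBER, TOTP_SECRET, RECOVERY_CODES = (
    "password", "phone_number", "totp_secret", "recovery_codes")


def access_paths(second_factor, sms_recovery):
    """Every way in, as frozensets of required capabilities.

    second_factor: "none", "sms" or "totp".  sms_recovery: whether a
    phone-number-only reset flow is enabled on the account.
    """
    if second_factor == "sms":
        paths = [{PASSWORD, PHONE_NUMBER}]
    elif second_factor == "totp":
        paths = [{PASSWORD, TOTP_SECRET},
                 {PASSWORD, RECOVERY_CODES}]   # printed backup codes
    else:
        paths = [{PASSWORD}]
    if sms_recovery:
        paths.append({PHONE_NUMBER})           # reset via phone alone
    return [frozenset(p) for p in paths]


def bundle(paths, stored_together, store="password_vault"):
    """Capabilities kept in one place (e.g. password and TOTP seed in the
    same vault) fall together: replace them by reaching that one store."""
    return [frozenset((p - stored_together) | {store}) if p & stored_together
            else p for p in paths]


def weakest_paths(paths):
    """Minimal paths: drop any path that strictly contains another."""
    return sorted({p for p in paths if not any(q < p for q in paths)},
                  key=sorted)


def effective_factors(paths):
    """Independent things an attacker must steal on the weakest path."""
    return min(len(p) for p in weakest_paths(paths))


def can_take_over(attacker_has, paths):
    """True if the attacker's capabilities cover any access path."""
    return any(p <= set(attacker_has) for p in paths)
```

The interesting case is `effective_factors(access_paths("totp", True))`, which is 1: the SMS recovery path, not the TOTP prompt, sets the account's real strength.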