So now I'm at an impasse. How do I get the code? Well, GitHub has a backup -- it will SMS the code to your phone! When it said this I just kind of chuckled to myself as I also had seen the h3h3 video. Sure enough, it texted me the GA code and I got back in control of my account.
GitHub actually provides a list of emergency codes that you can print out and use as a last resort. I had printed these before and actually had them available, but forgot about that process.
GitHub is trying so hard to have your account secure, yet the SIM card cloning threat is still there.
I just don't use an authenticator app at all. Some password managers (e.g. 1Password) have support for storing TOTP. So, as long as I can access my 1Password vault (use a strong password!), I can access my TOTP codes.
Besides that, I prefer U2F, which is supported by GitHub.
Oh that's a great idea! Never thought of that, thanks for sharing.
Protip: Don't allow your TFA app/hardware to be a single point of failure. Don't upgrade your reserve TFA device/apps until you're 100% sure the upgrade on your primary TFA device/app has worked smoothly.
Anyway, I have one-time codes for all accounts I use 2FA with. Google generates these one-time codes as TOTP substitutes; LastPass generates them as a one-time master password that's TOTP exempt. With Amazon, you have to send an email and they'll call to verify and then unset 2FA on the account.
(It's a little telling that none of the downvoters attempted to refute any of the facts…)