Why would you want to bypass 2FA? Yes, it makes logins slightly more annoying, but the security benefits far outweigh the annoyance of typing in a six-digit code when you log into a new device.
As far as I know there is no way to bypass 2FA on GitHub (with the possible exception of deleting all your repositories, but I don't know if they'd let you turn it off at that point).
One possibility is that maybe they don't care about their GitHub account that much.
I stopped using Twitch when they started forcing 2FA. I didn't really care about my account. I only created it so that I would have a list of the streamers I follow on the left side. But logging in with 2FA was too much work just to be able to see the list, so I stopped using Twitch altogether.
Another use case is to disable GitHub 2FA so that I can enable 2FA on my email account:
I store my (encrypted) KeePassXC database on GitHub, but on a new computer I need to log into my email to be able to 2FA into GitHub, so I have to disable email 2FA because I store the TOTP codes in the KeePassXC database.
If GitHub didn't have 2FA, I would just log in with my password, download the KeePassXC db, decrypt it, and be able to generate TOTP codes for my email.
> I store my (encrypted) KeePassXC database on GitHub
Why not sign up for a cloud storage provider, and store the encrypted password there? Then shorten the link and print out both versions for you to use (the longer is if the shortened version no longer works).
I guess there are two problems it causes that you might want to solve: the annoyance of the extra ceremony and the risk of losing access because you lose the key.
If you don't need more security on top of your existing (presumably high entropy) password, the latter problem might be solved by publishing the TOTP key. The GitHub bio box is public, mostly pointless and a sensible size...
The former might be solved with a bookmarklet that embeds the key and fills out the relevant form automatically. If you're going to publish the key, presumably publishing this in as convenient a form as possible also makes sense.
For a few accounts I prefer convenience, my "2FA bypass" takes half a second typing - "`1", which expands to a call to https://github.com/rsc/2fa using Typinator and puts the code inline...
Would you mind sharing how exactly? Could be something I could use, but I don't think I'll be using Typinator; I wanted to understand the process better.
Sure, take a look at the write-up here: https://github.com/rsc/2fa and once you have it working on the command line, it's just a little wrapper with AutoHotKey/Typinator I guess.
You can't, because GitHub, like so many other bad companies, has decided to externalize security onto users, forcing them into 2FA so they don't have to pay to support all the irresponsible people whose accounts get compromised. Make no mistake, this is 100% a financial decision that has nothing to do with any security.
1) Depends on the risk assessment each of us does.
2) Security <> Convenience
I invest with a couple of different brokers. Some require only username+password. Some have the extra SMS/2FA. There is one where I get an automated phone-call and I have to answer, and type the digits shown on the screen. Every 1st of the month I do 'the rounds' in every account I have (bank, broker, cash) and write down on a spreadsheet my 'net worth' so I can track progress, forecast, see with a nice line how much up or down it goes, etc. (friendly suggestion - all people should be doing that); so it amuses me to see so many different authentication mechanisms across the Finance world.