- Read this: https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
- What is the definition of multi factor auth?
- What does multi factor provide?
- What does it not provide?
- Download GoogleAuth
- Enable multifactor on your LastPass account. Read through the options at https://www.lastpass.com/multifactor-authentication and see what the different varieties are.
- Enable multifactor on your GitHub account
- From a risk perspective, do you really need multifactor on your GitHub?
- Remove multifactor from your GitHub
- Put multifactor on whatever other accounts you think deserve that level of protection. https://twofactorauth.org/
- Read this: https://web.archive.org/web/20180422212245/https://www.yubico.com/why-yubico/how-yubikey-works/
You could probably get a couple, and then set it up with https://landing.google.com/advancedprotection/. Google's Advanced Protection is the best you can get right now, but you probably don't need it. My philosophy is I can't properly tell people to do things for their security if I don't do it myself and understand the pain points. For the record, I don't use it. Too inconvenient when I'm on a ship and can't log in to things.
A brief note: Cell phone text messages (aka SMS) are commonly used for multifactor auth. These are not great, because a) someone can steal your phone number and get the texts sent to them (https://www.wired.com/story/sim-swap-attack-defend-phone/), and b) text messages can be intercepted (https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls).
However, those things are not in your threat model unless you are famous or have cryptocurrency wallets.
Another note: Just because you have 2 factor doesn't mean you can't get phished for it!