The ability to install something like winauth plus the secret written down so I can use it or some online service with saved settings that can get hacked or can get switched off tomorrow.
So you want a solution for two factor without adding anything? Have fun with that.
All the synthetic constraints you choose to add (not installing any software on any device, or having a hardware token) are the problem here, not Github.
So multi device access to github ends with this 2fa implementation unless you authenticate using a device you carry with you all the time
Github are not enforcing that, you have choices for 2fa with Github that are distributable/reproducible. All these imagined problems exist with you and not with Github.
That is not true. How do I go to a random computer and log into github?
By bringing your choice of second factor along, it can be as (in)secure as you like. One solution is you just remember the secret TOTP setup key, just as you would for a password, or write it down. There are RFC 6238 implementations that do not require install (and some even run in a browser if you really want to avoid "apps") and you can bring the key to them as/when you want.
SMS, and apps are less secure than a password known only to one person and never written anywhere
two factor, the second factor only adds to the security of the password, it does not subtract from it. You still provide a password. Just to double check I signed out of Github and when signing back in on the same computer/browser/session it asked for a username and both the password and 2fa.
Your cries of doom (without explaining the arbitrary constraints that led you to them) are the sort of misinformation around 2fa which needs to be stomped out. Github are one of the best examples out there and provide excellent options for people to get on board with 2fa.
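
Added example, not part of the thread above: a standard-library-only RFC 6238 generator, showing that the setup key alone determines the code, so any implementation given the same key and clock produces the same value. It assumes the RFC defaults most authenticator apps use (HMAC-SHA-1, 30-second step, 6 digits); the function names are illustrative, and the sample key is the RFC 6238 test secret, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_setup_key(setup_key):
    """Decode a base32 setup key as it might be typed from memory or paper.

    Tolerates spaces, dashes, lower case and missing '=' padding.
    """
    cleaned = setup_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 needs a multiple of 8 chars
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(setup_key, at=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(decode_setup_key(setup_key), int(now // step), digits)


# Constructed sample: base32 of the RFC 6238 test secret "12345678901234567890".
RFC_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code for the current 30 s window:", totp(RFC_TEST_KEY))
```

Because the code depends only on the key and the clock, a device whose clock is off by more than the server's accepted window will produce codes that are rejected.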