If someone doesn't have a smartphone or other mobile device, and is running Windows on his laptop, is there a way to set up 2FA at GitHub, or is he just SOL?
Many password managers that you might use, like KeePass or 1Password, can also function as a TOTP generator. Of course you should evaluate the security implications of this. It's definitely a step down from having the secret stored on a separate device (mobile phone).
"Classic" GitHub tokens are about 36 random characters long.
Newer "fine-grained" tokens are about 80 random characters long.
These are *much* stronger than your typical web account password.
And SSH private keys are much longer than that. And it is an asymmetric system, so the private key is never transmitted. Plus SSH keys have the ability to be protected with a passphrase (two factor), and optionally remembering this passphrase for the duration of the session is built in. I don't understand jumping through so many hoops just to be able to use HTTPS, unless you are behind a very restrictive firewall. But GitHub allows SSH over port 443, so even that's not a very convincing argument. What advantage do you see in using HTTPS instead of SSH for authenticated access?
However, the "Git Credential Manager" (sometimes referred to as "Git Credential Manager Core") is a separate project that adds credential management using a system's secure storage (i.e., the Windows Credential Manager on Windows) as well as supporting actual 2FA authentication.
Until you run into a URL of more than 256 characters (happens with some automatically-generated URLs), then the Windows Credential Manager is useless and you have to fall back to the plain text store. I haven't seen this issue on Linux or Mac, fortunately.