GitHub rolls out 2FA to millions of users

Over the next nine months, the Internet’s largest hosting service for software development and collaboration will force all code contributors to add another layer of electronic evidence to their accounts.

Image: Prima91

GitHub, used by the majority of major tech companies, has announced the launch of 2FA. Recognizing supply chain security risks, which are on the rise, the company is starting a nine-month rollout on Monday, March 13. All developers contributing code to the platform will eventually have to adopt the security protocol, the company announced Thursday.

SEE: Hiring Kit: Full Stack Developer (TechRepublic Premium)

The Microsoft-owned DevOps service said the move is in line with the National Cyber ​​Security Strategy, which, among other things, puts the onus and greater responsibility for security on software vendors.

Jump to:

Being a developer doesn’t make you invulnerable

Even developers make mistakes and can become victims of security breaches. Mike Hanley, chief security officer and senior vice president of engineering at GitHub, wrote in a May 2022 blog post — which first mentioned the 2FA scheme — that compromised accounts can be used to steal private code or push malicious changes in this code.

“This puts not only the individuals and organizations associated with the compromised accounts at risk, but also the users of the affected code,” he wrote. “The potential for consequential impact on the wider software ecosystem and supply chain as a result is significant.”

SEE: How to Minimize Security Risks: Follow These Best Practices for Success (TechRepublic Premium)

Different 2FA options, but biometrics and passwords override SMS

GitHub also offers a preferred 2FA option for account login with a sudo prompt, allowing users to choose between one-time passwords, SMS, security keys, or GitHub Mobile. However, the company urges users to use security keys and TOTP, noting that SMS-based 2FA is less secure.

NIST, which no longer recommends 2FA, noted that:

  • An out-of-band secret sent via SMS can be obtained by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker.
  • A malicious application on the endpoint can read an out-of-band secret sent via SMS and the attacker can use the secret for authentication.

“The strongest methods widely available are those that support the WebAuthn secure authentication standard,” GitHub said in its announcement. “These methods include physical security keys as well as personal devices that support technologies such as Windows Hello or Face ID/Touch ID.”

WATCH: 1Password looks to a password-free future. Here’s why (TechRepublic)

GitHub said it is also testing passwords, its next-generation credential protocol, as a defense against exploits such as phishing.

“Because passwords are still a newer method of authentication, we’re working to test them internally before rolling them out to customers,” a spokesperson said. “We believe they will combine ease of use with strong and phishing-resistant authentication.”

The latest move follows the pace of GitHub’s security programs

In a move to close loopholes to combat threat actors, GitHub expanded its secret scanning program last fall, allowing developers to track any publicly exposed secrets in their public GitHub repository.

And earlier this year, GitHub released a setting option for code scanning called “default setting” that allows users to automatically enable code scanning.

“Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security,” the company said in a statement, noting that developer accounts are targets of social engineering and account takeover.

Running for months to minimize downtime, optimize protocols

The process for rolling out the new protocols is intended to minimize disruption to users, with groups selected based on actions they’ve taken or code they’ve contributed to, according to GitHub (Figure A).

Figure A

A flowchart illustration of the software supply chain and important security steps.
Image: GitHub. Securing the software supply chain starts with user accounts.

The company said the slow rollout would also make it easier for GitHub to make adjustments as needed before scaling to larger and larger teams later this year.

A GitHub spokesperson explained that while the company wouldn’t offer details about how users qualify to join specific groups in the 2FA cadence, the person said groups are determined, in part, based on their impact on the safety of the wider ecosystem. High impact groups will include users who:

  • GitHub or OAuth published apps, actions, or packages.
  • Create a release.
  • Contribute code to repositories considered critical by npm, OpenSSF, PyPI, or RubyGems.
  • Contribute code to any of the approximately four million leading public and private repositories.
  • Act as managers of businesses and organizations.

For those of a proactive bent, the company offers 2FA instantly at a special location.

GitHub offers developers a 2FA schedule

GitHub’s contributor process sets multiple timelines for 2FA launch around a soft deadline (Figure B).

Figure B

A color-coded timeline from GitHub indicating when different groups will be required to meet different 2FA deadlines.
Image: GitHub. Timeline for 2FA for GitHub contributors.

Before the deadline

GitHub Contributors selected for a pending 2FA pool will receive advance email notification 45 days prior to the deadline informing them of the deadline and providing guidance on how to enable 2FA.

Once the activation deadline has passed

Those notified will be prompted to enable 2FA the first time they access each day. They can snooze this prompt once a day for up to a week, but after that, they won’t be able to access features until they enable 2FA.

28 days after enabling 2FA

Users will receive a 2FA “check-up” while using, which confirms that their 2FA setup is working properly. Previously logged in users will be able to reconfigure 2FA if they misconfigured or misplaced second factors or recovery codes during onboarding.

Email flexibility to avoid lock-in

Fortunately, new protocols allow users to unlink email from a 2FA-enabled GitHub account to avoid the paradox of being blocked by the very thing – email – that allows them to verify the account if they can’t log in or recover.

“If you can’t find an SSH key, PAT, or a device previously connected to GitHub to recover your account, it’s easy to start over with a new account and keep that contribution graph rightfully green “, he said. the company.

Leave a Reply

Your email address will not be published. Required fields are marked *