GitHub rolling out 2FA to millions of users

GitHub rolling out 2FA to millions of users

A mobile phone is placed on the computer keyboard.  On the screen is an image of the GitHub logo.
Photo: Prima91

GitHub, used by most major technology companies, has declared that it issues 2FA. Recognizing supply chain security risks, which are on the rise, the company will begin a nine-month rollout on Monday, March 13. All developers who contribute code to the platform will eventually have to adopt a protocol of security, the company announced Thursday.

SEE: Hiring kit: Full stack developer (TechRepublic Premium)

The Microsoft-owned DevOps service said the move is in line with National Cybersecurity Strategywhich, among other things, places responsibility and greater security responsibility on software vendors.

Jump to:

Being a developer doesn’t make you invulnerable

Even developers do mistake and may become victims of security breaches. Mike Hanley, chief security officer and senior vice president of engineering at GitHub, wrote in a blog in May 2022 — which mentioned the 2FA plan for the first time — that compromised accounts could be used to steal private code or push malicious changes to that code.

“This puts not only the individuals and organizations associated with the compromised accounts at risk, but also anyone using the affected code,” he wrote. “The potential for downstream impact on the broader software ecosystem and supply chain is huge as a result.”

Justin Cappos, a professor of computer science at NYU and co-developer of the in-toto and Uptane software security frameworks, said Github’s adoption of 2FA is a critical first step in addressing a major problem.

“Getting code into an organization is one of the worst types of attacks that someone can do. So protecting the way that people work with code, which now often means making in the code via GitHub, is really key. To the extent that they make it more difficult for attackers to do this, is a big positive,” he said.

SEE: How to reduce security risks: Follow these best practices for success (TechRepublic Premium)

Various 2FA options, but biometrics and passkeys are superior to SMS

GitHub also offers a preferred 2FA option for account login using the sudo prompt, allowing users to choose between time-based one-time passwords, SMS, security keys or GitHub Mobile. However, the company is compelling users to go to security keys, including physical security keys, such as Yubikey, and TOTPs, mentioning that SMS-based 2FA is less secure.

NIST, that is no longer recommend 2FA, pointed out that:

  • An out-of-band secret sent via SMS can be received by an attacker who convinces the mobile operator to redirect the victim’s mobile phone to the attacker.
  • A malicious endpoint app can read an out-of-band secret sent via SMS and the attacker can use the secret to authenticate.

“The strongest methods widely available are those that support the WebAuthn secure authentication standard,” GitHub said in its announcement. “These methods include physical security keys as well as personal devices that support technologies such as Windows Hello or Face ID/Touch ID.”

Cappos said the importance of the diversity of 2FA methods cannot be overstated. “For 2FA, not everything is the same. Yubikeys, for example, are the gold standard because you physically have to steal a key to cause something to happen,” he said.

SEE: 1Password is looking for a password-free future. Here’s why (TechRepublic)

GitHub says it’s also trying passkeysthe next-generation credential protocol, as a defense against exploits such as phishing.

“Because passkeys are still a newer method of authentication, we’re working hard to test them internally before we roll them out to customers,” a spokesperson said. “We believe they will combine ease of use with strong and phishing-resistant authentication.”

The latest move follows the rhythm of GitHub’s security programs

In a step toward closing loopholes to combat threat actors, GitHub has expanded it secret scan program last fall, allowing developers to track any publicly exposed secrets in their public GitHub repository.

And earlier this year, GitHub has launched a setup option for code scanning called “default setup” which allows users to automatically enable code scanning.

“Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security,” the company said in a release, noting that developer accounts are social engineering and account takeover target.

Monthly rollout to minimize disruption, optimize protocols

The process for deploying the new protocols is intended to minimize disruption to users, with groups selected based on the actions they’ve taken or the code they’ve contributed, according to GitHub (Picture A).

Figure A

A flowchart illustration of the software supply chain and key security measures.
Image: GitHub. Securing the software supply chain starts with user accounts.

The company said the slow rollout will also make it easier for GitHub to make adjustments as needed before scaling to larger and larger groups over the course of the year.

A spokesperson for GitHub explained that, while the company would not offer details on how users qualify to be part of certain groups in the 2FA cadence, the person said that the groups are defined, in part, based on their impact on the security of wider ecosystem. High-impact groups will include users who:

  • Published GitHub or OAuth apps, Actions or packages.
  • Created a release.
  • Contributed code to repositories considered critical by npm, OpenSSF, PyPI or RubyGems.
  • Contributed code to any of the estimated top four million public and private repositories.
  • Act as business and organizational managers.

For those with a proactive bent, the company offers 2FA immediately on a dedicated place.

GitHub offers developers a 2FA timeline

The process for GitHub contributors sets several time markers for the initiation of 2FA with a weak deadline (Picture B).

Picture B

A color-coded timeline from GitHub that details when different groups will need to meet different 2FA deadlines.
Image: GitHub. Timeline for 2FA for GitHub contributors.

Before the deadline

GitHub contributors selected for a pending 2FA group will receive an advance notification via email 45 days prior to the deadline, informing them of the deadline and offering guidance on how to enable 2FA.

When the activation deadline has passed

Notifiers will be prompted to enable 2FA the first time they access each day. They can snooze this prompt once a day for up to a week, but after that, they won’t be able to access features until they enable 2FA.

28 days after enabling 2FA

Users will receive a 2FA “check-up” while using, confirming that their 2FA setup is working correctly. Previously signed-in users will be able to reconfigure 2FA if it was misconfigured or they entered secondary factors or recovery codes during onboarding.

Email flexibility to avoid lockout

Fortunately, new protocols allow users unlink the email from a 2FA-enabled GitHub account to avoid the irony of being locked out of the very thing — email — that allows them to verify the account if they’re unable to sign in or recover it.

“If you can’t find an SSH key, PAT, or device previously signed in to GitHub to recover your account, it’s easy to start fresh with a new account and keep that contribution graph green, ” said the company.