Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

GitHub Encourages Users to Adopt Two-Factor Authentication

Software repository platform GitHub is once again encouraging users to enable two-factor authentication (2FA) to better secure their accounts.

The Microsoft-owned hosting service has had support for 2FA for eight years, and is now pushing for a wider use of the feature after it stopped accepting account passwords for authenticating Git operations.

Software repository platform GitHub is once again encouraging users to enable two-factor authentication (2FA) to better secure their accounts.

The Microsoft-owned hosting service has had support for 2FA for eight years, and is now pushing for a wider use of the feature after it stopped accepting account passwords for authenticating Git operations.

Initially announced in July 2020 and in effect starting August 13, 2021, the change requires the use of token-based authentication (personal access token, SSH keys, or an OAuth or GitHub App installation token) for all Git operations.

Following this switch, GitHub is now encouraging all of its users to enable 2FA to better protect their accounts, once again reminding them of the benefits of this feature, such as better protection against phishing and other types of attacks.

GitHub users who haven’t yet enabled 2FA on their accounts but wish to do so can use physical security keys for that, but also virtual security keys built into personal devices, Time-based One-Time Password (TOTP) authenticator apps, or SMS.

For more than half a decade, SMS has been considered an insecure 2FA option, and GitHub is strongly recommending the use of security keys or TOTPs instead, if possible.

“SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B. The strongest methods widely available are those that support the emerging WebAuthn secure authentication standard. These methods include physical security keys as well as personal devices that support technologies such as Windows Hello or Face ID/Touch ID,” GitHub notes.

Users who protect their accounts with a security key can also digitally sign git commits with a GPG key stored on that security key, the software hosting platform explains.

Advertisement. Scroll to continue reading.

Related: Why Are Users Ignoring Multi-Factor Authentication?

Related: New ‘Allstar’ App Enforces Security Best Practices for GitHub Projects

Related: GitHub Updates Policies on Vulnerability Research, Exploits

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.