
GitHub is transitioning users to 2FA

GitHub is urging its users to enable two-factor authentication (2FA) as it changes how accounts on the platform are protected from attack.

GitHub's Mike Hanley wrote in a blog post this week that, as of August 13, GitHub no longer accepts account passwords for authenticating Git operations.

The platform now requires a stronger credential for every authenticated Git operation: a personal access token, an OAuth token, an SSH key, or a GitHub App installation token.
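A practical first step for anyone still pushing over HTTPS with a password is to move each GitHub remote to SSH so that Git operations authenticate with a key instead. The shell helper below is an added example, not code from the article or from GitHub's own tooling: `github_https_to_ssh` converts an HTTPS remote URL (including one with a `user:password` pair embedded in it, the form that leaks a password into `.git/config` and shell history) to its SSH form, and `migrate_github_remotes_to_ssh` applies that to every remote in the current repository. Both function names and the sample URLs are hypothetical, constructed for this example.

```shell
#!/bin/sh
# Added example (not GitHub's tooling). Converts a GitHub HTTPS remote URL to
# its SSH form so Git authenticates with an SSH key rather than a password.
# Prints the SSH URL and returns 0, or returns 1 for anything it cannot handle.
github_https_to_ssh() {
  url="$1"

  case "$url" in
    git@github.com:*|ssh://git@github.com/*)
      # Already key-based: pass through unchanged.
      printf '%s\n' "$url"
      return 0 ;;
  esac

  rest="${url#https://}"
  [ "$rest" != "$url" ] || return 1          # not an https:// URL

  # Authority is everything before the first "/"; the host is what follows
  # any "user:password@" prefix. Only github.com itself is accepted, so a URL
  # such as https://evil.example/x@github.com/... is rejected, not rewritten.
  authority="${rest%%/*}"
  host="${authority##*@}"
  [ "$host" = "github.com" ] || return 1

  # Path after the authority, normalised to "owner/repo" (no trailing "/" or ".git").
  path="${rest#*/}"
  path="${path%/}"
  path="${path%.git}"
  case "$path" in
    ""|/*|*/|*/*/*) return 1 ;;              # empty, absolute, or deeper than owner/repo
    */*) ;;                                   # exactly owner/repo
    *) return 1 ;;                            # owner only, no repository
  esac

  # Embedded credentials (if any) are deliberately dropped: the SSH URL carries none.
  printf 'git@github.com:%s.git\n' "$path"
}

# Rewrites every HTTPS GitHub remote of the repository in the current directory.
# Old URLs are intentionally not echoed, since they may contain a password.
migrate_github_remotes_to_ssh() {
  git remote | while IFS= read -r name; do
    old="$(git remote get-url "$name")" || continue
    if new="$(github_https_to_ssh "$old")" && [ "$new" != "$old" ]; then
      git remote set-url "$name" "$new"
      printf '%s: now %s\n' "$name" "$new"
    fi
  done
}

# Demonstration on a constructed URL (no repository needed):
github_https_to_ssh "https://github.com/octocat/Hello-World.git"
```

After running `migrate_github_remotes_to_ssh` inside a repository, `ssh -T git@github.com` confirms that the key is accepted: GitHub prints a greeting naming the account and then closes the connection with exit status 1, since it provides no shell access; that exit status is expected and does not indicate an authentication failure.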

Users have several 2FA methods to choose from on GitHub, including physical security keys, platform authenticators built into a device (such as Touch ID or Windows Hello), authenticator apps that generate time-based one-time passwords (TOTPs), and SMS.

GitHub ditches weak protections

Hanley added that passwords were not the only thing the platform ditched. GitHub is also taking other measures so that only verified devices can sign in even when the password presented is correct, which blunts the use of stolen passwords.

It also introduced support for WebAuthn and other stronger authentication methods after announcing the move away from passwords in December.

Hanley said that anyone who has not enabled 2FA should take a moment to do so. The benefits of multifactor authentication, he added, are widely documented; it protects against many simple but effective tactics, such as phishing.

Strengthening security

GitHub is pushing users to choose security keys or TOTP authenticator apps rather than SMS, since SMS does not provide the same level of protection: NIST SP 800-63B classifies SMS-based out-of-band authentication as a restricted authenticator, and it is no longer recommended.

Hanley said that the strongest methods involve the WebAuthn secure authentication standard, some implementations of which use physical security keys for added assurance. Once the account is secured, users can use a GPG key stored on their security key to digitally sign their git commits.

Mark Risher, senior director of product management for Google’s Identity and Security platforms, spoke to ZDNet and expressed his company’s excitement to see the platform move beyond passwords and opt for stronger authentication methods.