Tag Archives: 2FA

GitHub Will Require All Users Who Contribute Code to Enable 2FA



GitHub announced that it will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. This is part of GitHub's platform-wide effort to secure the software ecosystem by improving account security.

GitHub described their reasoning for requiring 2FA this way:

The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step towards securing the supply chain. GitHub has a long history of protecting developers through efforts including seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification.

According to GitHub, most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that give attackers broad access to victim accounts and to the resources those accounts can reach.

GitHub continues by pointing out that compromised accounts can be used to steal private code or push malicious changes to the code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.

Protocol reports that just 16.5% of GitHub.com users currently use two-factor authentication, considered to be a substantially more secure method of logging in given that it requires more than just a password. The two-factor authentication requirement will affect GitHub.com’s 83 million users, and is being announced well in advance to “make sure we get this right” in terms of user experience for developers, said Mike Hanley, chief security officer at GitHub.

According to Protocol, the announcement by Microsoft-owned GitHub comes at a time of high anxiety in the enterprise about the potential for security risks of open source software components. This is due in part to rising attacks against software supply chains – which jumped by more than 300% in 2021, according to a report from application protection firm Aqua Security.

In my opinion, it is a very good idea to put 2FA on everything, even if you don't happen to post code on GitHub. Two-factor authentication is a great way to stop someone from stealing your social media accounts, breaking into your personal website, or locking you out of your most frequently used email accounts. It makes sense for GitHub to be requiring 2FA.


Stay Safer with 2FA and a YubiKey



In the past couple of weeks I've received three notifications from Have I Been Pwned informing me that a couple of organisations didn't do a good enough job keeping my info secure. While it's always going to be a good idea to change your login and password, any sites that use 2FA significantly reduce the value of stolen credentials (as long as you've signed up for the 2FA option!).

What's 2FA? Two Factor Authentication. Still not clear? Maybe you've used a web site that's texted your phone an extra number or code that needs to be typed in before you are let in to your account. That number is a "second factor" and you're using 2FA to get into the web site. Excellent choice. 2FA is good because it means that even if ne'er-do-wells steal your details from a sloppy site, they don't have access to your phone, so they can't get any further. However, SMS authentication is not perfect: the code can be captured in transit or diverted, for example by a "man in the middle" phishing page that relays the code to the real site in real time, or by an attacker who persuades your carrier to move your number to their SIM. An SMS code is still far better than a password alone, but it is the weakest of the second factors described here.

If you want to take your online authentication to the next level, you might want to consider a physical security key for your second factor. This isn't a key like you'd use in a lock, but a USB key that doesn't look too dissimilar to a memory stick. A good example is Yubico's YubiKey 4 series range, which supports a wide range of protocols including "FIDO U2F, smart card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response" and can be used with many of the big names like Google, Facebook and Dropbox. FIDO U2F is the protocol the web logins below use, and its important property is that the key's response is tied to the genuine site's address, so a look-alike phishing site cannot collect a usable response the way it could collect a texted code. The keys can be used for authentication when logging onto PCs too (depending on OS, version etc.).

As an end user, you don't need to know all the technical stuff, only that it's a much stronger form of authentication and it's simple to use. To get started, you first associate the security key with your account, and the next time you try to log on to the service, you'll be prompted to insert the security key into a USB slot (or hold it against the phone for NFC keys). You can use one key for multiple sites.

Yubico provides YubiKeys for different use cases. There's the standard YubiKey 4 which is designed to go on a keyring (keychain) and works with USB A. The YubiKey 4C also goes on a keyring but works with USB C. The 4 Nano and 4C Nano are smaller and are intended for semi-permanent installation in USB A and C sockets respectively. For NFC applications, such as suitably-equipped smartphones, there's the YubiKey NEO. Physically, the keys are tough. Allegedly, they can go through the washing machine and get run over by a car, though I didn't try any of these.

Here I have a YubiKey 4 and 4 Nano (shown left) and they both work in the same way – the only difference is the size and what you touch to activate the key. Let’s take a look at getting Google setup with a YubiKey.

Log in to your Google account, say via Gmail. Click up on the top right where your "headshot" is and then click again on "My Account".

Head on into “Signing in to Google”. I’ve blanked out a few sensitive items.

2-Step Verification is what you want. Hopefully, you’ve already got this turned on but if not, go ahead and get this sorted out. This page shows the factors you can use for 2FA. Security keys are topmost with text messages and backup codes below (not shown).

Click on “Add Security Key”.

Get the YubiKey ready and insert when instructed. Hit Next.

On the YubiKey 4, the “Y” logo on the key will flash – tap with your finger to confirm. On the Nano, tap inwards on the end of the key. Once the YubiKey has registered, you can give it a name.

And that's it, all set and ready to go. The next time you login to Google on a computer that you haven't used before you'll be prompted to insert your YubiKey to prove who you are. Super secure! One caution: a key can be lost or broken, so register a second key or keep the backup codes from the same page somewhere safe, otherwise the key that keeps attackers out will keep you out too.

Other services are similar. Here’s part of the Dropbox procedure.

And Facebook…

Supported sites are listed here and you’ll recognise a good few of the names.

If you can see the benefits of secure 2FA, the YubiKeys can be purchased from the Yubico online store. The YubiKey 4 is US$40 and the 4 Nano is US$50, with similar prices in GB£ from amazon.co.uk.

The 4 series can do a whole lot more, and if you just want the basics, then a YubiKey 3 at only US$18 is a good start. I personally bought one of these awhile ago to secure my Google account.

Thanks to Yubico for providing the YubiKeys for review.