Updated April 3, 2023
Introduction to GitHub Two Factor Authentication
In addition to the username and password required to sign in, GitHub offers its users a further layer of security in the form of a second authentication step, called GitHub 2FA (two-factor authentication). It is the general login procedure most modern websites and apps follow to strengthen access security.
The second password, generated by GitHub, is sent as an SMS message to the user's registered mobile device, and the user has to enter this second password correctly on the login screen to get into the application. The second password can also be generated by an app installed on the user's mobile device.
Preparations required for 2FA
The following preparatory steps have to be carried out to implement GitHub 2FA.
- The organization has to decide whether two-factor authentication should be enforced for all of its users, both internal and external.
- If so, its security policy has to be updated accordingly.
- Fix the implementation date.
- Take an inventory of the users who already use 2FA.
- Inform the remaining users (internal and external) about the changeover, and warn them that if they do not switch over before the cut-off date their access will be removed and they will no longer be able to reach the repositories.
- Users can be given the option of receiving the second password as an SMS on their mobile phone, or of generating it themselves through an app installed on their mobile device.
- The details of the second-password generating apps, how they are downloaded and installed, and how the second password is generated have to be communicated clearly to all users.
- After some grace period, users who have not migrated to 2FA can be deactivated.
GitHub is interested in protecting developers while allowing them to access its latest products, and in ensuring that their accounts are not compromised or hacked. Some of its initiatives include WebAuthn support, device verification, blocking compromised passwords, and secure shell (SSH) Git operations.
Tightened Security for Git operations
GitHub has tightened security for Git operations: with effect from Aug 2021 there is no longer any plain password authentication for Git users, who need personal access tokens, SSH keys, app tokens, or OAuth tokens for any code-related operations over Git.
2FA enabling for GitHub
GitHub recommends 2FA for all of its users in order to protect them from phishing attacks. There are several options for GitHub 2FA:
- Security keys in physical form, such as YubiKeys
- Security keys in virtual form, built into the user's personal devices (phones and laptops) and enabled through WebAuthn technologies such as Face ID/Touch ID or Windows Hello
- Time-limited one-time passwords generated by an authenticator app installed on the user's mobile device
- Text messages (SMS) delivered by GitHub's central servers
Though the SMS option looks easy and simple to set up, GitHub recommends against it because it is not as safe and secure as the other options on the table, and NIST 800-63B does not endorse the use of SMS. The method GitHub recommends most is virtual keys using the WebAuthn standard. GitHub has also invested heavily in R&D on this personal-device-based biometric technology, which uses touch-based or face scanning.
Using Security keys further
After obtaining a security key and securing the account with it, users can add further functionality to it. Users can digitally sign their commits with the help of a GPG key that is available as part of the security key. Comprehensive documentation and videos are available from GitHub for setting up YubiKey-based commit verification and SSH authentication.
Setting up GitHub 2FA
As explained above, there are three broad ways of adopting 2FA in GitHub: a security key on the user's own device, a password generated by an app installed on the device, or SMS.
GitHub recommends installing a time-based one-time password (TOTP) application on the mobile device. It is preferred over SMS because of its lower dependence on telephone networks. TOTP apps also support backing up authentication codes in the cloud, from which they can be retrieved quickly in case of any issues.
The user settings of managed users have to be configured by the respective identity provider and not by anyone else.
Configuring TOTP mobile app for 2FA
Once installed, a TOTP application automatically generates one-time passwords, each valid for a fixed time window after which it expires. There are several such apps on the market, among them:
- Microsoft Authenticator
- LastPass Authenticator
During setup, the QR code should be scanned with the device on which the user wants to use the TOTP app. If the device is already loaded with some other 2FA app, the security settings may have to be adjusted before a new app can be set up.
Steps to be followed
1. Download the TOTP app onto the mobile device.
2. Go to the profile section and choose Settings.
3. Under Account security, choose the Two-factor authentication option.
4. Choose the Set up option for the app and proceed.
5. GitHub displays a QR code; scan it with the mobile device and the app displays a six-digit code.
6. Enter the six-digit code in GitHub.
7. As an alternative to scanning the QR code, the text code can be entered manually in the app to complete the setup.
8. The TOTP app saves the GitHub account details.
9. From this point on, the TOTP app generates a new six-digit code every few seconds; it is used to gain access to GitHub.
10. Download and save the recovery codes, which will help the user regain access to the account if the device is unavailable.
11. The device is now 2FA-enabled for GitHub and ready for use.
A similar configuration flow is available for SMS and for security keys.
Conclusion – GitHub Two Factor Authentication
In this article, we have seen the features of GitHub 2FA and how to set it up and use it. 2FA protects users from security attacks, avoids downtime, and improves their productivity.