GitHub is a weak link in the software supply chain. Finally, Microsoft is doing something about it — by forcing users into two-factor authentication (2FA).
Unfortunately, SMS is still an option, but at least you don’t have to use it. WebAuthn keys and TOTP are where you should be looking, plus there’s a dedicated GitHub app. Passkeys support isn’t there yet, but it’s “coming soon.”
No need to wait until you’re forced. In this week’s Secure Software Blogwatch, we set it up now.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Clip art.
What took you so long?
What’s the craic? Sergiu Gatlan reports — “GitHub makes 2FA mandatory”:
“Blocked from accessing some features”
GitHub will start requiring active developers to enable two-factor authentication (2FA) on their accounts. … This is the company's latest move towards securing the software supply chain by moving away from basic password-based authentication.
The gradual rollout will start … with GitHub reaching out to smaller groups of administrators and developers via email and will speed up as the end of the year approaches. [When] your account is selected for enrollment, you will receive an email and see a banner on GitHub.com requesting you to enroll. … Then you'll have 45 days … during which you can keep using your GitHub account as usual, except for occasional reminders.
Developers can use one or more 2FA options, including physical security keys, virtual security keys built into mobile devices like smartphones and laptops, Time-based One-Time Password (TOTP) authenticator apps, or the GitHub Mobile app (after configuring TOTP or SMS 2FA). [If you miss] your enablement deadline … you will be prompted to enable 2FA … and blocked from accessing some features until 2FA is toggled on.
Blocked, you say? Steven J. Vaughan-Nichols reacts accordingly — “No More Mr. Nice Guy”:
“SMS 2FA is better than nothing”
I can only say this: “It’s about time!” … Software supply chain attacks have become commonplace. One of the easiest ways to protect your code is to use 2FA.
Yes, I know many of you will find this very annoying. Trust me — it’s worth it. Otherwise, sooner or later, your code repositories will be hacked. It’s not “if,” it’s when.
Let me underline a point GitHub makes: … SMS 2FA is better than nothing, but if someone really wants to crack your account, SMS 2FA is the easiest method to crack. Personally, I recommend either a free Google … Microsoft Authenticator; the open source Bitwarden; or a YubiKey or Google Titan key.
Wait. Pause. No Passkeys? GitHub’s Laura Paine and Hirsch Singhal clarify — “Raising the bar for software security”:
“Improve the security of the software supply chain”
We’re already testing Passkeys internally, which we believe will combine ease of use with strong, phishing-resistant authentication. [But today] you can choose between TOTP, SMS, security keys, or GitHub Mobile.
We strongly recommend the use of security keys and TOTPs. … SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B. The strongest methods widely available are those that support the WebAuthn secure authentication standard [which] include physical security keys, as well as personal devices that support technologies, such as Windows Hello or Face ID/Touch ID.
Open source software is ubiquitous, with 90% of companies reporting that they use open source in their proprietary software. GitHub is a critical part of the open source ecosystem, which is why we take ensuring account security seriously. … We can’t improve the security of the software supply chain without you.
Don’t delay. Do it today, pleads OllieJones:
“Please do it”
Fellow citizens of GitHub, please comply with this 2FA requirement. Please do it cheerfully. And … if you are not sure why you should do it cheerfully, please read up on this corner of information security … called defense-in-depth. If cybercreeps break one level of defense (actually when, not if) then we really want another equally daunting one to keep slowing them down.
The way GitHub does the second-factor thing, it is not a big ongoing nuisance. Just click the Trust This Machine button someplace in their signon workflow, I forget where, I haven't seen it in, like, forever.
I possess two YubiKeys. … I keep them in different places. One has been riding around in my pocket on my keyring for … five years. Dropped into puddles, went through the wash once, works just fine. This FIDO / U2F stuff works, friends. It works well. It's easy to add to your personal workflow. Please do it.
But what if I’m a smartphone-eschewing tin-foil hatter? andrewfromx has your back:
oathtool --totp -b 'someCode' — same as any authenticator app but you don't have to take out your phone.
On a Mac it's brew install oath-toolkit … then I alias in .zshrc: …
alias auth_twitter="oathtool --totp -b 'someCode'" and backup my whole .zshrc file with all the codes. … 2FA is so easy when it's just a command line thing to run.
Sounds good. dskoll likes the idea but urges caution:
This obviously reduces security because now your TOTP secret is on the same device you're using to access GitHub. But it's a workable solution — just keep your TOTP secrets in an encrypted volume.
What could possibly go wrong? Trust u/jokasx to bring reality crashing down:
It's all fun and games until you are away from home, on a different computer you don't own and/or the phone battery died. And usually all of those happen at the same time.
And etr has concerns:
My browser is set to delete cookies and stored data when closed, and I typically reopen the browser between sites. This means cached logins are not a thing for me. [And I] need a password manager.
The net effect is that 2FA would could mean juggling two apps … which would be a royal pain. [And] that's really starting to resemble 1FA. … More research is in order.
Meanwhile, should you insist on using SMS, jjgreen snarks it up:
We promise that all of those lovely mobile phone numbers won't be used for marketing purposes.
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.