Over the next nine months, the Internet's largest hosting service for software development and collaboration will require all code contributors to add a second authentication factor to their accounts.

GitHub, used by the majority of large technology companies, announced that it is rolling out mandatory 2FA. Citing increased software supply chain security risks, the company begins a nine-month rollout on Monday, March 13. All developers who contribute code to the platform will eventually have to adopt the security protocol, the company announced Thursday.
The Microsoft-owned DevOps platform said the move aligns with the National Cybersecurity Strategy, which, among other things, places more of the responsibility for security on software vendors.
Being a developer does not make you invulnerable
Even developers make mistakes and can have their accounts compromised. Mike Hanley, Director of Security and Senior Vice President of Engineering at GitHub, wrote in a May 2022 blog post, the one that first mentioned the 2FA plan, that compromised accounts can be used to steal private code or to push malicious changes to that code.
“This endangers not only the individuals and organizations associated with the compromised accounts, but also all users of the affected code,” he wrote. “The potential for downstream impact on the wider software ecosystem and supply chain as a result is substantial.”
Different 2FA choices, but biometrics and security keys trump SMS
GitHub also offers a preferred 2FA option for account login and sudo prompts, letting users choose between time-based one-time passwords (TOTP), SMS, security keys, or GitHub Mobile. However, the company urges users to use security keys and TOTP, noting that SMS-based 2FA is less secure.
NIST, which no longer recommends SMS-based 2FA, pointed out that:
- An out-of-band secret sent via SMS can be received by an attacker who has convinced the mobile operator to redirect the victim's phone number to the attacker.
- A malicious application on the device can read an out-of-band secret sent by SMS and the attacker can use the secret to authenticate.
“The most powerful methods widely available are those that support the WebAuthn secure authentication standard,” GitHub said in its announcement. “These methods include physical security keys as well as personal devices supporting technologies such as Windows Hello or Face ID/Touch ID.”
GitHub said it is also testing passkeys, the next-generation authentication protocol, as a defense against exploits such as phishing.
“Because security keys are still a newer method of authentication, we are working to test them internally before rolling them out to customers,” a spokesperson said. “We believe they will combine ease of use with strong, phishing-resistant authentication.”
Latest move keeps pace with GitHub security programs
In a move toward closing the loopholes threat actors exploit, GitHub expanded its secret scanning program last fall, allowing developers to track all publicly exposed secrets in their public GitHub repositories.
And earlier this year, GitHub launched a configuration option for code scanning called "default setup", which lets users enable code scanning automatically.
"Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security," the company said in a statement, noting that developer accounts are frequent targets of social engineering and account takeover.
Deployment over several months to minimize disruption and optimize protocols
The rollout is designed to minimize disruption to users, with groups selected based on actions they have taken or code they have contributed, according to GitHub (Figure A).
Figure A

The company said the slow rollout will also make it easier for GitHub to make necessary adjustments before moving to larger and larger groups over the course of this year.
A GitHub spokesperson explained that while the company does not disclose exactly how users qualify for a given group in the 2FA cadence, groups are determined in part by their impact on the security of the wider ecosystem. High-impact groups will include users who:
- Published GitHub or OAuth apps, Actions or packages.
- Created a release.
- Contributed code to repositories deemed critical by npm, OpenSSF, PyPI or RubyGems.
- Contributed code to one of the four million largest public and private repositories.
- Are enterprise or organization administrators.
For those with a proactive bent, the company lets users enable 2FA immediately on a dedicated page.
GitHub offers developers a 2FA timeline
The process for GitHub contributors sets several time markers for enabling 2FA around a soft deadline (Figure B).
Figure B

Before the deadline
GitHub contributors selected for a pending 2FA group will receive an email notification 45 days before the deadline, informing them of the deadline and offering guidance on how to enable 2FA.
Once the deadline has passed
Notified individuals will be prompted to enable 2FA the first time they access GitHub.com each day. They can snooze this prompt once a day for up to a week, but after that they won’t be able to access any features on GitHub.com until they enable 2FA.
28 days after enabling 2FA
Users will receive a 2FA "checkup" when using GitHub.com, which validates that their 2FA setup is working properly. Users who are already logged in will be able to reconfigure 2FA if they misconfigured or misplaced their second factors or recovery codes during onboarding.
Email flexibility to avoid lockouts
Fortunately, the new protocols allow users to unlink their email from a 2FA-enabled GitHub account, avoiding the paradox of being locked out of the very thing, email, that they need to verify the account if they cannot log in or recover it.
“If you can’t find an SSH key, PAT, or device that’s been logged into GitHub before to recover your account, it’s easy to start fresh with a new GitHub.com account and keep this contribution graph legitimately green,” the company said.