GitHub: Two Factor Authentication

Written by Debarghya Das (Junior Front-End Developer), January 10, 2022

In this article we look at what GitHub Two Factor Authentication is and the steps needed to use it.

About GitHub

GitHub, Inc. is a provider of Internet hosting for software development and version control using Git. It offers the distributed version control and source code management (SCM) functionality of Git, plus its own features. It provides access control and several collaboration features such as bug tracking, feature requests, task management, continuous integration, and wikis for every project. Headquartered in California, it has been a subsidiary of Microsoft since 2018.


About GitHub Two Factor Authentication

Over and above the user name and password used to gain access to the user’s account, GitHub provides one more layer of security in the form of a second level of authentication, called GitHub 2FA (two-factor authentication). It is the general login procedure followed by most modern websites and apps to strengthen access security.

The second password generated by GitHub is sent as an SMS message to the user’s registered mobile device, and the user has to enter this second password correctly on the login screen to get into the application. The second password can also be generated by an app installed on the user’s mobile device.


Steps to be used

Preparations required for 2FA

The following preparatory steps will have to be carried out to implement GitHub 2FA.

  • Organizations will have to decide whether they need two-factor authentication to be enabled for all their users, both internal and external.
  • If so, their security policy will have to be updated.
  • Fix the implementation date.
  • Take an inventory of users who already use 2FA.
  • Inform the rest of the users (both internal and external) about the changeover and warn them that if they do not switch over before the cut-off date their access will be removed and they will no longer be able to access the repositories.
  • Users can be given the option to receive the second password as an SMS on their mobile phone, or to generate it themselves with an app installed on their mobile.
  • Details of the second-password generating apps, how they are downloaded and installed, and how the second password is generated will have to be clearly communicated to all users.
  • After some grace time, users who have not migrated to 2FA can be deactivated.

Securing 2FA

GitHub is keen on securing developers’ accounts while still letting them access its latest products, and on ensuring that those accounts are not compromised or exposed to attacks. Some of the initiatives include WebAuthn support, device verification, blocking compromised passwords, and secured (SSH) Git operations.

Tightened Security for Git operations

GitHub has tightened security for Git operations: with effect from August 2021 there is no plain password authentication for Git users, and they need personal access tokens, SSH keys, app tokens, or OAuth tokens for any code-related transaction over Git.

2FA enabling for GitHub

GitHub recommends 2FA for all its users in order to protect them from phishing attacks. There are several options for GitHub 2FA, such as:

  • Security keys in physical form, such as YubiKeys
  • Security keys in virtual form, built into the user’s personal devices (phones and laptops) and enabled through WebAuthn technologies such as Face ID/Touch ID or Windows Hello
  • Time-limited one-time passwords generated by an authenticator app installed on the user’s mobile device
  • Text messages (SMS) delivered by GitHub’s central servers

Though the SMS option looks easy and simple to implement, GitHub recommends against it, since it is not as safe and secure as the other options on the table and NIST 800-63B does not endorse the use of SMS. The method GitHub recommends most is virtual keys using the WebAuthn standard. GitHub has also invested heavily in R&D on this personal-device biometric technology, which involves touch-based or face scanning.

Using Security keys further

After obtaining the security key and securing the account with it, users can add further functionality to it. Users can add digital signatures to their commits with the help of a GPG key that is available as a feature of the security key. Thorough documentation and videos are available from GitHub for setting up YubiKey-based commit verification and SSH authentication.

Setting up GitHub 2FA

As explained above, there are three ways of adopting 2FA in GitHub: a security key on the user’s own device, a one-time password from an app installed on the device, or SMS.

GitHub recommends installing a time-based one-time password (TOTP) generator app on the mobile device. It is preferred over SMS because it does not depend on telephone networks. TOTP apps also support backing up authentication codes in the cloud, from which they can be retrieved quickly in case of any issue.

The user settings of managed users have to be configured by their respective identity providers and not by anyone else.

Configuring TOTP mobile app for 2FA

Once installed, a TOTP application generates one-time passwords automatically, each valid for a set time limit after which it expires. There are several apps on the market, for example:

  • Authy
  • 1Password
  • Microsoft Authenticator
  • LastPass Authenticator

During setup, the QR code has to be scanned with the device on which the user wants to run the TOTP app. If the device is already set up with another 2FA app, the security settings must be adjusted before a new app can be added.

Steps to be used

  1. Download the TOTP app onto the mobile device.
  2. Go to the profile section and choose Settings.
  3. Under Account Security, choose the Two-factor Authentication option.
  4. Choose the Setup option in the app and proceed.
  5. GitHub displays a QR code; scan it with the mobile device, and the app will display a 6-digit code.
  6. Enter the six-digit code in GitHub.
  7. As an alternative to scanning the QR code, the text code can be entered manually in the app to complete the operation.
  8. The TOTP app saves the GitHub account details.
  9. From this point onwards the TOTP app generates a new six-digit code every few seconds, which can be used to gain access to GitHub.
  10. Download and save the recovery codes, which will help the user regain access to the account.
  11. The device is now 2FA-enabled in GitHub and ready for use.

A similar configuration setting is available for SMS and Security key.


In this article we have seen the elements of GitHub 2FA and how to set up and use them. 2FA protects users from security attacks, avoids downtime, and improves their productivity.
