
GitHub Starts Mandatory 2FA Rollout Early for Some Users (github.blog)

By the end of 2023, GitHub will require all code contributors to enable two-factor authentication — part of "a platform-wide effort to secure software development by improving account security."

But on Monday they'll start rolling it out, according to a new blog post, reaching out to "smaller" groups of developers and administrators "to notify them of their 2FA enrollment requirement." If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You'll have 45 days to configure 2FA on your account — before that date nothing will change about using GitHub except for the reminders. We'll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com.

You'll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don't worry: this snooze period only starts once you've signed in after the deadline, so if you're on vacation or out of office, you'll still get that one week period to set up 2FA when you're back at your desk....

Twenty-eight (28) days after you enable 2FA, you'll be asked to perform a 2FA check-up while using GitHub.com, which validates that your 2FA setup is working correctly. Previously signed-in users will be able to reconfigure 2FA if they have misconfigured or misplaced second factors during onboarding.

GitHub's blog post says their gradual rollout plan "will let us make sure developers are able to successfully onboard, and make adjustments as needed before we scale to larger groups as the year progresses." InfoWorld summarizes the options: "Users can choose between 2FA methods such as TOTP (Time-based One-Time Password), SMS (Short Message Service), security keys, or GitHub Mobile as a preferred 2FA method. GitHub advises using security keys and TOTPs wherever possible; SMS does not provide the same level of protection and is no longer recommended under NIST 800-63B, the company said."

Internally GitHub is also testing passkeys, according to their blog post. "Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain."


  • by sirket ( 60694 ) on Monday March 13, 2023 @07:58AM (#63365987)

    Seriously, what possible reason is there _not_ to use 2FA on Github FFS?

    Github does not require you to use SMS for 2FA- you can use TOTP (e.g. Authy) or HOTP (e.g. Yubikey). So you get much better security, and no loss of anonymity.

    It's extra security, and with a FIDO device it requires no more effort than touching the key occasionally.

    • Seriously, what possible reason is there _not_ to use 2FA on Github FFS?

      It's annoying and i don't care about my fart app source code enough to put up with it.

      • by sirket ( 60694 )

        You find having to touch a Yubikey once every few months annoying?

        Just how fucking lazy are you?

        • What's the point of the device if it's only once every few months then? The attacker would just be able to attack in that wide of a time frame.
    • Re: (Score:2, Interesting)

      by StormReaver ( 59959 )

      It's incredibly annoying and overly complicated, it locks you into a service (or services) that can (at their discretion) lock you out of all sites that require it (by refusing to validate you for whatever reason), frequently requires a hardware token that requires a subscription, and provides only the illusion of security, and is just as susceptible to phishing attacks and man-in-the-middle attacks as regular ole passwords, and is now an extra moving part that can break down at any time and for any reason.

      • by vadim_t ( 324782 )

        What? No.

        I've never seen such a service that requires a subscription, nor any kind of centralized service that can compromise all your secrets. My Github secret is held by Github, and my AWS secret is held by Amazon. If one becomes compromised, nothing happens to the other. It's a simple algorithm that barely takes any work to implement and doesn't need delegating to some third party vendor.

        2FA secrets are not easily phished, because it's actually hard for a normal person to get it. It's generally held by a

        • 2FA secrets are not easily phished, because it's actually hard for a normal person to get it.

          The problem is when you log into glthub.com and enter your one time password your account has just been compromised.

          All the apps give you is the computed result, which is only valid for a short timeframe.

          Most burglaries only last a few minutes.

          • by vadim_t ( 324782 )

            Okay? If your github account gets compromised, then it does, but that doesn't affect anything else.

        • by sirket ( 60694 )

          Parent is a moron who confused 2FA with either SSO or Password Managers.

          Seriously- go back and re-read their post but replace TOTP with SSO or Password Manager and suddenly what they're saying at least makes some sense.

          They're still flat-out wrong though.

      • it locks you into a service (or services) that can (at their discretion) lock you out of all sites that require it (by refusing to validate you for whatever reason)

        The ol' "What if these people actively decide to destroy the very purpose of their service!" excuse. At that point the risk is right up there with "But what if Github just decides to delete its entire service."

        Have you risk assessed the option of you being hit by an asteroid? Or your cat actually being a Russian agent waiting for remote instructions to eat your 2FA key? What if there are actually aliens living under ground and at any moment they can come and steal our phones?

        Your post is the worst kind of w

      • it locks you into a service (or services)

        WTF no it doesn't.

        frequently requires a hardware token that requires a subscription,

        WTF no it doesn't. Github supports TOTP which is an open SOFTWARE standard where you can use a variety of TOTP apps, your own code, or a variety of both closed and open hardware devices. Or you can use U2F keys, also an open standard not dependent on any particular manufacturer or subscription.

        TOTP, for example, creates a centralized database that can be hacked to get everyone's sing

      • by AmiMoJo ( 196126 )

        It's kind of incredible that people believe this in 2023.

        TOTP doesn't rely on a "centralized database". Every website gets a different code, that only works on that one website.

        Using U2F with a security key is best, because it uses public key crypto. Even if the website is hacked, all they get is a useless public key. It's useless because the browser passes the domain of the website requesting authentication to the key, and it becomes part of the challenge. If someone steals the database and sets up a fake

    • Seriously, what possible reason is there _not_ to use 2FA on Github FFS?

      The problem with 2FA as popularly deployed lies in two general buckets.

      1. Many popular 2FA methods offer zero resistance to authenticator impersonation rendering them useless against the single largest security threat.

      2. Multiple factors on Internet sites are rarely deployed as independent requirements when automated recovery procedures are included in the threat model. When a physical factor can be used to bypass a knowledge factor and vice-versa it stops being about 'A and B' and is functionally closer t

  • This nerd infrequently writes to GitHub and doesn't have a cellphone. Will it provide these temporary 2FA codes via email?
    • by dskoll ( 99328 ) on Monday March 13, 2023 @08:13AM (#63366011) Homepage

      You don't actually need a cell phone to get TOTP to work. Sure, it's most convenient to use a mobile device like a cell phone or tablet, but with a little bit of work you can get TOTP running on a laptop or PC. This obviously reduces security because now your TOTP secret is on the same device you're using to access GitHub, but it's a workable solution. Just keep your TOTP secrets in an encrypted volume.

    • by sirket ( 60694 )

      FFS- you can use TOTP codes via Authy running on the same system you are using to access GitHub in the first place, or you could use a password manager like 1Password that has built-in TOTP support, or you could use an HOTP FIDO token like a Yubikey.

      How the fuck do you contribute anything useful on Github without knowing anything about 2FA FFS?

  • by Meneth ( 872868 ) on Monday March 13, 2023 @08:59AM (#63366151)
    Recommendations from Wikipedia [wikipedia.org]: WinAuth [github.io], Authenticator [gnome.org] or KeeWeb [keeweb.info].
  • To me, it always seems like businesses are pushing the burden of security onto the users so they don't have to pay for it.
    They either use something insecure like SMS, force you into buying multiple overpriced security dongles, or force you to trust a device meant for podcasts and shower porn.
  • by jacks smirking reven ( 909048 ) on Monday March 13, 2023 @09:25AM (#63366227)

    I was always taught that these are the foundations of authentication; something you know, something you have, something you are.

    I always understood 2FA accomplishes the second which makes it a pretty easy win for security for a majority of people. If anonymity is so extremely crucial that even a hardware Yubikey is a high risk then maybe the internet isn't for you?

    Seeing so much pushback to 2FA here what are the alternatives? It sure feels like a world with only passwords no matter how strong just isn't cutting it anymore so we need something and for every flaw with 2FA I can see applying doubly to biometrics.

    Honest question, if 2FA is so risky what do we do to protect not just us tech geeks but the rest of the public that's as easy to grasp and in my opinion effective at stopping account hijacks as 2FA without rewiring our entire infrastructure?

    • by vadim_t ( 324782 )

      Pay no attention to the pushback here. Slashdot mostly seems to have people whose knowledge fossilized somewhere around the 90s, and since then have never learned anything new. I can't think of any other way to explain the amount of comments that display a complete lack of technical knowledge about how 2FA works.

      The vast majority of people will comply with the new way of doing things because they have no other obvious option, the techies that actually kept with the times understand why it's a good idea, and

      • Pay no attention to the pushback here. Slashdot mostly seems to have people whose knowledge fossilized somewhere around the 90s, and since then have never learned anything new

        I have concerns that have yet to be answered. All I am ever told is to take it in the ass and accept it.
        Maybe you can help.
        Why does everyone want everyone to use security keys? Those things are expensive and you are required to have two of them. Then you waste 2 USB ports using them. Then what do you do when you plug it in? Are you good to go? Or do you have to get up each time and every time you want to log into something? Or is it a spot check every so often. "STOP CITIZEN. PROVE YOUR VALUE OR ITS RAPE IN THE ASS PR

    • Something you are is good security for proving you are who you are... if it can't be faked or duplicated. Since you can't change it, if it can be, then it's potentially dangerous.

  • Some web sites and services insist on using mobile phone and SMS for two factor authentication.

    This is really a bad idea. SIM swapping does happen, and you lose your authentication device if that happens.

    On the other hand, Time Based One Time Passwords (TOTP) do not need to be tied to your mobile phone number.

    If you prefer the command line, install the package oathtool, and you are good.

    If you want an authenticator app on your phone, then use FreeOTP+.

    Better yet, put the hash in both of these and you have a

  • All 2fa accomplishes is that sooner or later, you will be locked out of your account with no way to get back in.

  • sign your commits noobs.
