GitHub Kisses Passwords Goodbye
We’ve all known for ages now that passwords don’t provide good enough security. That, however, hasn’t stopped us from still relying on passwords for security. They’re the lowest common security denominator. The top developer site GitHub has had enough second-rate security. So, as of Aug. 13, GitHub blocked the use of account passwords when authenticating Git operations.
Instead, GitHub now requires you to use two-factor authentication (2FA) factors to use its core Git services. These factors can include personal access tokens; SSH keys, for developers; or OAuth or GitHub App installation tokens for integrators.
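As an added example (not from the original article or from GitHub), this Python check reads `git remote -v` output and flags remotes that still embed an account password, which Git operations no longer accept, or a token stored in plaintext. The sample remotes, credentials and category names are constructed, and the token pattern is a heuristic based on GitHub's `ghp_`-style prefixes and the older 40-hex token format.

```python
import re
from urllib.parse import urlsplit

# Heuristic: prefixed GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_)
# or an older 40-hex-character token.
TOKEN_RE = re.compile(r"^(gh[pousr]_\w+|github_pat_\w+|[0-9a-f]{40})$")
SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:")  # git@github.com:owner/repo.git

# Constructed sample of `git remote -v` output (names and secrets are made up).
SAMPLE = """\
origin\thttps://alice:hunter2@github.com/example/app.git (fetch)
origin\thttps://alice:hunter2@github.com/example/app.git (push)
ci\thttps://x-access-token:ghs_CONSTRUCTED000@github.com/example/app.git (fetch)
mirror\tgit@github.com:example/app.git (fetch)
docs\thttps://github.com/example/docs.git (fetch)
"""

def classify_remote(url):
    """Classify how a Git remote URL authenticates to GitHub."""
    if SCP_LIKE.match(url) or url.startswith("ssh://"):
        return "ssh-key"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "github.com":
        return "not-github-https"
    # A token may sit in the password slot or, alone, in the username slot.
    secret = parts.password if parts.password is not None else (parts.username or "")
    if TOKEN_RE.match(secret):
        return "token-in-url"      # accepted, but stored in plaintext in .git/config
    if parts.password is not None:
        return "password-in-url"   # account password: rejected for Git operations
    return "https-no-secret"       # a credential helper or prompt supplies the token

def redact(url):
    """Mask userinfo so findings can be logged without leaking the secret."""
    return re.sub(r"(?<=://)[^/@]+@", "***@", url)

def audit(remote_v_output):
    """Map (remote name, redacted URL) to its classification."""
    findings = {}
    for line in remote_v_output.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            findings[(fields[0], redact(fields[1]))] = classify_remote(fields[1])
    return findings

if __name__ == "__main__":
    for (name, url), kind in audit(SAMPLE).items():
        print(f"{name:8} {kind:18} {url}")
```

Remotes reported as `password-in-url` or `token-in-url` are candidates for switching to an SSH remote or a credential helper, so that no secret lives in `.git/config`.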
People aren’t happy about this. To them, I can only say, “Get over it.”
It’s not like GitHub sprang this as a surprise on us. GitHub warned this was coming eight months ago. I quote: “Beginning Aug. 13, 2021, we will no longer accept account passwords when authenticating Git operations on GitHub.com.”
People being people, however, there’s still a lot of grumbling. Seriously, it’s not that hard.
First, enable 2FA for your GitHub account. Just by doing this alone, you’ll block a wide range of attacks.
2FA works by requiring you to have two out of three kinds of credentials to access an account. These are:
- Something you know or can be given. Commonly this is a one-time PIN.
- Something you have, such as a secure ID card, a cellular phone, or a hardware security key.
- Something you are: biometric factors such as a fingerprint, retinal scan, or voice print.
GitHub gives you numerous options for using 2FA. These include:
- Physical security keys, such as YubiKeys.
- Virtual security keys built into your personal devices, such as laptops and phones that support WebAuthn-enabled technologies. These include Windows Hello, Apple’s Face ID/Touch ID, and Google’s built-in Chrome WebAuthn.
- Time-based One-Time Password (TOTP) authenticator apps such as Google Authenticator, Twilio Authy 2-Factor Authentication, and Microsoft Authenticator.
- And, of course, texting, aka Short Message Service (SMS).
While texting is available, GitHub strongly recommends you use security keys or TOTPs instead. That’s because there are way too many ways to break text-based 2FA. These include SIM swapping, text-spoofing, phishing, and security holes in the SS7 network, which telecoms use to manage calls and texts between phone numbers.
GitHub is fondest of the emerging WebAuthn secure authentication standard. It’s used, to one extent or another, in all the modern 2FA methods except for SMS.
The company also favors the use of YubiKeys. I like YubiKeys myself. After securing your account with one, there’s much more you can do with them. For example, you can digitally sign your git commits using a GPG key stored on your security key. GitHub provides a detailed guide for setting up your YubiKey with GitHub for commit verification and for SSH-based authentication. GitHub has also partnered with Yubico to create a step-by-step video guide to help you enable your security key for SSH keys and commit verification.
Last, but not least, GitHub is offering branded YubiKey 5 NFC and YubiKey 5C NFC keys for sale. They’re not cheap, ranging in price from $45 to $55, but they last for years and make it easy to log in securely, not just to GitHub but to all your other secured sites and services as well.
Moreover, GitHub isn’t the only company that wants you to give up passwords. Its parent company Microsoft wants to see the end of passwords sooner rather than later. As Alex Simons, Microsoft Identity Program Management’s Corporate VP, said, we’ve “been working hard this year in making passwords a thing of the past.”
Considering the endless security problems that can be traced back to passwords, that day can’t come soon enough.