Cloud Services / Security / Software Development

Github’s 2FA Move Was Long Overdue

10 May 2022 7:16am, by

On May 4, GitHub’s CSO Mike Hanley announced that all users who upload code to the site must enable one or more forms of two-factor authentication (2FA) by the end of 2023… or leave. It’s about time!

In case you’ve been asleep for the last few years, software supply chain attacks have become commonplace. One of the easiest ways to protect it is to use 2FA. 2FA is simple. Besides using a username/password pair to identify yourself you also use a second factor to prove your identity.

Three Standards

Under the surface, 2FA gets complicated. They rely on one of three standards: HMAC-based One Time Password (HOTP). Time-based One-Time Password (TOTP), or the FIDO Alliance‘s  FIDO2 Universal 2nd Factor (U2F) standard. But, you don’t need to worry about that as a developer, unless security, authentication, and identity are your thing. You just need to, as Hanley puts it, “enable one or more forms of 2FA.”

Stubborn, Ignorant Developers

It’s not that freaking hard. Still, “today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.” Why are developers so stubbornly stupid?

As Mark Loveless, a GitLab senior security researcher, put it recently, “The main reason for low adoption of a secondary authentication factor is that turning on any multi-factor authentication (MFA) is an extra step, as it is rarely on by default for any software package.” And we do so hate to take even one extra step.

Mind you, smarter developers on bigger projects do get it. Patrick Toomey, GitHub‘s director of product security engineering, recently observed that “Open source maintainers for well-established projects (more than 100 contributors) are three to four times more likely to make use of 2FA than the average user.” That comes as no surprise because “larger and more popular projects appreciate their position and responsibility in the open source software supply chain. In addition, these projects often become GitHub organizations, with the ability to manage access to their repositories using teams and set security policies, including a requirement to enable 2FA.”

Another factor in people refusing to get a 2FA clue is simple ignorance. For example, a discussion on the Reddit programming subreddit on the issue showed many people assume that 2FA is either hard (Spoiler: It’s not) or it’s not that secure because if uses a phone. True, 2FA that uses texting is relatively easy to break. Just ask Jack Dorsey, Twitter’s founder. Dorsey’s own Twitter account was hijacked thanks to a SIM swap attack.

Not Just SMS

But the important point here is you don’t need to use your texting, aka Short Message Service (SMS). For 2FA, GitHub explicitly tells you that can also use:

  • Physical security keys, such as YubiKeys
  • Virtual security keys built-in to your personal devices, such as laptops and phones that support WebAuthn-enabled technologies, like Windows Hello or Face ID/Touch ID
  • TOTP authenticator apps, such as Authy, the open source, FreeOTP; Google Authenticator, or Microsoft Authenticator.

It’s Not That Hard

It’s not that hard, people! It really isn’t. And, as for those who whine, “This will kill projects!” — any project that’s killed because its developers can’t do basic 2FA security is better off dead.

For too long in open source communities, we’ve been too inclined to think that hackers only attack proprietary programs. As James Arlen, Aiven CISO (chief information security officer), observed, “The reality of open-source software development over the last 30+ years has been based on a web of trust among developers. This was maintained through personal relationships in the early days but has grown beyond the ability of humans to know all of the other humans. With GitHub taking the step of providing deeper authentication requirements on developers, it will dramatically reduce the likelihood of a developer suffering an account takeover and the possibility of a violation of that trust.” In short, Angel Borroy, a Hyland developer evangelist, told me, “bad guys can see open source code” too.

GitHub is giving you until 2023. That’s much too kind of them. Your GitHub accounts being hijacked is a real and present danger. Adopt 2FA today. Adopt 2FA not only on GitHub but on all your code repositories and online services. It’s the best way you can protect yourself and your code from attackers today.

Featured image Ed Hardie on Unsplash.