Security news that informs and inspires

GitHub Drops Passwords in Favor of 2FA

The future may indeed be weird, but it’s also likely going to be more secure, as more and more platforms and services move away from the use of passwords for primary authentication. The latest major service to make the leap is GitHub, which now requires a form of strong authentication for any Git operations on the platform.

The change means that developers and integrators will need to use physical security keys, TOTP 2FA apps, or another form of strong authentication in order to run operations on GitHub. The company announced plans to make this move earlier this year, and the change went into effect last week. Although there are several supported options for 2FA on the platform, the company is encouraging users to opt for physical security keys if at all possible. Hardware security keys provide the best current protection against phishing and account takeover attacks, as they require the individual to have both credentials and physical access to the key in order to authenticate.

“In December, we announced that beginning August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations and will require the use of strong authentication factors, such as a personal access token, SSH keys (for developers), or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on GitHub.com,” GitHub CISO Mike Hanley said.

“The strongest methods widely available are those that support the emerging WebAuthn secure authentication standard. These methods include physical security keys as well as personal devices that support technologies such as Windows Hello or Face ID/Touch ID. We are excited and optimistic about WebAuthn, which is why we have invested early and will continue to invest in it at GitHub.”

WebAuthn has emerged as one of the key building blocks for making 2FA simpler and easier to use, and it has found its way into a number of products and apps. Rather than using passwords for authentication, WebAuthn allows sites, apps, and services to integrate strong authentication options such as hardware keys, Touch ID/Face ID, Windows Hello, and others into their authentication flows. All of the major browsers support WebAuthn, and it is part of the FIDO2 specification, so it is supported by the major hardware security keys, too.

GitHub’s move comes at a time when supply chain attacks, especially those against software, have become a serious threat, both for major providers and for developers of open source projects. One vector for those attacks is taking over the account of a developer with commit privileges on a target project and then adding malicious code. Compromising a library or project that is incorporated into many other apps could have serious downstream effects, and there have been a number of examples in the past.

The most recent incident involved an attacker gaining access to and modifying the commercial Codecov Bash Uploader script. The attacker had access to the script for more than two months and may have had access to customers’ environments during that time.

“The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script,” Jerrod Engelberg, CEO of the company, said in a statement.