SoylentNews is people

posted by janrinok on Monday March 13 2023, @10:39AM

On March 13, we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

GitHub is central to the software supply chain, and securing the software supply chain starts with the developer. Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security. Developers' accounts are frequent targets for social engineering and account takeover (ATO). Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain.

[...] If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You'll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders. We'll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com. You'll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited.

So, what if you're not in an early enrollment group but you want to get started? Click here and follow a few easy steps to enroll in 2FA.

[...] You can choose between TOTP, SMS, security keys, or GitHub Mobile as your preferred 2FA method.

Recent GitHub security incidents:
GitHub says hackers cloned code-signing certificates in breached repository (1/30/2023)
Slack's private GitHub code repositories stolen over holidays (1/5/2023)
Okta's source code stolen after GitHub repositories hacked (12/21/2022)


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 1, Insightful) by Anonymous Coward on Monday March 13 2023, @10:57AM (12 children)

    by Anonymous Coward on Monday March 13 2023, @10:57AM (#1295873)

    Do you trust Microsoft, and especially the Googley nu-Microsoft, not to misuse the 2FA data in the same fashion other large advertising driven entities have?

    • (Score: 4, Informative) by PiMuNu on Monday March 13 2023, @11:42AM (10 children)

      by PiMuNu (3823) on Monday March 13 2023, @11:42AM (#1295875)

      I was trying to figure out how TOTP works. The documentation is here:

      https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication [github.com]

      But it sounds like they are leaning on users creating an account for another web service (which has TFA?? who knows) that does the second factor. In any case I don't really see that this is any more secure than ssh keys; presumably, as with an ssh key, the best that can be done is install "some application" on my local machine; that requires me to enter a local password to unlock a one-time password that I send to github. An attacker who pwns my local machine can still attack my github account as previously.

      • (Score: 4, Informative) by fab23 on Monday March 13 2023, @12:23PM (7 children)

        by fab23 (6605) Subscriber Badge on Monday March 13 2023, @12:23PM (#1295878) Homepage

        TOTP (Time-Based One-Time Password) is an open standard defined in RFC 6238 [rfc-editor.org] (Wikipedia [wikipedia.org]).

        If you are old enough, you may remember the RSA SecurID [wikipedia.org] hardware token. Now we have smartphones and you can use such things in software, e.g. on iOS I like OTP Auth [apple.com], but there are others like Authy or Google Authenticator. For Android you may also find some open source apps. According to friends there are also cli tools available.

        I highly recommend saving the initially presented QR code image in a secure place, as it can be used if you need to initialize on another phone. Some of the above-mentioned TOTP apps support an export / backup of tokens. Depending on the implementation, a regular backup and restore to another smartphone may not work, as it is kind of bound to a hardware ID of the device.

        • (Score: 2, Insightful) by janrinok on Monday March 13 2023, @12:34PM (3 children)

          by janrinok (52) Subscriber Badge on Monday March 13 2023, @12:34PM (#1295881) Journal

          Doesn't this mean that Microsoft get your smartphone/cell phone number too? I am not giving Microsoft my smartphone number.

          • (Score: 3, Informative) by fab23 on Monday March 13 2023, @12:38PM

            by fab23 (6605) Subscriber Badge on Monday March 13 2023, @12:38PM (#1295883) Homepage

            At Github you have multiple options for 2FA; SMS (text) is one of them, but with TOTP they do not need to have your phone number.

            As far as I remember so far, only for the Google (Gmail) account you are forced to first add a phone number (can be mobile or land line) before you can activate TOTP.

          • (Score: 2) by fab23 on Monday March 13 2023, @12:46PM

            by fab23 (6605) Subscriber Badge on Monday March 13 2023, @12:46PM (#1295885) Homepage

            Some more details: when you activate TOTP in your account, you are presented with a QR code (which actually is just a string of "random" characters), which you need to scan with your chosen TOTP app. Don't forget to also save the QR image, or make a screenshot. Then you need to enter the code presented in your app into the website and your 2FA is activated. Next time you log in you will be asked for username and password as usual and then also for the current code the TOTP app shows (they usually change every minute).

          • (Score: 2) by Beryllium Sphere (r) on Monday March 13 2023, @06:10PM

            by Beryllium Sphere (r) (5062) on Monday March 13 2023, @06:10PM (#1295944)

            If you pick SMS as your authentication choice. But they offer many others, and I don't know anyone who recommends SMS if there's an alternative. NIST has pointed out the drawbacks in detail.

        • (Score: 3, Informative) by fab23 on Monday March 13 2023, @12:35PM

          by fab23 (6605) Subscriber Badge on Monday March 13 2023, @12:35PM (#1295882) Homepage

          Checked my notes: KeePassXC [keepassxc.org] could also be used to store the TOTP code, see the FAQ entry "KeePassXC allows me to store my TOTP secrets" [keepassxc.org].

          So there is no need for a smartphone.

        • (Score: 2) by PiMuNu on Monday March 13 2023, @01:00PM

          by PiMuNu (3823) on Monday March 13 2023, @01:00PM (#1295887)

          Thanks. Again, I don't see how this is much different to a private/public password as in ssh.

        • (Score: 1, Interesting) by Anonymous Coward on Monday March 13 2023, @05:39PM

          by Anonymous Coward on Monday March 13 2023, @05:39PM (#1295936)

          I am old enough to remember the RSA SecurID token. I felt somewhat important getting one, and it also made me feel a bit more confident about my job. I fully realize there was no logic to that. I'm sure plenty of people have been laid off the day after they got a token, but it was hard not to feel like I was a member of the club and would be OK for a while.

      • (Score: 2) by Beryllium Sphere (r) on Monday March 13 2023, @06:15PM

        by Beryllium Sphere (r) (5062) on Monday March 13 2023, @06:15PM (#1295947)

        It's to protect against phishing or credential stuffing.

        Though even if your machine is compromised, requiring a hardware token in the USB slot or a rotating code from an authenticator app on your phone will save the day.

      • (Score: 2) by Beryllium Sphere (r) on Monday March 13 2023, @06:29PM

        by Beryllium Sphere (r) (5062) on Monday March 13 2023, @06:29PM (#1295953)

        The token comes from a local phone app, but I don't know whether or not those work without a cloud account for backup.

    • (Score: 2) by Beryllium Sphere (r) on Monday March 13 2023, @06:22PM

      by Beryllium Sphere (r) (5062) on Monday March 13 2023, @06:22PM (#1295950)

      Please walk me through how someone could "misuse" the one-time token from my Yubikey.

      Wait, maybe I understand. You're looking at SMS "authentication", and don't like the idea of giving an evil company your cell number? That makes sense. Though using SMS for 2FA does not make sense even from a security standpoint.

  • (Score: 1, Troll) by SomeGuy on Monday March 13 2023, @12:15PM (4 children)

    by SomeGuy (5632) on Monday March 13 2023, @12:15PM (#1295877)

    Let me guess, it requires a glorious cell phone, and people who use proper landlines are expected to die because marketing can't advertise to them?

    • (Score: 1, Informative) by Anonymous Coward on Monday March 13 2023, @12:29PM

      by Anonymous Coward on Monday March 13 2023, @12:29PM (#1295880)

      Same comment here. I don't have a cell phone (my partner does--I use hers a few times a year). Better voice quality of the land line is the key for me.

      One possible workaround -- if you have Gmail (even a throwaway account), you also have Google Voice...which does SMS/texting. I've generally found it to be OK, but every now and then a text isn't received or delivered (and sometimes it comes in hours after it was sent), no idea why the reliability isn't 100%, but in my experience it's not.

      In my case I set up Voice when it was new-ish and have a separate phone number offered by Google for free. But I think you can also tie it to an existing number?

    • (Score: 3, Informative) by inertnet on Monday March 13 2023, @01:21PM

      by inertnet (4071) on Monday March 13 2023, @01:21PM (#1295889) Journal

      You should be able to use a desktop authenticator app for 2FA.

    • (Score: 2) by istartedi on Monday March 13 2023, @05:33PM

      by istartedi (123) on Monday March 13 2023, @05:33PM (#1295935) Journal

      Or if you have a feature phone, it won't work without an "app" which isn't supported on my device (although believe it or not, I think mine technically does but KaiOS is not a profitable target).

    • (Score: 2) by Beryllium Sphere (r) on Monday March 13 2023, @06:26PM

      by Beryllium Sphere (r) (5062) on Monday March 13 2023, @06:26PM (#1295952)

      According to the summary,
      "You can choose between TOTP, SMS, security keys, or GitHub Mobile as your preferred 2FA method."

      SMS is so bad that I question their decision to even offer it as an option:
      https://www.google.com/search?q=sms+2fa+attack+OR+vulnerable+OR+insecure&rlz=1CAEVJI_enUS977US977&oq=sms+2fa+attack+OR+vulnerable+OR+insecure&aqs=chrome..69i57j0i546l4.14221j0j7&sourceid=chrome&ie=UTF-8 [google.com]

  • (Score: 5, Interesting) by Ingar on Monday March 13 2023, @12:47PM

    by Ingar (801) on Monday March 13 2023, @12:47PM (#1295886) Homepage

    Some time ago, Microsoft forced all Minecraft players to convert their Mojang account to a Microsoft account.
    When I tried to do so, they promptly locked my Microsoft account and demanded a phone number to unlock it.
    So, no more Minecraft and no more Visual Studio for me.

    Since Microsoft acquired Github, I've been moving my repositories back to other hosts.
    I guess I can safely delete my Github account now.

    Also, no Windows 11 for me.

    The future looks bright and free of Microsoft.

  • (Score: 2) by stormreaver on Wednesday March 15 2023, @01:09AM

    by stormreaver (5101) on Wednesday March 15 2023, @01:09AM (#1296178)

    I absolutely hate the abysmal inferno of 2FA. Bottom line: it's incredibly inconvenient, and provides only the illusion of security. In reality, it's a disaster waiting to happen.
