You don’t need to provide a phone number to enable 2FA. GitHub supports OATH applications that generate one-time codes and webauthn so you can use it with a yubikey and not bother with pesky codes.
I wasn't aware that was configurable (we were told SMS or Gauthenticator app), I wanted just a OTP code. I'd be delighted if that's really available. I'll chase it up with our admin. Thanks
Often many 2-factor setup screens will directly reference GAuthenticator, but it is just a TOTP app so you can use any TOTP app with a GAuthenticator qr code, and you can usually get the secret text for copy paste to a desktop TOTP in case you can't scan a qr code, but i have seen some apps that don't make that easy. There is desktop software that will read qr codes from the screen.
In Google's Workspace Admin just got to:
Security -> Authentication -> 2-step verification
Then choose "Any except verification codes via text, phone call". This allows them to use TOTP, a security key such as a usb key or if they have a phone like a Pixel or iPhone that has a security key built in, or TOTP. They can also approve logins from another device that is already logged in, and can generate long-lived backup codes.
You can also allow only a security key, no TOTP or prompts and if, you do that, you can disable backup codes as well.
This is a step in the right direction. Although if i’m not mistaken the case for somebody stealing your .ssh directory with keys and contributing to GitHub over SSH still stands.
I guess it’d be hard to require everybody to password protect their ssh keys.
I suspect that if your main branch was protected, an attacker would be restricted to branches that require active access to automatically get into a distribution.
The vast majority of attacks these days are not via compromised desktop environments. They are from phishing, password reuse + third party password compromises, and weak passwords.
Its these most common attacks that Github is addressing with this change.
A quick off topic question related to 2FA. If an employee is required to complete the 2FA to access to the company's system, is the company responsible to provide the employee a necessary device (either phone or hardware token) to complete the 2FA?
In what way? Morally and ethically, I think you're going to get a resounding yes from people here. Legally, I very much doubt it, but I am not a lawyer.
Legally. In my opinion, if something is required for a worker to finish the job, the employer is obligated to provide it for free. I could be wrong. Curious to know other people's thought.
I’m not sure what the laws are, but it would seem pretty silly to fire an engineer over the cost of a device like this. Of course it is important that you don’t have a cellphone, from your employer’s point of view.
Or “I don’t bring it to work, I want to focus on your issues 100% no distractions, boss :)”
There are much better alternatives than buying a smartphone if all you want to provide is a 2FA device. Yubikey is one alternative, as a consumer you can buy it for ~50 EUR but I'm sure if you buy 100+ for employees, you can get some sort of deal with them.
We actually wanted to give company phones to the staff for this purpose among others but there was a rather big pushback, people didn't wanted another devices to carry.
If the company provides employees with a key to access the office, are they obliged to provide the employee with a keyring on which to put it? A pocket to keep it in? Or are they able to assume that the employee probably would prefer to keep the key on their own keyring, in their own pocket?
I feel the same about 2FA tokens. As a matter of convenience I install the tokens my employer gives me on my personal phone because it makes it easy for me to keep them available at all times.
If for some reason I was unable or unwilling to do so, though, I might expect to be allowed to expense a yubikey.
Maybe I don't understand what "contribute code" means... Do I only "contribute code" if I open a PR on a repo I don't own? Seems like a good option to allow people to enable, but forcing it is an unnecessary overreach.
I interpret it as: your account publishes code bits in any capacity, as opposed to a read-only account that only pulls and participates in social discussions.
GitHub is also one of the few big sites that support Passkeys for 2FA. You can use your Trusted Platform Module, Yubikey, or any Secure Enclave equipped Mac to 2FA.
I also learned that it's possible to create an ECDSA key pair within the Secure Enclave, and it is only possible to extract the public key, or to authenticate with it, including when you SSH to GitHub. Your private key is never on disk.
> GitHub is also one of the few big sites that support Passkeys for 2FA.
Not yet, it seems? "Lastly, we’re already testing passkeys internally, which we believe will combine ease of use with strong, phishing-resistant authentication. Keep an eye on this space for when this functionality is ready for you."
Passkeys are WebAuthn "discoverable credentials", meaning they contain a user identifier as well as a private key for signing.
When a site fully supports passkeys, you are able to sign in to your account without having to enter a username, just by using your site-specific passkey (e.g. https://www.passkeys.io).
GitHub's current implementation is based on pre-passkey WebAuthn that allows you to add a non-discoverable credential as 2nd factor. To sign in, you still need to enter your username, your password, and then get prompted for your WebAuthn credential, which can be stored on a physical security key, but also on your devices via the platform authenticator capability (Windows Hello, Touch ID, ...).
So, while GitHub's current 2nd-factor WebAuthn implementation (as awesome as it is) is not "passkey", I'm sure they will be among the first bigger websites to launch full passkey capabilities on their login page pretty soon.
> Enroll second factors. Having more accessible 2FA methods is important to ensure that you always have access to your account. You can now have both an authenticator app (TOTP) and an SMS number registered on your account at the same time. While we recommend using security keys and your TOTP app over SMS, allowing both at the same time helps reduce account lock out by providing another accessible, understandable 2FA option that developers can enable.
Nope, useless initiative if they allow people to use SMS codes. Sim-hijacking is so easy that I'd wager not having any 2FA is more secure than offering SMS 2FA, as people will also be able to social engineer Microsoft to give access to a GitHub account if they are the "telephone number owner", as long as they can prove they can solve the SMS 2FA.
I despise 2FA with a passion. Such a PITA. I already use separate, unique, long, random passwords for every site. And I don't even keep them on my phone, just on my desktop.
Maybe I should just self-host my few little open source projects...
If you already have unique, long, random passwords, I'm guessing you're using a password manager? Why not use the password manager for the 2FA as well?
Obviously, if your password manager gets broken into, you're fucked. But if the site only have the issue of exposing passwords, you'll be safe.
This seems a lot like a Microsoft-ism. It's being thrust down your throat and continually seems to be part of an effort to make their lives easier at our inconvenience.
Maybe you should host it yourself, this is not for the hardcore average HN user, it's for the public, the students that still use weak passwords ( sometimes the same on many websites ), people still trying to learn things, if this makes 90% of the accounts secure then it's a success !
No, that's not it at all. Github's blog post is clear that it only applies to developers "who contribute code", and the point of this is "securing the supply chain".
So yes, this is for the hardcore user and not for the students and people still trying to learn things. The latter are not part of the supply chain.
The code I upload to github is not part of "the software supply chain". Adding 2fa makes it more likely that I will lose access to my account. There is no way I'm going to participate in this. I'm especially not giving github my phone number or in any way associating my mobile device with their website.
I'm familiar with 2fa. It increases my risk and I'm not using it. I said I'm especially not using my phone. I did not say that 2fa = associating my mobile device.
It's pretty easy to add 2FA with almost no detectable increase in the risk of losing one's account.
Pick TOTP as your 2FA method and save the TOTP secret, which you can get on the TOTP setup page at Github by clicking the thing that says you want to use a text code instead of scanning a QR code.
It will give you a short text string. Save that string.
When you need the TOTP code for Github, use oathtool [1] or something similar. For oathtool:
oathtool --totp -b <aforementioned_string>
will give you the current TOTP code. The -b flag tells it the code is in base32. I think that is what Gitgub uses. If they use hex omit -b.
It seems like centralizing the idea of a “GitHub account” as a sort thing that needs to be secured and imbues a commit with trustworthiness. But wouldn’t it make more sense to use the already existing functionality to sign commits, with keys you control, if this is a real concern?
Prefer built in git functionality over GitHub-isms, right?
Last time I read through the T&C, they say you're not allowed to have multiple free accounts, but if you're paying for it, you should be fine. And if your employer requires you to have a GitHub account, they should pay for one for you to use.
I actually like sms 2fa. It all depends on your threat model of course.
I can lose my authenticator app, printed backup code, my hardware key but I'd still have a way to get access to my account back.
Infact I was on the "sms is unsafe" bandwagon until I nearly lost access to my Google Account.
Never again. Sim jacking is not a real world issue for most people. I'm not special enough that someone, especially someone who has the means to do sim jacking to want access to my accounts.
People do what you are comfortable with, if you are that important, I'm sure whoever wants your stuff will find other ways to get it.[1]
I hate the 2FA story, they shouldn't let you enable it unless you enroll at least two different factors. One primary and one for recovery.
The only case where it should be fine to have a single second factor is with your employer, where you have other means to authenticate (i.e. likely your boss knows you and can vouch for you on a 2FA reset).
Also making it mandatory for things that you may really don't care about is overkill.
I would prefer to have ID verification, rather than an anonymous account, for account recovery.
You lose the second factor, and you can re-authenticate by, let's say, making a small payment with a credit card in your name plus some photo id.
I gotta say, I don't believe most people here. When it comes right down to it, learning the habit of plugging your yubikey in when you sit down, is much easier than switching git hosting providers and all associated migrations that might not even ... Be possible outside the GitHub ecosystem.
I say this as someone with intentions to leave GitHub, but that has more to do with them ruining nixpkgs contribution history by MAKING ENTIRE ISSUES AND PULL REQUESTS UNVIEWABLE because a single banned user participated in them years ago. Love you GitHub, brilliant.
Another quick off topic question related to 2FA. If students are required to complete the 2FA to access to university's learning resources, is the university responsible to provide a hardware token if some students cannot afford/use the mobile phone to complete the 2FA?
89 comments
[ 3.3 ms ] story [ 156 ms ] threadI wonder if I will be able to connect and pull from a private repository without 2FA. Otherwise my personal web server setup breaks.
Per-repository deploy tokens should function for that purpose.
In Google's Workspace Admin just got to:
Security -> Authentication -> 2-step verification
Then choose "Any except verification codes via text, phone call". This allows them to use TOTP, a security key such as a usb key or if they have a phone like a Pixel or iPhone that has a security key built in, or TOTP. They can also approve logins from another device that is already logged in, and can generate long-lived backup codes.
You can also allow only a security key, no TOTP or prompts and if, you do that, you can disable backup codes as well.
Obviously, but I don't think they did good enough. Why enable SMS 2FA at all? It's horribly insecure.
I guess it’d be hard to require everybody to password protect their ssh keys.
Its these most common attacks that Github is addressing with this change.
See the entire food delivery industry
Or “I don’t bring it to work, I want to focus on your issues 100% no distractions, boss :)”
If we decide to go with a BYOD or other telephony option, then I'm going to push for standardized 2FA hardware devices.
Hardware tokens cost <$50, compared to what companies pay employees on a monthly basis it's peanuts.
I feel the same about 2FA tokens. As a matter of convenience I install the tokens my employer gives me on my personal phone because it makes it easy for me to keep them available at all times.
If for some reason I was unable or unwilling to do so, though, I might expect to be allowed to expense a yubikey.
Not yet, it seems? "Lastly, we’re already testing passkeys internally, which we believe will combine ease of use with strong, phishing-resistant authentication. Keep an eye on this space for when this functionality is ready for you."
[1] https://github.com/settings/security
Passkeys are WebAuthn "discoverable credentials", meaning they contain a user identifier as well as a private key for signing.
When a site fully supports passkeys, you are able to sign in to your account without having to enter a username, just by using your site-specific passkey (e.g. https://www.passkeys.io).
GitHub's current implementation is based on pre-passkey WebAuthn that allows you to add a non-discoverable credential as 2nd factor. To sign in, you still need to enter your username, your password, and then get prompted for your WebAuthn credential, which can be stored on a physical security key, but also on your devices via the platform authenticator capability (Windows Hello, Touch ID, ...).
So, while GitHub's current 2nd-factor WebAuthn implementation (as awesome as it is) is not "passkey", I'm sure they will be among the first bigger websites to launch full passkey capabilities on their login page pretty soon.
- SMS
- Mobile app
What if someone doesn't have a phone?
Nope, useless initiative if they allow people to use SMS codes. Sim-hijacking is so easy that I'd wager not having any 2FA is more secure than offering SMS 2FA, as people will also be able to social engineer Microsoft to give access to a GitHub account if they are the "telephone number owner", as long as they can prove they can solve the SMS 2FA.
Sad to see, but not surprising.
Maybe I should just self-host my few little open source projects...
Obviously, if your password manager gets broken into, you're fucked. But if the site only have the issue of exposing passwords, you'll be safe.
Why suggest an extra step to them if they're claiming it's unnecessary? Can you at least try to explain why you think it adds value?
I thought I already did? "But if the site only have the issue of exposing passwords, you'll be safe." is not clear enough?
Mostly the built-in Mac keychain, stored locally, no iCloud.
Of course. I have encrypted offsite backups, as one should. Doesn't everyone?
So yes, this is for the hardcore user and not for the students and people still trying to learn things. The latter are not part of the supply chain.
There are numerous devices you can use for TOTP 2FA, your computer, a hardware device and even your browser via authn.
Pick TOTP as your 2FA method and save the TOTP secret, which you can get on the TOTP setup page at Github by clicking the thing that says you want to use a text code instead of scanning a QR code.
It will give you a short text string. Save that string.
When you need the TOTP code for Github, use oathtool [1] or something similar. For oathtool:
will give you the current TOTP code. The -b flag tells it the code is in base32. I think that is what Gitgub uses. If they use hex omit -b.[1] https://www.nongnu.org/oath-toolkit/oathtool.1.html
It seems like centralizing the idea of a “GitHub account” as a sort thing that needs to be secured and imbues a commit with trustworthiness. But wouldn’t it make more sense to use the already existing functionality to sign commits, with keys you control, if this is a real concern?
Prefer built in git functionality over GitHub-isms, right?
Last time I read through the T&C, they say you're not allowed to have multiple free accounts, but if you're paying for it, you should be fine. And if your employer requires you to have a GitHub account, they should pay for one for you to use.
This is Microsoft. Embrace (git) and extend (gittub-isms).
I can lose my authenticator app, printed backup code, my hardware key but I'd still have a way to get access to my account back.
Infact I was on the "sms is unsafe" bandwagon until I nearly lost access to my Google Account.
Never again. Sim jacking is not a real world issue for most people. I'm not special enough that someone, especially someone who has the means to do sim jacking to want access to my accounts.
People do what you are comfortable with, if you are that important, I'm sure whoever wants your stuff will find other ways to get it.[1]
[1]https://xkcd.com/538/
The only case where it should be fine to have a single second factor is with your employer, where you have other means to authenticate (i.e. likely your boss knows you and can vouch for you on a 2FA reset).
Also making it mandatory for things that you may really don't care about is overkill.
I would prefer to have ID verification, rather than an anonymous account, for account recovery.
You lose the second factor, and you can re-authenticate by, let's say, making a small payment with a credit card in your name plus some photo id.
What happens when my phone is eventually stolen? I must now depend on the goodwill of morose carriers?
I say this as someone with intentions to leave GitHub, but that has more to do with them ruining nixpkgs contribution history by MAKING ENTIRE ISSUES AND PULL REQUESTS UNVIEWABLE because a single banned user participated in them years ago. Love you GitHub, brilliant.
I will not use 2FA, thus my github account goes into the trash bin.