Github’s 2FA Move Was Long Overdue The New Stack – thenewstack.io

On May 4, GitHubs CSO Mike Hanley announced that all users who upload code to the site must enable one or more forms of two-factor authentication (2FA) by the end of 2023 or leave. Its about time!

In case youve been asleep for the last few years, software supply chain attacks have become commonplace. One of the easiest ways to protect it is to use 2FA. 2FA is simple. Besides using a username/password pair to identify yourself you also use a second factor to prove your identity.

Under the surface, 2FA gets complicated. They rely on one of three standards: HMAC-based One Time Password (HOTP). Time-based One-Time Password (TOTP), or the FIDO Alliances FIDO2 Universal 2nd Factor (U2F) standard. But, you dont need to worry about that as a developer, unless security, authentication, and identity are your thing. You just need to, as Hanley puts it, enable one or more forms of 2FA.

Its not that freaking hard. Still, today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA. Why are developers so stubbornly stupid?

As Mark Loveless, a GitLab senior security researcher, put it recently, The main reason for low adoption of a secondary authentication factor is that turning on any multi-factor authentication (MFA) is an extra step, as it is rarely on by default for any software package. And we do so hate to take even one extra step.

Mind you, smarter developers on bigger projects do get it. Patrick Toomey, GitHubs director of product security engineering, recently observed that Open source maintainers for well-established projects (more than 100 contributors) are three to four times more likely to make use of 2FA than the average user. That comes as no surprise because larger and more popular projects appreciate their position and responsibility in the open source software supply chain. In addition, these projects often become GitHub organizations, with the ability to manage access to their repositories using teams and set security policies, including a requirement to enable 2FA.

Another factor in people refusing to get a 2FA clue is simple ignorance. For example, a discussion on the Reddit programming subreddit on the issue showed many people assume that 2FA is either hard (Spoiler: Its not) or its not that secure because if uses a phone. True, 2FA that uses texting is relatively easy to break. Just ask Jack Dorsey, Twitters founder. Dorseys own Twitter account was hijacked thanks to a SIM swap attack.

But the important point here is you dont need to use your texting, aka Short Message Service (SMS). For 2FA, GitHub explicitly tells you that can also use:

Its not that hard, people! It really isnt. And, as for those who whine, This will kill projects! any project thats killed because its developers cant do basic 2FA security is better off dead.

For too long in open source communities, weve been too inclined to think that hackers only attack proprietary programs. As James Arlen, Aiven CISO (chief information security officer), observed, The reality of open-source software development over the last 30+ years has been based on a web of trust among developers. This was maintained through personal relationships in the early days but has grown beyond the ability of humans to know all of the other humans. With GitHub taking the step of providing deeper authentication requirements on developers, it will dramatically reduce the likelihood of a developer suffering an account takeover and the possibility of a violation of that trust. In short, Angel Borroy, a Hyland developer evangelist, told me, bad guys can see open source code too.

GitHub is giving you until 2023. Thats much too kind of them. Your GitHub accounts being hijacked is a real and present danger. Adopt 2FA today. Adopt 2FA not only on GitHub but on all your code repositories and online services. Its the best way you can protect yourself and your code from attackers today.

Featured image Ed HardieonUnsplash.

Here is the original post:
Github's 2FA Move Was Long Overdue The New Stack - thenewstack.io

Related Posts
This entry was posted in $1$s. Bookmark the permalink.