GitHub urges users to enable 2FA after going passwordless

GitHub urges its user base to toggle on two-factor authentication (2FA) after deprecating password-based authentication for Git operations.

“If you have not done so already, please take this moment to enable 2FA for your GitHub account,” the company’s Chief Security Officer Mike Hanley said.

“The benefits of multifactor authentication are widely documented and protect against a wide range of attacks, such as phishing.”

Hanley recommends using one of several 2FA options available on GitHub, including physical security keys, virtual security keys built into devices such as phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps.

While SMS-based 2FA is also available, GitHub urges users to choose security keys or TOTPs wherever possible since SMS is less secure given that threat actors can bypass or steal SMS 2FA auth tokens.

GitHub also provides a step-by-step video guide on how you can enable your security key for SSH keys and Git commit verification.

Why is 2FA important?

Enforcing passwordless authentication via Git operations is important because it increases GitHub accounts’ resilience against takeover attempts by preventing attackers’ attempts to use stolen credentials or reused passwords to hijack accounts.

As Alex Weinert, Microsoft’s Director of Identity Security, said a couple of years ago, “your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Weinert also added that the “use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”

Google researchers also commented that “simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.”

At the same time, “zero users that exclusively use security keys fell victim to targeted phishing.”

GitHub’s efforts to secure users’ accounts

GitHub reminded users last week that account passwords will no longer be accepted for authenticating Git operations starting with August 13.

The change was first announced in July 2020 when GitHub said that authenticated Git operations would require using SSH key or token-based authentication.

GitHub also disabled password authentication via the REST API in November 2020 and added support for securing SSH Git operations using FIDO2 security keys in May 2021.

Account security was also improved over the years by adding two-factor authentication, sign-in alerts, verified devices, blocking the use of compromised passwords, and WebAuthn support.