GitHub’s Hardcore Plan to Roll Out Two-Factor Authentication (2FA)

You have heard the advice for years: enable two-factor authentication wherever it is offered. It has long been clear that a username and password alone are not enough to secure a digital account. Adding a second authentication “factor” – a randomly generated code or a physical token – makes the keys to your kingdom much harder to guess or steal. The stakes are high for individuals and institutions alike as they try to protect valuable and sensitive networks and data from targeted attackers and opportunistic criminals.
But for all its benefits, it often takes some tough love to get people to actually turn on two-factor authentication, commonly known as 2FA. At the Black Hat security conference in Las Vegas yesterday, John Swanson, director of security strategy at GitHub, presented results from the dominant software development platform’s two-year effort to research, plan, and then begin rolling out mandatory two-factor authentication for all accounts. The effort is becoming more urgent as attacks on the software supply chain proliferate and threats to the software development ecosystem grow.
“There’s been a lot of talk about exploits, zero days, and build pipeline compromises when it comes to the software supply chain, but at the end of the day, the easiest way to compromise the software supply chain is to compromise a single developer or engineer,” Swanson told WIRED ahead of his conference presentation. “We think 2FA is a really powerful way to prevent that.”
Companies like Apple and Google have made concerted efforts to move their massive user bases toward 2FA, but Swanson points out that companies with a hardware ecosystem of phones and computers have more options beyond software to help customers make the transition. Web platforms like GitHub need tailored strategies to ensure that the second factor is not too onerous for users around the world, who all have different circumstances and resources.
For example, receiving randomly generated two-factor codes by SMS text message is less secure than generating those codes in a dedicated mobile app, because attackers have methods to take over a target’s phone number and intercept their text messages. Largely because of cost concerns, companies like X, formerly known as Twitter, have restricted their SMS two-factor offerings. But Swanson says that he and his GitHub colleagues studied the choice carefully and concluded that offering multiple two-factor options mattered more than taking a hard line on SMS code delivery. Any second factor is better than none. GitHub also offers and strongly promotes alternatives such as a code-generating authenticator app, mobile push-based authentication, or a hardware authentication token. The company also recently added passkey support.
The bottom line is that, one way or another, all 100 million GitHub users will be enabling 2FA if they have not already. Before starting the rollout, Swanson and his team spent a lot of time researching the two-factor user experience. They overhauled the onboarding flow to make it harder for users to misconfigure two-factor authentication, a leading cause of customers getting locked out of their accounts. The new process puts greater emphasis on steps like downloading backup recovery codes, so users have a safety net for regaining access to their accounts if they lose their second factor. The company also reviewed its support capabilities to ensure that questions and concerns could be handled smoothly.