GitHub adds hardware-based authentication for developers

GitHub developers will now be able to log in to the code repository using YubiKey hardware keys

Two-factor authentication for GitHub repositories just got a little more universal.

GitHub expanded its authentication system to support the FIDO Universal 2nd Factor (U2F) standard in order to offer developers a hardware-backed alternative to existing login methods, the company announced Thursday at its GitHub Universe event in San Francisco. The largest code-based cloud repository is teaming up with security company Yubico, co-creator of the U2F standard, to provide developers with U2F-compliant hardware keys.

The standard was designed to address phishing and man-in-the-middle attacks. As a hardware-backed system, it has an advantage over software-based systems such as the Google Authenticator app because the private keys cannot be intercepted. There are no SMS messages to intercept and no malware to compromise the app.

Adding U2F support "improves the security of GitHub for all our users," said Shawn Davenport, senior vice president of security at GitHub.

U2F-compliant hardware keys, such as the YubiKey, plug into the USB port and require just a simple touch of the finger to trigger the public/private key exchange. Since U2F is natively supported in platforms and browsers, there is no need for separate software drivers or third-party client software.
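To show why the touch-to-sign flow described above resists phishing, here is an added Go sketch of a U2F authentication response and the relying party's check; it is not GitHub's or Yubico's code, and the Token type, the origins and the challenge value are assumed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Token models the key a U2F device registered for one site: a P-256 key pair
// plus a signature counter (key handle and attestation omitted for brevity).
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewToken() *Token {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: k}
}

func (t *Token) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

// signedData is the U2F authentication message the device signs:
// SHA256(appID) || userPresence || counter (big-endian) || SHA256(clientData),
// where clientData is browser-built JSON holding the challenge and true origin.
func signedData(appID string, up byte, counter uint32, clientData []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(app[:], up, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	h := sha256.Sum256(append(msg, cdh[:]...))
	return h[:]
}

// Sign is the touch: the device signs for whatever appID the browser hands it,
// so a phishing site gets a signature over its own (wrong) appID, not GitHub's.
func (t *Token) Sign(appID string, clientData []byte) (up byte, counter uint32, sig []byte) {
	t.counter++
	sig, _ = ecdsa.SignASN1(rand.Reader, t.priv, signedData(appID, 1, t.counter, clientData))
	return 1, t.counter, sig
}

// Verify is the relying party's check: its own appID goes into the hash, the
// clientData must carry its challenge and origin, counter must rise, presence set.
func Verify(pub *ecdsa.PublicKey, appID, challenge string, last uint32,
	clientData []byte, up byte, counter uint32, sig []byte) bool {
	var c map[string]string
	if json.Unmarshal(clientData, &c) != nil || c["challenge"] != challenge || c["origin"] != appID {
		return false
	}
	return up&1 == 1 && counter > last && ecdsa.VerifyASN1(pub, signedData(appID, up, counter, clientData), sig)
}
```

The counter check is what lets a site notice a cloned key or a replayed response, which is why the stored counter must be updated after every successful login.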

All Universe attendees received a token which they can exchange for their own YubiKey. The first 5,000 GitHub users to order a YubiKey via the special offer page will be able to purchase the special edition key for $5. All GitHub users -- 95,000 or so strong -- and students will be eligible for a 20 percent discount on the price of a YubiKey. To be eligible for the promotion, users must first verify they have a GitHub account.

Developers who already have a YubiKey, perhaps to access accounts on other FIDO U2F-compliant services such as Google and Dropbox, will be able to continue using the same key, so long as the model is U2F compliant. "The more places you can use the key, the better it is for authentication," Davenport said.

GitHub currently offers multiple two-factor authentication schemes, including sending one-time passcodes over SMS messages and using the Google Authenticator app. The new U2F support will not change those methods, and developers who prefer existing methods won't be forced to switch. They can continue using their phones as their second factor and not worry about having to carry a key at all times. Those users who find it time-consuming or frustrating to first unlock their devices, launch the app, and then get the key, may prefer the one-touch aspect of the YubiKey.

GitHub is committed to providing users with improved user experience, while still recognizing user preferences, Davenport said.

The most interest for two-factor authentication has been among U.S.-based developers and their European counterparts, and Davenport expects the same pattern of adoption with the YubiKey. There were several reasons for lower adoption in other regions -- such as India and Latin America -- including the challenges of sending SMS messages internationally. Yubico does ship keys around the world, so adding U2F to GitHub may help address some of those reasons in those regions.

GitHub wants this announcement to be the "catalyst to use U2F around the world," Davenport said.

Developers are also encouraged to build U2F support into their own applications. At the moment, GitHub is supporting U2F only for logging in, but Davenport said GitHub and Yubico are discussing other potential areas of integration, such as maintaining code integrity and code signing. In fact, there is an internal project at Yubico where developers use the YubiKey's PGP functionality to sign their code. Although the process is "not quite yet one-touch" and the user experience needs more work, it highlights different ways the YubiKey can be used, said Stina Ehrensvärd, CEO and founder of Yubico.

GitHub is turning on U2F support for both the cloud-based service and GitHub Enterprise, the on-premises version of the code repository. Enterprise users would register their keys with their repositories in order to use them, Davenport said.

As breaches have repeatedly shown, passwords alone are not enough to secure accounts or keep data safe. With U2F, the goal is to move developers and companies away from "default" security to "better" security, Ehrensvärd said. Hardware-based alternatives make it simple to put scalable public key cryptography in the hands of millions of Internet users. With GitHub, it's a more secure repository, one developer and one key at a time.

Stories by Fahmida Y. Rashid