GitHub has confirmed it is no longer accepting or honoring account passwords for executing Git operations. The online repository for software developers is now urging members to adopt any one or multiple Two-Factor or Multi-Factor Authentication (2FA) mechanisms.
Multi-Factor Authentication of 2FA is now mandatory for authenticating Git operations. The platform offers a number of 2FA methods including physical keys, virtual keys, authenticator apps, and SMS OTP (One Time Password).
Start activating and using Multi-Factor Authentication for authenticating Git operations, orders GitHub:
Starting this week, GitHub has deployed additional security measures to ensure only authentic developers use the platform to submit their creations. In other words, starting from August 13, GitHub has stopped accepting account passwords for authenticating Git operations.
The platform first announced the policy back in July 2020. Back then, the online repository had mandated using SSH key or token-based authentication.
— BleepingComputer (@BleepinComputer) August 18, 2021
Incidentally, GitHub also disabled password authentication via the REST API in November 2020. The platform added support for securing SSH Git operations using FIDO2 security keys in May 2021.
GitHub has been steadily adding multiple authentication and authorization systems. Currently, the platform has two-factor authentication, sign-in alerts, verified devices, blocking the use of compromised passwords, and WebAuthn support.
GitHub repeatedly stresses the need for 2FA or MFA while securing accounts and online activities:
Moving ahead, developers will need to use 2FA for all their “Git commits”. The platform is no longer accepting username and password combinations for such actions.
GitHub reportedly supports all the latest Multi-Factor Authentication (MFA) platforms. These include physical security keys, virtual security keys built into devices such as phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps.
GitHub also offers SMS-based 2FA. However, SMS is much less secure. There have been multiple cases wherein hackers have managed to bypass or steal SMS 2FA auth tokens.
— Bitwarden (@Bitwarden) August 18, 2021
2FA or MFA have proven to be very effective against hackers or threat actors. Reports indicate stolen credentials are quickly checked for accuracy, relevance, and validity within hours of leaks or theft.
Any additional security or protection, apart from a password, is a big deterrent for hackers as the cost vs. incentive ratio isn’t lucrative. Google researchers claim just adding a recovery phone number as a 2FA “can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks.”
Talk about timing!
In my @defcon talk last week, I walked through the hypothetical hacking of Tatter (a made up company whose AppSec program we learned from) that involved compromising their private GitHub code repos, due to lack of 2FA.
— Arjun G (@247arjun) August 17, 2021
Alex Weinert, Microsoft’s Director of Identity Security claims accounts with MFA were 99.9 percent less likely to be compromised. Simply put, 2FA or MFA may be cumbersome, but they are now one of the most promising security layers that stands between threat actors and users.