GitHub 2FA Push is Positive, But There’s More to Be Done

All developers contributing code on GitHub will be required to enable at least one form of two-factor authentication (2FA) by the end of next year, and the site is already well into its effort to move developers over in cohorts every few months.

“We believe that our unique position as the home for all developers means that we have both an opportunity and a responsibility to raise the bar for security across the software development ecosystem,” GitHub said in a blog post.

“While we are investing deeply across our platform and the broader industry to improve the overall security of the software supply chain, the value of that investment is fundamentally limited if we do not address the ongoing risk of account compromise,” the post read. “Our response to this challenge continues today with our commitment to drive improved supply chain security through safe practices for individual developers.”

The move drew kudos from security pros. “I commend GitHub for their decision to enable one or more forms of two-factor authentication (2FA) by the end of 2023,” said Joseph Carson, chief security scientist and advisory CISO at Delinea. “Multi-factor authentication (MFA) should be used anywhere and everywhere possible as it is the best next-step way to authenticate identities beyond simply using a username and password.”

A Great Move for GitHub

The move “to enforce stronger protections on the more than 70 million users and 100 million repositories GitHub hosts is a great move,” said Casey Bisson, head of product and developer relations at BluBracket.

Calling the effort a significant step “toward increasing the complexity of account takeovers,” Andrew Hay, COO at Lares Consulting, said 2FA “has proven time and time again that multifactor authentication provides an additional layer of protection to a user’s account without exponentially complicating the login process.”

GitHub noted that supply chain security starts with the developer, whose accounts are often targeted in social engineering efforts and account takeovers. “Protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” the platform said, explaining it has a “long history of protecting developers through efforts including seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support and enrolling all npm publishers in enhanced login verification.”

Security Breaches Focus on Path of Least Resistance

As GitHub pointed out, security breaches, by and large, don’t stem from exotic zero-day attacks, “but rather involve lower-cost attacks like social engineering, credential theft or leakage and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to.”

From there, compromised accounts are used to steal private code or make malicious changes to it. “This places not only the individuals and organizations associated with the compromised accounts at risk but also any users of the affected code,” GitHub said. “The potential for downstream impact to the broader software ecosystem and supply chain, as a result, is substantial.”

“Hackers have long targeted code, and recent events have highlighted the seriousness of the threat,” Bisson noted.

And advancements “in MFA options have made it far less burdensome to users,” said Carson.

“However, the most common mistake we see with MFA is that it is being used in addition to existing security controls as another step, rather than making it easier and removing existing but poor authentication practices. It is simply added on to existing security controls,” he said.

The GitHub initiative “will help motivate any that haven’t yet enabled the option, but we also have to acknowledge the limits,” said Bisson, the most obvious of which is that it isn’t likely to solve security problems in their entirety.

“Developer productivity often requires broad access to code. Private repositories—even with improved authentication—provide little protection to companies that store keys, secrets and other sensitive material in their code,” he said. “Most of the companies recently attacked by Lapsus$, for example, also had strong authentication policies with 2FA, yet still saw their code—and all the keys and passwords in it—leaked publicly.”

MFA must “be adaptive to the risks and identify when users must re-verify before access is granted,” Carson said. He suggested using “MFA to reduce cyber fatigue and not add to it. MFA should be used to make authentication more efficient; reducing the need for users to type in their passwords or even the need to create new passwords, as humans are the worst at choosing long complicated passwords. The less we do that the more we reduce that risk,” he added.

GitHub said it will remove any organization and enterprise members or owners who don’t comply. But Hay said that might cloud the horizon. “We don’t expect this to cause many issues, but it may lead to some calls to the support desk if a user finds that they can no longer access the code repositories they once had access to,” he explained.
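Organization owners can get ahead of those support calls by auditing who still has 2FA turned off. The script below is an added example, not part of the original article and not GitHub’s own tooling. It uses the documented REST endpoint GET /orgs/{org}/members with the filter=2fa_disabled query parameter (available to organization owners only) and follows Link-header pagination. The org name and token are placeholders, and the two sample pages at the bottom are constructed so the list-flattening logic can be exercised offline.

```python
"""Audit which members of a GitHub organization still lack 2FA.

Added example, not GitHub's code. It calls the real REST endpoint
GET /orgs/{org}/members?filter=2fa_disabled (organization owners only)
and walks the Link header for pagination. SAMPLE_PAGES is constructed
data so the flattening logic can be checked without network access.
"""
import json
import os
import re
import sys
import urllib.request

API = "https://api.github.com"


def parse_next_link(link_header):
    """Return the URL tagged rel="next" from a Link header, or None.

    GitHub paginates list endpoints with RFC 5988 Link headers such as
    <https://.../members?page=2>; rel="next", <...?page=5>; rel="last".
    """
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>\s*;\s*rel="([^"]+)"', part)
        if m and m.group(2) == "next":
            return m.group(1)
    return None


def logins_from_pages(pages):
    """Flatten paged member objects into a sorted list of unique logins."""
    seen = set()
    for page in pages:
        for member in page:
            seen.add(member["login"])
    return sorted(seen)


def fetch_pages(url, token):
    """Yield parsed JSON pages, following rel="next" until exhausted."""
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            yield json.load(resp)
            url = parse_next_link(resp.headers.get("Link"))


def members_without_2fa(org, token):
    """List members of `org` who have not enabled 2FA (owners only).

    The filter parameter is documented by GitHub; the API returns 422
    if the caller is not an organization owner.
    """
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    return logins_from_pages(fetch_pages(url, token))


# Constructed sample: two pages in the shape the API returns, with a
# duplicate login to show that the flattening step de-duplicates.
SAMPLE_PAGES = [
    [{"login": "alice", "id": 1}, {"login": "bob", "id": 2}],
    [{"login": "carol", "id": 3}, {"login": "bob", "id": 2}],
]


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=... python audit_2fa.py <org>
    # ORG_NAME and GITHUB_TOKEN are placeholders supplied by the caller.
    if len(sys.argv) != 2 or "GITHUB_TOKEN" not in os.environ:
        print("usage: GITHUB_TOKEN=<token> python audit_2fa.py <org>")
        sys.exit(2)
    for login in members_without_2fa(sys.argv[1], os.environ["GITHUB_TOKEN"]):
        print(login)
```

Run it with an owner-scoped token and the organization name; every login it prints is an account that will lose access when the enforcement deadline lands, which is the list to chase before the support desk hears about it.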


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
