
GitHub upgrades two-factor authentication with WebAuthn support

Standard enables more security key options with passwordless a future possibility


GitHub has announced support for the Web Authentication (WebAuthn) security standard.

GitHub already supports two-factor authentication (2FA) via SMS texts (the least secure option, given that phone numbers can be hijacked and SMS messages intercepted), one-time password authentication apps, or U2F (Universal Second Factor) security keys.

U2F is an older standard, though, and in March this year the World Wide Web Consortium (W3C) approved the WebAuthn specification, part of the FIDO Alliance's FIDO2 specification set.

The move to WebAuthn means GitHub supports physical security keys via browsers including Firefox and Chrome on Windows, macOS, Linux and Android, on macOS with preview versions of Safari, and on iOS with Brave and a YubiKey 5Ci.

Securing a GitHub account with a physical security key

You can also now use a laptop or phone as a security key, via Windows Hello, Touch ID on macOS, or a fingerprint reader on Android.

GitHub currently supports security keys only as a supplementary option, available once you have already set up 2FA using SMS or an authenticator app. That said, GitHub is exploring making security keys a primary option, or even enabling passwordless login.
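What makes a WebAuthn key phishing-resistant and clone-resistant is the data the authenticator signs for the site: a hash of the relying party's domain, user-presence/user-verification flags (a touch, or Touch ID and Windows Hello for the platform authenticators mentioned above), and a signature counter. The following is an added illustration, not GitHub's code, of the checks a relying party applies to that authenticatorData field on login; it deliberately omits the public-key signature check over authenticatorData plus the clientDataJSON hash, and the sample records are constructed inline.

```python
import hashlib
import struct

# WebAuthn authenticatorData layout for an assertion (no attested credential data):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN, fingerprint, Windows Hello, Touch ID


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def verify_assertion_data(auth_data, expected_rp_id, stored_sign_count, require_uv=False):
    """Return (ok, reason, sign_count_to_store) for one login attempt."""
    parsed = parse_authenticator_data(auth_data)
    # The authenticator hashes the RP ID it was asked to sign for, so a credential
    # exercised on a lookalike domain produces a hash the real site rejects.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for another site", stored_sign_count
    if not parsed["user_present"]:
        return False, "user presence flag not set", stored_sign_count
    if require_uv and not parsed["user_verified"]:
        return False, "user verification required but not performed", stored_sign_count
    new_count = parsed["sign_count"]
    # A counter that fails to advance (when either side uses one) suggests a cloned key.
    if (new_count != 0 or stored_sign_count != 0) and new_count <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned authenticator", stored_sign_count
    return True, "ok", new_count


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample record for the demonstration; real ones come from the key."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    print(verify_assertion_data(make_auth_data("github.com", FLAG_UP | FLAG_UV, 42), "github.com", 41, True))
    print(verify_assertion_data(make_auth_data("lookalike.example", FLAG_UP, 43), "github.com", 41))
```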

A potential hazard with 2FA is the risk of getting locked out of your account. GitHub offers a couple of ways around this: recovery codes, shown when you set up 2FA, that you can print out or copy to a password manager; and a suggestion that you use an authenticator app that permits backup of your keys, unlike Google Authenticator or Microsoft Authenticator.

Securing GitHub accounts is a priority since compromise may enable a bad guy to insert backdoors, password stealers, or other malware into the code for an application, a website, or library code used by multiple developers. Malware was recently discovered in a Ruby Gem package, believed to be caused by a hacked developer account. ®
