Two-factor authentication for GitHub repositories just got a little more universal.
GitHub expanded its authentication system to support the FIDO Universal 2nd Factor (U2F) standard in order to offer developers a hardware-backed alternative to existing login methods, the company announced Thursday at its GitHub Universe event in San Francisco. The largest cloud-hosted code repository service is teaming up with security company Yubico, co-creator of the U2F standard, to provide developers with U2F-compliant hardware keys.
The standard was designed to address phishing and man-in-the-middle attacks. As a hardware-backed system, it has an advantage over software systems such as the Google Authenticator app because the private keys never leave the device and so cannot be intercepted. There are no SMS messages to intercept and no app for malware to compromise.
Adding U2F support "improves the security of GitHub for all our users," said Shawn Davenport, senior vice president of security at GitHub.
U2F-compliant hardware keys, such as the YubiKey, plug into the USB port and require only a simple touch of the finger to trigger the public/private key exchange. Since U2F is natively supported in platforms and browsers, there is no need for separate software drivers or third-party client software.
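To make the phishing-resistance claim above concrete, here is an added example (not GitHub's or Yubico's code) that models the U2F challenge-response in Go with a real P-256 key pair from the standard library. The `Token` type stands in for the hardware key, the `Server` for the relying party, and the browser's role is reduced to passing the origin it actually loaded into `Sign`. The origin `https://github.com.example-login.test` is a constructed look-alike for the phishing case; key handles, attestation and the user-presence byte of the real protocol are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token is a simplified stand-in for a U2F hardware key: one fresh key pair
// per registered origin plus a signature counter. Private keys never leave it.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // indexed by the origin the key was registered for
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key pair bound to origin and returns only the public half.
func (t *Token) Register(origin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t.keys[origin] = priv
	return &priv.PublicKey
}

// Assertion is what the browser hands back to the server after the touch.
type Assertion struct {
	Origin  string // origin the browser reported to the token
	Counter uint32
	Sig     []byte
}

// signedMessage is the digest both sides sign/verify: built from
// sha256(origin) || counter || sha256(challenge), following the U2F layout.
func signedMessage(origin string, counter uint32, challenge []byte) []byte {
	originHash := sha256.Sum256([]byte(origin))
	chalHash := sha256.Sum256(challenge)
	msg := append([]byte{}, originHash[:]...)
	msg = binary.BigEndian.AppendUint32(msg, counter)
	msg = append(msg, chalHash[:]...)
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Sign is the "touch the key" step. The token only holds keys for origins it
// registered with, so a look-alike site on another origin gets nothing to relay.
func (t *Token) Sign(origin string, challenge []byte) (Assertion, error) {
	priv, ok := t.keys[origin]
	if !ok {
		return Assertion{}, errors.New("no key registered for origin " + origin)
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(origin, t.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Counter: t.counter, Sig: sig}, nil
}

// Server is the relying party: its own origin, the user's public key and the
// last counter it accepted.
type Server struct {
	Origin      string
	PubKey      *ecdsa.PublicKey
	LastCounter uint32
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts an assertion only if it is bound to this server's origin,
// signs the challenge just issued, and carries a counter higher than the last.
func (s *Server) Verify(challenge []byte, a Assertion) error {
	if a.Origin != s.Origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", a.Origin, s.Origin)
	}
	if a.Counter <= s.LastCounter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	if !ecdsa.VerifyASN1(s.PubKey, signedMessage(s.Origin, a.Counter, challenge), a.Sig) {
		return errors.New("bad signature")
	}
	s.LastCounter = a.Counter
	return nil
}

// Demo runs a genuine login, a relay attempt from a constructed look-alike
// origin, and a replay of the first assertion; it returns the three outcomes.
func Demo() (legit, phish, replay error) {
	token := NewToken()
	srv := &Server{Origin: "https://github.com"}
	srv.PubKey = token.Register(srv.Origin)

	ch := srv.NewChallenge() // 1. genuine login from the real origin
	a, err := token.Sign(srv.Origin, ch)
	if err != nil {
		return err, nil, nil
	}
	legit = srv.Verify(ch, a)

	ch2 := srv.NewChallenge() // 2. attacker relays the challenge; browser reports the look-alike origin
	_, phish = token.Sign("https://github.com.example-login.test", ch2)

	ch3 := srv.NewChallenge() // 3. old assertion resent against a new challenge
	replay = srv.Verify(ch3, a)
	return legit, phish, replay
}

func main() {
	legit, phish, replay := Demo()
	fmt.Println("legit:", legit, "| phish:", phish, "| replay:", replay)
}
```

Running `Demo` shows the three properties the article attributes to U2F: the genuine login verifies, the look-alike origin cannot obtain a signature at all because no key was registered for it, and a captured assertion fails on resend because the counter has not advanced and the challenge has changed.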
All Universe attendees received a token which they can exchange for their own YubiKey. The first 5,000 GitHub users to order a YubiKey via the special offer page will be able to purchase the special edition key for $5. All GitHub users -- 95,000 or so strong -- and students will be eligible for a 20 percent discount on the price of a YubiKey. To be eligible for the promotion, users must first verify they have a GitHub account.
Developers who already have a YubiKey, perhaps to access accounts on other FIDO U2F-compliant services such as Google and Dropbox, will be able to continue using the same key, so long as the model is U2F compliant. "The more places you can use the key, the better it is for authentication," Davenport said.
GitHub currently offers multiple two-factor authentication schemes, including sending one-time passcodes over SMS and using the Google Authenticator app. The new U2F support will not change those methods, and developers who prefer them won't be forced to switch. They can continue using their phones as their second factor and not worry about having to carry a key at all times. Those users who find it time-consuming or frustrating to first unlock their devices, launch the app, and then read off the code may prefer the one-touch aspect of the YubiKey.
GitHub is committed to providing users with improved user experience, while still recognizing user preferences, Davenport said.