Two-factor authentication for GitHub repositories just got a little more universal.
GitHub expanded its authentication system to support the FIDO Universal 2nd Factor (U2F) standard in order to offer developers a hardware-backed alternative to existing login methods, the company announced Thursday at its GitHub Universe event in San Francisco. The largest code-based cloud repository is teaming up with security company Yubico, co-creator of the U2F standard, to provide developers with U2F-compliant hardware keys.
The standard was designed to address phishing and man-in-the-middle attacks. As a hardware-backed system, it has an advantage of software systems such as the Google Authenticator app because the private keys cannot be intercepted. There are no SMS messages to intercept, no malware to compromise the app.
Adding U2F support "improves the security of GitHub for all our users," said Shawn Davenport, senior vice president of security at GitHub.
U2F-compliant hardware keys, such as the YubiKey, plugs into the USB port and just requires a simple touch of the finger to trigger the public/private key exchange. Since U2F is natively supported in platforms and browsers, there's no need for separate software drivers or installing third-party client software.
All Universe attendees received a token which they can exchange for their own YubiKey. The first 5,000 GitHub users to order a YubiKey via the special offer page will be able to purchase the special edition key for $5. All GitHub users -- 95,000 or so strong -- and students will be eligible for a 20 percent discount on the price of a YubiKey. To be eligible for the promotion, users must first verify they have a GitHub account.
Developers who already have a YubiKey, perhaps to access accounts on other FIDO U2F-compliant services such as Google and Dropbox, will be able to continue using the same key, so long as the model is U2F compliant. "The more places you can use the key, the better it is for authentication," Davenport said.
GitHub currently offers multiple two-factor authentication schemes, including sending one-time passcodes over SMS messages and using the Google Authenticator app. The new U2F support will not change those methods, and developers who prefer existing methods won't be forced to switch. They can continue using their phones as their second factor and not worry about having to carry a key at all times. Those users who find it time-consuming or frustrating to first unlock their devices, launch the app, and then get the key, may prefer the one-touch aspect of the YubiKey.
GitHub is committed to providing users with improved user experience, while still recognizing user preferences, Davenport said.
The most interest for two-factor authentication has been among U.S.-based developers and their European counterparts, and Davenport expects the same pattern of adoption with the YubiKey. There were several reasons for lower adoption in other regions -- such as India and Latin America -- including the challenges of sending SMS messages internationally. Yubico does ship keys around the world, so adding U2F to GitHub may help address some of those reasons in those regions.
GitHub wants this announcement to be the "catalyst to use U2F around the world," Davenport said.
Developers are also encouraged to build in U2F support in their own applications. At the moment, GitHub is supporting U2F only for logging in, but Davenport said GitHub and Yubico are discussing other potential areas of integration, such as maintaining code integrity and code signing. In fact, there is an internal project at Yubico where developers use the YubiKey's PGP functionality to sign their code. Although the process is "not quite yet one-touch" and the user experience needs more work, it highlights different ways the YubiKey can be used, said Stina Enhrensvard, CEO and founder of Yubico.
GitHub is turning on U2F support for both the cloud-based GitHub.com as well as GitHub Enterprise, the on-premise version of the code repository. Enterprise users would register their keys with their repositories in order to use them, Davenport said.
As breaches have repeatedly shown, just passwords are not enough for securing accounts or keeping data secure. With U2F, the goal is to move developers and companies away from "default" security to "better" security, Enhrensvard said. Hardware-based alternatives make it simple to put simple, scalable public key cryptography in the hands of millions of Internet users. With GitHub, it's a more secure repository, one developer and one key at a time.