Author Topic: GitHub starts enforcing 2FA  (Read 2904 times)


Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7949
  • Country: de
  • A qualified hobbyist ;)
GitHub starts enforcing 2FA
« on: March 10, 2023, 01:38:33 pm »
GitHub to require 2FA for all contributors starting from March 13: https://techcrunch.com/2023/03/09/github-to-require-2fa-for-all-contributors-starting-from-march-13-to-secure-the-software-supply-chain/

Nice and simple TOTP tool for linux: OTPClient
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2084
  • Country: us
Re: GitHub starts enforcing 2FA
« Reply #1 on: March 10, 2023, 05:30:03 pm »
If someone doesn't have a smartphone or other mobile device, and is running Windows on his laptop, is there a way to set up 2FA at Github, or is he just SOL?
 

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7949
  • Country: de
  • A qualified hobbyist ;)
Re: GitHub starts enforcing 2FA
« Reply #2 on: March 10, 2023, 05:34:47 pm »
There are also plenty of TOTP tools for windows, e.g. 2fast (https://github.com/2fast-team/2fast).
 
The following users thanked this post: SiliconWizard

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1286
  • Country: pl
Re: GitHub starts enforcing 2FA
« Reply #3 on: March 10, 2023, 06:27:18 pm »
On March 13th GitHub starts rolling it out. The first wave of enforcement will not apply before July.

People imagine AI as T1000. What we got so far is glorified T9.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 642
  • Country: fi
Re: GitHub starts enforcing 2FA
« Reply #4 on: March 10, 2023, 07:05:31 pm »
It's also convenient to use SSH protocol.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14893
  • Country: fr
Re: GitHub starts enforcing 2FA
« Reply #5 on: March 10, 2023, 07:38:38 pm »
> It's also convenient to use SSH protocol.

Can SSH be used without 2FA?
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14893
  • Country: fr
Re: GitHub starts enforcing 2FA
« Reply #6 on: March 10, 2023, 07:43:05 pm »
Currently, to push to a repo you need your username, and github token as a password.
How will 2FA work when using command-line tools?
 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 3796
  • Country: us
Re: GitHub starts enforcing 2FA
« Reply #7 on: March 10, 2023, 07:55:51 pm »
To command line push to a repo with mandatory 2FA, I believe you currently need to use the git/ssh protocol instead of https and you need to authorize your ssh public key to your account which functions as the "second factor" although it's actually only one factor as it doesn't ask for your account password when you push.
 

Offline mwb1100

  • Frequent Contributor
  • **
  • Posts: 529
  • Country: us
Re: GitHub starts enforcing 2FA
« Reply #8 on: March 10, 2023, 08:15:04 pm »
Enabling 2FA on github affects pushing to/pulling from a repository only if you are using HTTPS as the git protocol.  If you're using SSH already it will be unaffected.

For pushing/pulling with HTTPS you will need to generate an HTTPS "token" to use as the password instead of using your web account's password.

See the following for details:

  - Using two-factor authentication with the command line
  - Creating a personal access token

The "Using two-factor authentication with the command line" page also talks about Git Credential Manager. As far as I know, that doesn't change what I said above - what it does is allow git to remember the HTTPS access token for a repository so after the first use you won't have to copy/paste it into an authentication dialog again.
« Last Edit: March 10, 2023, 08:20:24 pm by mwb1100 »
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14893
  • Country: fr
Re: GitHub starts enforcing 2FA
« Reply #9 on: March 10, 2023, 08:27:12 pm »
> Enabling 2FA on github affects pushing to/pulling from a repository only if you are using HTTPS as the git protocol.  If you're using SSH already it will be unaffected.
>
> For pushing/pulling with HTTPS you will need to generate an HTTPS "token" to use as the password instead of using your web account's password.

That's what I've already been doing, then. So, no change as far as I'm concerned.
I'm a bit failing to see how that is 2FA, though. The token just has a limited lifetime that you can adjust, but that's still just like a password. It's just one that github generates for you.

And you either need to type the token for every freaking command line (I c/c it, but that's still annoying), or store it in some configuration file in clear, which I don't do as it's horrific in terms of security.

 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1286
  • Country: pl
Re: GitHub starts enforcing 2FA
« Reply #10 on: March 10, 2023, 09:16:00 pm »
As far as I understand, the change only applies to the cases using weak authentication. Not SSH, which is not vulnerable to service-side leaks, uses two factors by design, and provides resistance against phishing.

For most users this means: using the webapp. This is the primary reason to have an account on GitHub, but the change seems to not be preventing e.g. pushes by designated collaborators.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline mwb1100

  • Frequent Contributor
  • **
  • Posts: 529
  • Country: us
Re: GitHub starts enforcing 2FA
« Reply #11 on: March 10, 2023, 09:36:11 pm »
"Classic" github tokens are about 36 random characters long.
Newer "fine-grained" tokens are about 80 random characters long.

These are *much* stronger than your typical web account password.

Also I was wrong about what I said for Git Credential Manager. The basic "git credential store" stores passwords in a plaintext file (I'd still argue that a plaintext file on a local machine with a long random password is generally still more secure than using a web account password in most cases).  However the "Git Credential Manager" (sometimes referred to as "Git Credential Manager Core") is a separate project that adds credential management using a system's secure storage (ie., the Windows Credential Manager on Windows) as well as supports actual 2FA authentication.

From the GCM readme:

Quote
when pushing (git push) to Azure DevOps, Bitbucket, or GitHub, a window will automatically open and walk you through the sign-in process. (This process will look slightly different for each Git host, and even in some cases, whether you've connected to an on-premises or cloud-hosted Git host.) Later Git commands in the same repository will re-use existing credentials or tokens that GCM has stored for as long as they're valid

If locally stored plaintext passwords are a concern you should look into Git Credential Manager.

  - Git Credential Manager: authentication for everyone

Another thing I forgot: Git for Windows includes GCM now, so you might be using it already if you're on Windows.
« Last Edit: March 10, 2023, 10:04:03 pm by mwb1100 »
 
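Reply #11's distinction between the plain `git credential store` helper (tokens in a plaintext ~/.git-credentials file) and helpers that hand the secret to the OS secret store, turned into a check you can run locally. This is an added example, not code from the thread or from the Git Credential Manager project. It parses the two files git consults, classifies every credential.helper by where the secret ends up, and lists any stored GitHub tokens with the secret redacted. The ghp_ / github_pat_ / gho_ prefixes are GitHub's published token formats; the function names, the sample gitconfig and the sample tokens are constructed for the example, the gitconfig parser ignores include directives and continuation lines, and the entropy figure is an upper bound (GitHub's format spends the trailing characters on a checksum).

```python
"""Audit how git stores HTTPS credentials on this machine (standard library only).
Added example: parses ~/.gitconfig credential.helper settings and a plaintext
~/.git-credentials file; sample inputs below are constructed, not real secrets."""
import math
import os
import re
from urllib.parse import unquote, urlsplit

SECTION_RE = re.compile(r'^\s*\[([^\]\s"]+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# helper name -> where the secret ends up
HELPER_CLASS = {
    "store": "plaintext-file",          # ~/.git-credentials, readable by any process running as you
    "cache": "memory-timeboxed",        # git-credential-cache daemon, default timeout 900 s
    "manager": "os-secret-store",       # Git Credential Manager (GCM)
    "manager-core": "os-secret-store",  # older GCM name
    "osxkeychain": "os-secret-store",
    "wincred": "os-secret-store",
    "libsecret": "os-secret-store",
}
# GitHub's published token prefixes (classic PAT, fine-grained PAT, OAuth token)
TOKEN_KINDS = [("github_pat_", "fine-grained PAT"), ("ghp_", "classic PAT"), ("gho_", "OAuth token")]


def parse_gitconfig(text):
    """Yield (section, subsection, key, value). Comments are skipped; includes and
    continuation lines are not handled (enough for credential.* stanzas)."""
    section = subsection = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            continue
        m = KEY_RE.match(line)
        if m and section:
            yield section, subsection, m.group(1).lower(), m.group(2)


def _helper_base(value):
    """'store', '/usr/lib/git-core/git-credential-libsecret', '!cmd' -> bare helper name."""
    parts = value.split()
    base = os.path.basename(parts[0].lstrip("!")) if parts else ""
    return base[len("git-credential-"):] if base.startswith("git-credential-") else base


def credential_helpers(gitconfig_text):
    """Return [(scope, helper_as_written, storage_class)] for every credential.helper entry."""
    out = []
    for section, sub, key, value in parse_gitconfig(gitconfig_text):
        if section == "credential" and key == "helper":
            out.append((sub or "*", value, HELPER_CLASS.get(_helper_base(value), "unknown")))
    return out


def classify_token(token):
    """Identify a GitHub token by prefix; entropy is len(random part) * log2(62), an upper bound."""
    for prefix, kind in TOKEN_KINDS:
        if token.startswith(prefix):
            return kind, (len(token) - len(prefix)) * math.log2(62)
    return "not a GitHub token", 0.0


def scan_credentials_file(text):
    """Parse ~/.git-credentials lines (https://user:secret@host); secrets are redacted in the report."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        u = urlsplit(line)
        if not u.password:
            continue
        secret = unquote(u.password)
        kind, bits = classify_token(secret)
        findings.append({"host": u.hostname, "user": unquote(u.username or ""), "kind": kind,
                         "entropy_bits_max": round(bits), "redacted": secret[:8] + "..." + secret[-4:]})
    return findings


def audit(gitconfig_text, credentials_text):
    """Combine both files: plaintext_risk is True if 'store' is configured or tokens are on disk."""
    helpers = credential_helpers(gitconfig_text)
    tokens = scan_credentials_file(credentials_text)
    risky = any(cls == "plaintext-file" for _, _, cls in helpers) or bool(tokens)
    return {"helpers": helpers, "stored_tokens": tokens, "plaintext_risk": risky}


# Constructed sample inputs (not real files, not real tokens)
SAMPLE_GITCONFIG = "[user]\n\tname = Example\n[credential]\n\thelper = store\n" \
                   "[credential \"https://github.com\"]\n\thelper = manager\n"
SAMPLE_CLASSIC = "ghp_" + "x" * 36
SAMPLE_FINE = "github_pat_" + "y" * 82
SAMPLE_CREDENTIALS = f"https://octocat:{SAMPLE_CLASSIC}@github.com\nhttps://octocat:{SAMPLE_FINE}@github.com\n"


def _read(path):
    return open(path, encoding="utf-8").read() if os.path.exists(path) else ""


if __name__ == "__main__":
    home = os.path.expanduser("~")
    print(audit(_read(os.path.join(home, ".gitconfig")), _read(os.path.join(home, ".git-credentials"))))
```

Run it as-is to inspect your own machine; `plaintext_risk` going True means either `helper = store` is active somewhere or a ~/.git-credentials file already holds tokens, which is exactly the situation Reply #11 suggests replacing with GCM or another OS-backed helper.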

Offline alm

  • Super Contributor
  • ***
  • Posts: 2903
  • Country: 00
Re: GitHub starts enforcing 2FA
« Reply #12 on: March 10, 2023, 10:38:35 pm »
> If someone doesn't have a smartphone or other mobile device, and is running Windows on his laptop, is there a way to set up 2FA at Github, or is he just SOL?
Many password managers that you might use, like Keepass, or 1Password, can also function as TOTP generator. Of course you should evaluate the security implications of this. It's definitely a step down from having the secret stored on a separate device (mobile phone).

> "Classic" github tokens are about 36 random characters long.
> Newer "fine-grained" tokens are about 80 random characters long.
>
> These are *much* stronger than your typical web account password.
And SSH private keys are much longer than that. And it is an asymmetric system, so the private key is never transmitted. Plus SSH keys have the ability to protect them with a passphrase (two factor) and optionally remembering this passphrase for the duration of the session built in. I don't understand jumping through so many hoops just to be able to use HTTPS, unless you are behind a very restrictive firewall. But Github allows SSH over port 443, so even that's not a very convincing argument. What advantage do you see of using HTTPS instead of SSH for authenticated access?

> However the "Git Credential Manager" (sometimes referred to as "Git Credential Manager Core") is a separate project that adds credential management using a system's secure storage (ie., the Windows Credential Manager on Windows) as well as supports actual 2FA authentication.
Until you run into an URL of more than 256 characters (happens with some automatically-generated URLs), then the Windows Credential Manager is useless and you have to fall back to plain text store. I haven't seen this issue on Linux or Mac, fortunately.
« Last Edit: March 11, 2023, 12:38:31 am by alm »
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1286
  • Country: pl
Re: GitHub starts enforcing 2FA
« Reply #13 on: March 11, 2023, 05:47:29 am »
> And SSH private keys are much longer than that. And is an asymmetric system, so the private key is never transmitted. Plus SSH keys have the ability to protect them with a passphrase (two factor) and optionally remembering this passphrase for the duration of the session built in.
Just to be clear, what are the numbers: typical SSH keys are 240–512 bits, an 80-character token is 376–480 bits. So the entropy is in both cases in a similar range.

> I don't understand jumping through so many hoops just to be able to use HTTPS, unless you are behind a very restrictive firewall. But Github allows SSH over port 443, so even that's not a very convincing argument. What advantage do you see of using HTTPS instead of SSH for authenticated access?
The primary reason to even use GitHub are features outside of the Git itself. These are available only through their webapp or, at most, HTTPS-only API. SSH is also a solution inaccessible to most of GitHub audience.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline mwb1100

  • Frequent Contributor
  • **
  • Posts: 529
  • Country: us
Re: GitHub starts enforcing 2FA
« Reply #14 on: March 11, 2023, 08:31:50 am »

> "Classic" github tokens are about 36 random characters long.
> Newer "fine-grained" tokens are about 80 random characters long.
>
> These are *much* stronger than your typical web account password.
> And SSH private keys are much longer than that. And is an asymmetric system, so the private key is never transmitted. Plus SSH keys have the ability to protect them with a passphrase (two factor) and optionally remembering this passphrase for the duration of the session built in. I don't understand jumping through so many hoops just to be able to use HTTPS, unless you are behind a very restrictive firewall. But Github allows SSH over port 443, so even that's not a very convincing argument. What advantage do you see of using HTTPS instead of SSH for authenticated access?

I do generally use SSH and understand that it is better than HTTPS tokens in most ways.  I'm just explaining reasons why the HTTPS tokens are more secure than using the web account credentials.  Clearly a lot of people use HTTPS access, or github, gitlab and other git hosting outfits wouldn't jump through hoops to support it.  People who use Windows are generally unfamiliar with SSH, and as an example several people I work with use HTTPS for github and gitlab access.  I might suggest or encourage using SSH, but I'm not going to force anyone else to use SSH.

> However the "Git Credential Manager" (sometimes referred to as "Git Credential Manager Core") is a separate project that adds credential management using a system's secure storage (ie., the Windows Credential Manager on Windows) as well as supports actual 2FA authentication.
> Until you run into an URL of more than 256 characters (happens with some automatically-generated URLs), then the Windows Credential Manager is useless and you have to fall back to plain text store. I haven't seen this issue on Linux or Mac, fortunately.

I wasn't aware of that limitation.  Do you have a pointer to more information about this behavior?  I can't find any issue or discussion topic about it at the https://github.com/git-ecosystem/git-credential-manager site.
 

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7949
  • Country: de
  • A qualified hobbyist ;)
Re: GitHub starts enforcing 2FA
« Reply #15 on: March 11, 2023, 11:22:55 am »
I'm also using ssh for accessing repos and created a dedicated key set for GitHub. In openssh it's easy to tie a key to a specific domain (.ssh/config):
Code: [Select]
# dedicated key for GitHub
Host github.com
  User git
  IdentityFile ~/.ssh/myGitHubKey
  IdentitiesOnly yes
  UpdateHostKeys yes

IIRC, you can alternatively change the git settings of the local repo copy to use a specific ssh key. It's just less convenient.
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2084
  • Country: us
Re: GitHub starts enforcing 2FA
« Reply #16 on: March 11, 2023, 02:39:18 pm »
I have 10 Github repos, but have never installed git or any github web app.  I just use my browser in Windows to create and modify the repos on the site.  Can someone clarify if the 2FA requirement will apply to me, and if so how I can satisfy it.  I don't use a mobile device.  2fast was mentioned earlier, but Github's explanation of 2FA says a phone is required.

 > For GitHub, the second form of authentication is a code
 > that's generated by an application on your mobile device or
 > sent as a text message (SMS). After you enable 2FA, GitHub
 > generates an authentication code any time someone attempts
 > to sign into your account on GitHub.com. The only way
 > someone can sign into your account is if they know both
 > your password and have access to the authentication code on
 > your phone.

 

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1607
  • Country: ua
Re: GitHub starts enforcing 2FA
« Reply #17 on: March 11, 2023, 02:42:36 pm »
> SSH is also a solution inaccessible to most of GitHub audience.
This is an interesting statement.

I thought GitHub was used mostly by programmers. Was I wrong?
 

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7949
  • Country: de
  • A qualified hobbyist ;)
Re: GitHub starts enforcing 2FA
« Reply #18 on: March 11, 2023, 03:49:33 pm »
> I don't use a mobile device.  2fast was mentioned earlier, but Github's explanation of 2FA says a phone is required.

It's explained here: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication

Your second factor can be:
- TOTP (app on mobile device, PC or whatever)
- SMS

And after setting up 2FA with TOTP or SMS you can add additionally:
- security key
- GitHub Mobile app
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2084
  • Country: us
Re: GitHub starts enforcing 2FA
« Reply #19 on: March 11, 2023, 04:04:16 pm »
Maybe it's just shorthand, and not literally true, but they talk only about a "TOTP mobile app".
 

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1607
  • Country: ua
Re: GitHub starts enforcing 2FA
« Reply #20 on: March 11, 2023, 04:12:14 pm »
> Maybe it's just shorthand, and not literally true, but they talk only about a "TOTP mobile app".
TOTP is just an algorithm. Any computer can be programmed to run it.
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2240
  • Country: 00
Re: GitHub starts enforcing 2FA
« Reply #21 on: March 11, 2023, 04:50:26 pm »
> GitHub to require 2FA for all contributors starting from March 13: https://techcrunch.com/2023/03/09/github-to-require-2fa-for-all-contributors-starting-from-march-13-to-secure-the-software-supply-chain/
>
> Nice and simple TOTP tool for linux: OTPClient

Thanks but I moved everything from github to Gitlab.
I stay away from tech giants because they are arrogant and do whatever they like.
The last thing I'll do is giving them my telephone number.
 

Offline jonovid

  • Super Contributor
  • ***
  • Posts: 1469
  • Country: au
    • JONOVID
Re: GitHub starts enforcing 2FA
« Reply #22 on: March 11, 2023, 05:13:41 pm »
Look for other open source software development project sites not owned by tech giant MS.
Hobbyist with a basic knowledge of electronics
 

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7949
  • Country: de
  • A qualified hobbyist ;)
Re: GitHub starts enforcing 2FA
« Reply #23 on: March 11, 2023, 05:18:53 pm »
> Maybe it's just shorthand, and not literally true, but they talk only about a "TOTP mobile app".

Apparently they assume that the second factor should be on a different device. However, as shapirus mentioned, TOTP is a standard described in RFC6238. You can even run that on an Arduino (https://github.com/lucadentella/TOTP-Arduino).
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2084
  • Country: us
Re: GitHub starts enforcing 2FA
« Reply #24 on: March 11, 2023, 05:25:23 pm »
For Arduino?  Now I'm interested.
 
