GitHub Improves Two-Factor Security With U2F
GitHub embraces the FIDO standard and aims to get Yubico U2F keys into as many developer hands as it can.
GitHub has emerged in recent years to become the de facto standard location for developers to launch new code projects and engage with potential contributors. With all that code in one place, GitHub is also an attractive target for attackers, with password security often being the weak link. In an effort to secure itself and its users, GitHub today is announcing its support of the FIDO (Fast Identity Online) Universal 2nd Factor standard and is engaging with U2F hardware vendor Yubico to help make keys more easily accessible and available.
The FIDO Alliance is a multi-stakeholder effort with more than 150 member companies, including Bank of America, MasterCard and Visa, as well as Google and Qualcomm. The goal of the U2F standard, which officially hit the 1.0 milestone in December 2014, is to enable a hardware-secured mechanism for two-factor authentication. The U2F hardware is typically available in the form of a USB device that includes the secure hardware token. One such device is the YubiKey built and sold by Yubico.
GitHub has had two-factor authentication in place for several years, supporting Google Authenticator and SMS-based deployments, said Shawn Davenport, GitHub's vice president of security. With Google Authenticator, a one-time password is generated on the user's device; with SMS, the user is sent a one-time password via SMS on their mobile device. Although GitHub provides two-factor authentication, Davenport admitted that usage of existing two-factor systems is relatively low among GitHub users. "We have approximately 300,000 users with some form of two-factor authentication today, either Google Authenticator or SMS-based," Davenport told eWEEK. "We have over 11 million users, so adoption of any form of two-factor authentication is low."
Davenport is optimistic that the new U2F support will act as a catalyst to grow two-factor authentication adoption overall. To help further spur adoption, GitHub and Yubico will be giving free YubiKey U2F keys to 1,000 attendees of the GitHub Universe conference today in San Francisco. The partnership between GitHub and Yubico is also offering a YubiKey to an initial 5,000 developers for only $5 per key, which is a substantial discount from the retail price of $18 per key. An additional 95,000 GitHub users will be able to get a YubiKey for a 20 percent discount.