GitHub Improves Two-Factor Security With U2F

GitHub embraces the FIDO standard and aims to get Yubico U2F keys into as many developer hands as it can.

GitHub has emerged in recent years to become the de facto standard location for developers to launch new code projects and engage with potential contributors. With all that code in one place, GitHub is also an attractive target for attackers, with password security often being the weak link. In an effort to secure itself and its users, GitHub today is announcing its support of the FIDO (Fast Identity Online) Universal 2nd Factor standard and is engaging with U2F hardware vendor Yubico to help make keys more easily accessible and available.

The FIDO Alliance is a multi-stakeholder effort with more than 150 member companies, including Bank of America, MasterCard and Visa, as well as Google and Qualcomm. The goal of the U2F standard, which officially hit the 1.0 milestone in December 2014, is to enable a hardware-secured mechanism for two-factor authentication. The U2F hardware is typically available in the form of a USB device that includes the secure hardware token. One such device is the YubiKey built and sold by Yubico.

GitHub has had two-factor authentication in place for several years, supporting Google Authenticator and SMS-based deployments, said Shawn Davenport, GitHub's vice president of security. With Google Authenticator, a one-time password is generated on the user's device; with SMS, the user is sent a one-time password via SMS on their mobile device. Although GitHub provides two-factor authentication, Davenport admitted that usage of existing two-factor systems is relatively low among GitHub users.

"We have approximately 300,000 users with some form of two-factor authentication today, either Google Authenticator or SMS-based," Davenport told eWEEK. "We have over 11 million users, so adoption of any form of two-factor authentication is low."

With the new U2F support, Davenport is optimistic that it will act as a catalyst to grow two-factor adoption overall. To help further spur adoption, GitHub and Yubico will be giving free YubiKey U2F keys to 1,000 attendees of the GitHub Universe conference today in San Francisco. The partnership between GitHub and Yubico is also offering a YubiKey to an initial 5,000 developers for only $5 per key, a substantial discount from the retail price of $18 per key. An additional 95,000 GitHub users will be able to get a YubiKey at a 20 percent discount.

"Unlike Google Authenticator or SMS, which is essentially free, there is a cost here," Davenport said. "Once we get widespread adoption of U2F across all major sites and services, at that point it will make even more sense for users to make the small investment in a U2F-compatible device."

For its part, Yubico has been trying to help organizations easily deploy U2F. Stina Ehrensvard, CEO and founder of Yubico, said her company already has millions of users around the world that recognize the value of purchasing a security key. Among the organizations that Yubico has helped deploy two-factor authentication technology are the Linux Foundation and CERN.

"It's not a major cost, and it's not a recurring cost," Ehrensvard told eWEEK. "I'm not seeing that cost is a major barrier. The challenge is about getting U2F to work across as many sites as possible, and that's what we're working on now."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.