Earlier this week, I discovered that GitHub supports two factor authentication, and I emailed all my coworkers, explaining what it is, why it is important, and how it works. Since I’ve already done the leg-work, I figured I should post it here, too.
What is Two Factor Authentication?
There are 3 different types of authentication:
- Knowing something – typically this is a password or pin
- Having something – RSA keychain tokens
- Being something – biometrics; fingerprint scanners
Most websites only require one factor authentication, and that one factor is always knowing something: your password. Two factor authentication means (in most cases) that you know something and you have something.
Why is enabling it good / worth your time?
ALL of our code, is in GitHub. This means our company’s proprietary code is only as safe as the weakest password any of us uses to log in to GitHub. By enabling two factor authentication, it becomes significantly more difficult for someone other than you to get into GitHub under your account.
If the second factor is having something, what is it I need to have?
Two factor authentication on GitHub can be done in one of two ways, but regardless, the answer is the same: your phone.
- Text-based two factor authentication
- App-based two factor authentication
How does two factor authentication work?
- Text-based – You sign into GitHub, and enable text-based two factor auth. The next time you log in, you enter your username and password as always. However, if you get it right, instead of being logged in, you are taken to a second page. On the page is a single input field. GitHub will text your phone with a code. Enter that code into the box. If the code is correct, then you will proceed in the same way as before after only entering username / password.
- App-based – Sign into GitHub, and enable app-based two-factor authentication. Download a two factor auth app on your phone. The GitHub page will show a QR code and an input box. Open the two factor auth app on your phone, and use it to scan the QR code. The app will then show a 6 digit pin on a countdown timer. Enter the code into the GitHub page before the timer runs out. (If the timer does run out, don’t worry, you aren’t locked out. But the 6 digit pin will rotate to a new number, and you’ll enter that pin instead.) Once app-based two factor auth is enabled, you sign into GitHub using your username / password, and you will be taken to a screen with a single input field. Open the two factor auth app on your phone, and then type the displayed code into the GitHub page’s field (similar to when you enabled it). If it validates, you will proceed as usual.
Where do I go to turn this on?
- Go to Github.com
- Click account settings on the top right of the page.
- Click Account settings on the left menu.
- Look for the Two-factor authentication section, and follow the steps on screen.
Which app should I use for app-based two factor auth on my phone?
I use Google Authenticator. It’s free, and I’ve never had an issue with it (on Android). They recently released an iPhone version which broke authentication for a while, but it was rolled back the same day.
Will I have to do this EVERY time I go to GitHub?
NO. You only have to do it when you log in. As long as you don’t log out, you won’t have to jump through any extra hoops.
What other sites / services support two factor auth?
- Amazon AWS
Do I need extra apps for this?
No. Aside from Twitter, all of the services listed above are compatible with Google Authenticator. Twitter’s two factor auth is a little weird, but it uses the Twitter mobile app on your phone to log you into the website.