GitHub is hosting its first user conference, GitHub Universe, today. One of the announcements the company made at the event is that it’s launching support for FIDO Universal 2nd Factor (U2F) security keys from companies like Yubico and others today.
These physical USB keys automatically generate a second-factor code for you when you plug them in, so you don’t have to type in a six-digit code from Google Authenticator, Authy and similar apps anymore.
Two-factor authentication already makes it very hard for attackers to launch a phishing or man-in-the-middle attack against you, but they can’t completely eradicate this thread either. Using a U2F security key adds another layer of protection because the key won’t exchange information with any other site but the one you already authorized when you first set it up. Currently, all of this only works with Google Chrome, though, because other browsers don’t feature built-in U2F support yet.
GitHub already supported two-factor authentication through apps like Authenticator and over SMS. As the company’s VP of security Shawn Davenport told me, about 300,000 of GitHub’s 11 million users currently use two-factor authentication. To increase this number - and jumpstart the adoption of security keys on GitHub - the company has partnered with Yubico and it’s allowing the first 5,000 buyers to purchase keys for $5 and is offering a 20 percent discount for those who miss the cutoff.
Davenport also told that the company started to run into a number of issues with supporting two-factor authentication lately. Sending SMS internationally, for example, is still somewhat unreliable. Users also often upgrade their phones and then forget to transfer their security tokens between phones, so the authenticator apps don’t work.
Yubico CEO and founder Stina Ehrensvard noted that GitHub is now her company’s third major partner for getting U2F keys into the market. The first were Google and Dropbox. As she told, the company is seeing “good momentum” from these partnerships. She argues that what’s missing right now for even wider adoption, though, is support from other browser vendors. Yubico is talking to Mozilla and Microsoft, but “they are not moving very fast,” as Ehrensvard said.
These physical USB keys automatically generate a second-factor code for you when you plug them in, so you don’t have to type in a six-digit code from Google Authenticator, Authy and similar apps anymore.
Two-factor authentication already makes it very hard for attackers to launch a phishing or man-in-the-middle attack against you, but they can’t completely eradicate this thread either. Using a U2F security key adds another layer of protection because the key won’t exchange information with any other site but the one you already authorized when you first set it up. Currently, all of this only works with Google Chrome, though, because other browsers don’t feature built-in U2F support yet.
GitHub already supported two-factor authentication through apps like Authenticator and over SMS. As the company’s VP of security Shawn Davenport told me, about 300,000 of GitHub’s 11 million users currently use two-factor authentication. To increase this number - and jumpstart the adoption of security keys on GitHub - the company has partnered with Yubico and it’s allowing the first 5,000 buyers to purchase keys for $5 and is offering a 20 percent discount for those who miss the cutoff.
Davenport also told that the company started to run into a number of issues with supporting two-factor authentication lately. Sending SMS internationally, for example, is still somewhat unreliable. Users also often upgrade their phones and then forget to transfer their security tokens between phones, so the authenticator apps don’t work.
Yubico CEO and founder Stina Ehrensvard noted that GitHub is now her company’s third major partner for getting U2F keys into the market. The first were Google and Dropbox. As she told, the company is seeing “good momentum” from these partnerships. She argues that what’s missing right now for even wider adoption, though, is support from other browser vendors. Yubico is talking to Mozilla and Microsoft, but “they are not moving very fast,” as Ehrensvard said.
0 comments:
Post a Comment