GitHub and Yubico pioneer U2F authentication globally

Available to 11 million developers since October 2015.

Industry

Technology

Protocols

U2F

Products

All YubiKey Form Factors

Deployment

Employees and developer community

About GitHub

Founded in 2008, GitHub has grown to become one of the largest developer communities in the world. Today, the site boasts more than 11 million users working on almost 27 million projects. To help ensure the security of all these projects, GitHub announced support for two-factor authentication with U2F-certified YubiKeys in October 2015.



The need for 2FA security to defend against phishing attacks

“Security is, without a doubt, the most important thing we do at GitHub. Our entire job is to ensure the privacy and confidentiality of the code that our users entrust us with,” said Shawn Davenport, Vice President of Security at GitHub. The company, which hosts Universal Two Factor (U2F) open-source libraries as part of the GitHub repositories, adopted the U2F two factor standard for its platform. The goal was to provide U2F keys to employees and thousands of developers worldwide.

GitHub’s volume of sensitive data demands proactive efforts to constantly improve security and access controls. In September 2013, GitHub introduced two-factor authentication (2FA) with SMS and TOTP in an effort to elevate GitHub’s security posture. One of the drawbacks was the low reliability and usability of these methods at that time. In addition, they did not protect against modern hacker techniques, such as phishing and man-in-the-middle attacks.


“Here at GitHub we want to make U2F truly universal. U2F helps security by bringing a very user-friendly, easy-to-use device to end users and developers and provid­ing strong, hardware-backed, multifactor authenti­cation.”

—Shawn Davenport, VP of Security at GitHub


YubiKey simplifies the development of two factor U2F security

In October 2014, the security team at GitHub discovered the YubiKey and began working to incorporate support for it within their platform.  The team modified the Chrome extensions to support internal testing for GitHub’s development URLs. Github then worked to enroll the U2F key registration in the database, simplify user registration, and enable user authentication flows developed through Ruby on Rails. The project eventually included multiple key pair registration and the ability to add nicknames to each key pair registration, which provided an easy way to identify where each key could be used. A user interface was also developed to help simplify registration for the U2F protocol.

GitHub used Yubico’s self-service model, reference code from the Yubico developer website, and Google reference code to quickly implement the solution. Yubico and GitHub worked together to verify user flows and create an optimized user experience.



From internal beta to global deployment in just months

After a very successful pilot project with the GitHub staff, GitHub released U2F-backed strong authentication using the YubiKey to its community of 11 million developers in October 2015. The success of GitHub’s deployment clearly illustrates how quickly the YubiKey can scale to support millions of users around the world. “The YubiKey devices are durable, easy to use, and they bring strong authentication to the user,” said Davenport. “GitHub hopes to make U2F truly universal, first by adopting the standard for our platform, but then also to provide the YubiKey to tens of thousands of developers worldwide.”