Since 2008, GitHub has grown from 10,000 users to one of the largest developer communities in the world. Now, the site boasts more than 11 million users working on almost 27 million projects. To the outside world, GitHub is a source code repository hosting site used for code management and distributed revision control by a vibrant community of developers working on open source and other projects. Internally, however, GitHub focuses on encouraging and supporting security measures — such as two-factor authentication and the emerging open authentication standard, Universal 2nd Factor (U2F) — that keep accounts and data safe. GitHub announced support for two-factor authentication with U2F-certified YubiKeys from Yubico in October 2015.
Quotes by Shawn Davenport, Vice President of Security, and Ben Toews, Application Security Engineer, GitHub.
Deploying Strong Authentication
GitHub’s volume of sensitive data demands proactive efforts to constantly improve security and access controls. In September 2013, GitHub introduced two-factor authentication with SMS and TOTP in an effort to elevate GitHub’s security posture. One drawback was the reliability and usability of these methods. In addition, they did not protect against modern attack techniques, such as phishing and man-in-the-middle attacks, that are common in the current breach-filled world.
In October 2014, Ben Toews and the security team at GitHub took notice of Yubico’s release of the YubiKey NEO and YubiKey NEO-n, physical devices that promised hardware-based security and privacy. Shortly afterward, U2F support was incorporated into the Google Chrome browser, and Google adopted U2F technology to help its users protect their Gmail accounts.
Toews had a friend at Google who suggested he try to implement the U2F protocol for GitHub. The U2F protocol — co-authored by Yubico, Google, and NXP — is published and maintained by the FIDO Alliance, an organization of more than 200 member companies across all verticals.
Choosing the YubiKey for Two-factor Authentication
“Security is, without a doubt, the most important thing we do at GitHub. Our entire job is to ensure the privacy and confidentiality of the code that our users entrust us with,” said Shawn Davenport. “U2F helps security by bringing a very user-friendly, easy-to-use device to end users and developers, providing strong hardware-backed multi-factor authentication.”
The company, which hosts U2F open source libraries as part of the GitHub repositories, adopted the standard for its platform, including employees and the GitHub community, hoping to provide U2F keys to tens of thousands of developers worldwide.
Integrating the YubiKey
Toews initially worked to incorporate U2F earlier in 2014, prior to the protocol becoming native in Chrome in October 2014. The initial efforts were hampered by the immaturity of U2F support in the Chrome platform at the time, so Toews took another run at U2F in November 2014.
He tapped into open source U2F projects, used what they had developed, and fed his development back into the projects. He modified the Chrome extensions in order to complete internal testing against GitHub’s development URLs, and his team then worked on three areas: storing U2F key registrations in the database, the user registration flow, and the user authentication flow, all built on Ruby on Rails.
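To make the three areas above concrete, and to show why U2F resists the phishing and man-in-the-middle attacks that SMS and TOTP do not, here is an added illustration in Ruby (the language of GitHub’s stack) that is not GitHub’s or Yubico’s code. It simulates the three parties of the U2F authentication flow: a software stand-in for the YubiKey that signs with a P-256 key, a browser that builds the client data, and a relying party that stores registrations, issues challenges and verifies assertions. The relying party’s app ID and origin (`https://rp.example`) and the user name are constructed placeholders; the signed message layout (app ID hash, user-presence byte, counter, SHA-256 of the client data) follows the published U2F specification. Because the browser’s origin is inside the signed client data, an assertion obtained through a relay page at a different origin fails verification even though the key’s signature is valid, and a consumed challenge cannot be replayed.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

APP_ID = 'https://rp.example' # hypothetical relying-party app ID (not GitHub's real value)
ORIGIN = 'https://rp.example' # the only origin the relying party accepts

# Software stand-in for the U2F authenticator (the YubiKey). Holds a P-256 key
# and a monotonically increasing counter, as a real device does.
class SimulatedAuthenticator
  attr_reader :public_key_bytes

  def initialize
    @key = OpenSSL::PKey::EC.generate('prime256v1')
    @public_key_bytes = @key.public_key.to_octet_string(:uncompressed) # 65-byte point
    @counter = 0
  end

  # U2F signs: SHA256(appId) || userPresence(1 byte) || counter(4 bytes BE) || SHA256(clientData)
  def sign(app_id, client_data_json)
    @counter += 1
    signed = signed_bytes(app_id, @counter, client_data_json)
    { counter: @counter, signature: @key.dsa_sign_asn1(OpenSSL::Digest.digest('SHA256', signed)) }
  end
end

def signed_bytes(app_id, counter, client_data_json)
  OpenSSL::Digest.digest('SHA256', app_id) + "\x01".b + [counter].pack('N') +
    OpenSSL::Digest.digest('SHA256', client_data_json)
end

# The browser fills in the origin of the page that invoked the U2F API; the user
# cannot change it and the authenticator signs over it.
def browser_client_data(challenge, page_origin)
  JSON.generate('typ' => 'navigator.id.getAssertion', 'challenge' => challenge, 'origin' => page_origin)
end

# Relying party: registration storage, challenge issuance, assertion verification.
class RelyingParty
  def initialize(app_id, origin)
    @app_id = app_id
    @origin = origin
    @registrations = {} # user => { public_key: octets, counter: Integer }
    @challenges = {}    # user => outstanding challenge (single use)
  end

  def register(user, public_key_bytes)
    @registrations[user] = { public_key: public_key_bytes, counter: 0 }
  end

  def new_challenge(user)
    @challenges[user] = SecureRandom.hex(32)
  end

  def verify(user, client_data_json, counter, signature)
    reg = @registrations.fetch(user)
    expected_challenge = @challenges.delete(user) # consume it: each challenge is single use
    cd = JSON.parse(client_data_json)
    return :bad_type      unless cd['typ'] == 'navigator.id.getAssertion'
    return :bad_challenge unless expected_challenge && cd['challenge'] == expected_challenge
    return :bad_origin    unless cd['origin'] == @origin # phishing/relay pages fail here
    return :bad_counter   unless counter > reg[:counter] # cloned or replayed device state
    digest = OpenSSL::Digest.digest('SHA256', signed_bytes(@app_id, counter, client_data_json))
    return :bad_signature unless ec_public_key(reg[:public_key]).dsa_verify_asn1(digest, signature)
    reg[:counter] = counter
    :ok
  end

  private

  # Wrap the raw 65-byte point in a SubjectPublicKeyInfo so OpenSSL can load it.
  def ec_public_key(octets)
    der = OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new('id-ecPublicKey'),
                                   OpenSSL::ASN1::ObjectId.new('prime256v1')]),
      OpenSSL::ASN1::BitString.new(octets)
    ]).to_der
    OpenSSL::PKey::EC.new(der)
  end
end

# Runs three logins and returns their outcomes: genuine, relayed through another origin, replayed.
def demo_outcomes
  rp = RelyingParty.new(APP_ID, ORIGIN)
  device = SimulatedAuthenticator.new
  rp.register('alice', device.public_key_bytes) # constructed user

  ch = rp.new_challenge('alice')
  genuine_cd = browser_client_data(ch, ORIGIN)
  genuine = device.sign(APP_ID, genuine_cd)
  genuine_result = rp.verify('alice', genuine_cd, genuine[:counter], genuine[:signature])

  ch = rp.new_challenge('alice')
  relayed_cd = browser_client_data(ch, 'https://rp-login.example') # look-alike origin, hypothetical
  relayed = device.sign(APP_ID, relayed_cd)
  relayed_result = rp.verify('alice', relayed_cd, relayed[:counter], relayed[:signature])

  replay_result = rp.verify('alice', genuine_cd, genuine[:counter], genuine[:signature])
  [genuine_result, relayed_result, replay_result]
end

puts demo_outcomes.inspect if __FILE__ == $PROGRAM_NAME
```

The relayed login fails on the origin check before the signature is even examined; a real browser would additionally refuse to invoke the key for an app ID that does not match the page’s origin, so the server-side check is the second line of defence rather than the only one. The counter check is what lets a relying party notice a cloned authenticator.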
Work moved along and began to include multiple key pair registration and the ability to add nicknames to each key pair registration, providing an easy way to identify where each key could be used.
Next came development of a user interface so that registration could be optimized for the U2F protocol. Toews also spent some time building a test tool that could quickly identify issues on the site.
Testing with GitHub staff came next. It was successful, so the company decided to release U2F-backed strong authentication to all 11 million of its developers during the keynote on the first day of the company’s first-ever GitHub Universe conference, in October 2015.
User Experience and Feedback
“The YubiKey devices are durable, easy to use, and they bring strong authentication to the user,” said Davenport. “GitHub hopes to make U2F truly universal, first by adopting the standard for our platform, but then also to provide the YubiKey to tens of thousands of developers worldwide.”
During the GitHub Universe conference, GitHub users snapped up 10,000 specially-made YubiKeys so they could protect their GitHub accounts.
“The next step is for developers to implement U2F,” Toews said at GitHub Universe. “We think this is an improvement for security. We think the security of the internet as a whole can be improved with U2F.”
Working with Yubico
GitHub used Yubico’s self-service model, reference code from Yubico’s developers’ website, and Google reference code. Yubico assisted with verifying user flows and providing feedback to optimize the user experience. With that support and GitHub’s outstanding team of developers, two-factor authentication with U2F could be released publicly, and very quickly, shortly after U2F was activated for GitHub’s employees.
Jerrod Chong, Yubico’s Vice President of Solutions Engineering, stated, “The GitHub team is highly skilled, very professional, and extremely efficient. It was our honor working with everyone on the team.”