
Kudos to GitHub for (gradually) chucking optional MFA out the window

    

Last year, on May 4, 2022, GitHub laid down the authentication law: GitHub Chief Security Officer and SVP of Engineering Mike Hanley announced that by the end of 2023, everyone who contributes code on GitHub.com would be required to enable one or more forms of multifactor/two-factor authentication (MFA/2FA).

It’s part of “a platform-wide effort to secure software development by improving account security,” he wrote.

That’s righteous. But why wait until the end of the year? As it is, there’s been way too much code mischief in repositories. A painful case in point landed within weeks of GitHub’s May 2022 announcement, when GitHub disclosed that an attacker using stolen OAuth tokens had accessed npm data, including the usernames, password hashes and email addresses of roughly 100K npm user accounts. And only weeks before Hanley’s proclamation, in March 2022, the maintainer of the hugely popular node-ipc library shipped versions that overwrote files with a heart emoji on machines in Russia and Belarus, alongside a “peacenotwar” module protesting the war in Ukraine.

Coincidence or not, the timing doesn’t matter much. What matters is that node-ipc, a dependency that many JavaScript projects pull in transitively, including the Vue CLI (npm package @vue/cli) for the popular Vue.js frontend framework, carried that sabotage straight into downstream builds, underscoring the need to vet nested dependencies as a holistic risk.

On its mission to stop cluster-forks like that, earlier this month, on March 13, GitHub started the gradual rollout of mandatory MFA. As GitHub’s Laura Paine and Hirsch Singhal said in a blog post, GitHub is reaching out to smaller groups of developers and administrators to notify them that they’re now required to enroll in 2FA:

If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You’ll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders. 

We’ll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com. You’ll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don’t worry: this snooze period only starts once you’ve signed in after the deadline, so if you’re on vacation or out of office, you’ll still get that one week period to set up 2FA when you’re back at your desk.

So, what if you’re not in an early enrollment group but you want to get started? Click here and follow a few easy steps to enroll in 2FA.

 —GitHub

Optional MFA = stupid and ≠ secure by default

If your reaction to the news is something like “Well, duh,” it probably means that you work in cybersecurity. You may wonder whether anybody actually needs to be reminded that MFA should be a) turned on if you’re a user, and b) made mandatory by any and all software as a service (SaaS) vendors. 

As Contrast Security CISO David Lindner said about GitHub’s MFA move in his March 13 CISO Insights column, “This is how all SaaS providers should operate.”

But hey, not everyone lives cybersecurity, and that includes not just your relatives with their sticky-note-glued-onto-their-monitor “password managers” but also developers on GitHub who aren’t living in what you’d call an uber-security mindset, Lindner said. “They're writing code. They're doing cool sh*t with their programs,” he said. “All they want to do is get to their code and write. They're not thinking about the fact that ‘Oh, I should flip on MFA.’”

He knows whereof he speaks. Contrast migrated to GitHub a few years ago, set itself up as an organization, then invited a bunch of developers, as you do. “We have 200-ish developers, or whatever,” Lindner said. “Now, when we started doing that, we noticed that more than 75% of them didn't have MFA turned on in their GitHub accounts. It’s something we solved by using Okta with MFA to front our GitHub Organization, but the developers’ main GitHub accounts for their personal work were still not fronted with an MFA solution.”
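If you run a GitHub organization and want the same kind of headcount Lindner describes, GitHub’s REST API will give it to you: GET /orgs/{org}/members lists everyone, and the same endpoint with filter=2fa_disabled (available to org owners only) lists the members who have not enabled 2FA. The script below is an added example written for this post, not code from Contrast or from GitHub; the organization name, the GITHUB_TOKEN environment variable, and the sample member lists are assumptions and constructed data so that the summary logic runs offline.

```python
"""Audit 2FA coverage in a GitHub organization (added example, not from the post).

Calls GitHub's REST API:
  GET /orgs/{org}/members                       -> every member
  GET /orgs/{org}/members?filter=2fa_disabled   -> members without 2FA (org owners only)
Run against a real org with a token that has read:org for an org owner:
  GITHUB_TOKEN=ghp_... python audit_2fa.py my-org      (org name is an assumption)
Without a token it falls back to the constructed sample data below.
"""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"
PER_PAGE = 100


def fetch_members(org, token, two_fa_disabled=False):
    """Return the list of member objects for `org`, following page-numbered pagination."""
    members = []
    page = 1
    while True:
        url = f"{API}/orgs/{org}/members?per_page={PER_PAGE}&page={page}"
        if two_fa_disabled:
            url += "&filter=2fa_disabled"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        members.extend(batch)
        if len(batch) < PER_PAGE:      # a short page means this was the last one
            return members
        page += 1


def summarize(all_members, no_2fa_members):
    """Turn the two member lists into a coverage report: total, who lacks 2FA, and the percentage."""
    no_2fa = sorted(m["login"] for m in no_2fa_members)
    total = len(all_members)
    pct = round(100.0 * len(no_2fa) / total, 1) if total else 0.0
    return {"total": total, "without_2fa": no_2fa, "pct_without_2fa": pct}


# Constructed sample responses, shaped like the API's JSON (only the `login`
# field is used here), so the report logic can be exercised offline.
SAMPLE_ALL = [{"login": name} for name in ("alice", "bob", "carol", "dave")]
SAMPLE_NO_2FA = [{"login": "dave"}, {"login": "bob"}, {"login": "carol"}]


def main(argv):
    token = os.environ.get("GITHUB_TOKEN")
    if len(argv) == 2 and token:
        org = argv[1]
        report = summarize(fetch_members(org, token),
                           fetch_members(org, token, two_fa_disabled=True))
    else:
        report = summarize(SAMPLE_ALL, SAMPLE_NO_2FA)
    print(json.dumps(report, indent=2))
    # Non-zero exit turns this into a CI gate: fail while anyone still lacks 2FA.
    return 1 if report["without_2fa"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it on the sample data reports four members with three (75%) lacking 2FA, the same proportion Lindner found, and exits non-zero. Org owners can also flip the organization’s “Require two-factor authentication” setting, which removes members who haven’t enabled it; an audit like this tells you who would be locked out before you throw that switch.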

Yeah, but after all, MFA only blocks 99.9% of account takeovers

It’s just dumb not to make MFA mandatory, if you look at the numbers. 

Microsoft has some convincing ones: In 2019, Melanie Maynes Lopez, Microsoft director of product marketing/identity, wrote that at the time, the company was seeing more than 300 million fraudulent sign-in attempts to its cloud services every day. “Cyberattacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology,” she said. “All it takes is one compromised credential or one legacy application to cause a data breach. This underscores how critical it is to ensure password security and strong authentication.” 

There’s one, single action you can take to protect your account from attacks, she said. Did you guess “MFA?” Bingo — in fact, MFA can block over 99.9% of account compromise attacks, according to Microsoft’s 2019 data. 

“By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks,” Lopez wrote. “With MFA, knowing or cracking the password won’t be enough to gain access.”

Are we living in a glass house?

Everyone “should just be doing these things anyway,” Lindner said, but even Contrast still needs a reminder. 

“Even us, with our SaaS system, we don't require MFA, which is stupid. It should be on the SaaS provider to require it. Period. I don't know why we don't.”

And with that, he was off to open a ticket to make MFA a mandatory feature. 

Optional MFA ≠ secure by default

You might wonder how in the world anybody — let alone a cybersecurity company, for the love of all that’s holy — would skip mandatory MFA. Please don’t throw your rotten tomatoes at us just yet, though. It’s not as bad as it seems, since most Contrast customers use their own authentication mechanisms, such as a single sign-on (SSO) solution like Okta or Active Directory. 

“They don't use what we have built in, but we don't require it for those accounts, and I don't know why not,” Lindner said. “I don't know why the industry hasn't moved that way faster. MFA is so easy to use — I mean, we already have it implemented. The only thing we need to do is just have the switch flipped, as in, just [move] it from optional to required.”

In fact, most, if not all, SaaS providers have the option to make MFA mandatory today, Lindner said. “We don't have very many, maybe a handful or less of our customers that just use our authentication mechanism, because they're all using some SSO provider. [But] honestly, it's like a no-brainer to me. Being optional is not secure by default: Let's put it that way.”

Text-based authentication is still better than nothing

Mind you, there’s MFA, and then there’s MFA. One form, SMS-based authentication, has been giving cybersecurity pros hives for years, because it ties the second factor to a phone number, and a phone number can be stolen in a SIM swap. SIM swaps happen when scammers trick your mobile phone carrier into activating a SIM card that they control. After that, they receive your calls and texts, including one-time codes and password-reset links, which leads to control over things such as your financial accounts. SMS codes can also be phished in real time, which is why authenticator apps and hardware security keys, both of which GitHub supports, are the stronger choice.

In fact, people have lost millions worth of cryptocurrency in SIM swaps. Scammers have also used SIM swaps to reset people’s banking passwords so they could empty out the cash.

But even SMS-based MFA is “still better than not using MFA,” Lindner insists, given that “if someone compromises your username and password, now they have to compromise your cell phone.

“There's still another layer there that you didn't have before,” he said. “I will always argue for SMS versus nothing.” 

Kudos to GitHub for rubbing out “nothing” as an option!

Lisa Vaas, Senior Content Marketing Manager, Contrast Security

Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.