GitHub says #GoPasswordless

Ajit Hatti August 25, 2021 Passwordless

All the recent high-profile breaches we have seen have one common root cause: account takeovers with compromised credentials.

The SolarWinds incident is among the biggest examples of how a simple account takeover led to the distribution of malicious updates, which were then amplified through the supply chain and affected the entire world.

GitHub, being the world's code repository and home for all updates, has taken a commendable step to curb account takeover attacks by going passwordless.

Beginning August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations on

As previously announced by Ben Balter, Program Manager at GitHub, in July 2020, GitHub wants its users to use alternative forms of authentication, which involve tokens, keys, device identification, etc.

GitHub to #GoPasswordless

GitHub has also assured that customers already using 2FA or MFA with their existing passwords will remain unaffected.

GitHub also acknowledges that many forms of 2FA that use SMS-based OTP are weaker and bypassable, and hence recommends a stronger MFA solution to protect your GitHub accounts.

As far as enterprises are concerned, GitHub supports SAML-based authentication, which is leveraged by PureAUTH to provide passwordless authentication.

To further secure your code management platform, you can integrate CI/CD automation suites like Jenkins and code scanning tools like SonarQube with PureAUTH and #GoPasswordless.
