GitHub is urging its users to enable two-factor authentication (2FA) after deprecating password-based authentication for Git operations.
“If you have not done so already, please take this moment to enable 2FA for your GitHub account,” the company’s Chief Security Officer Mike Hanley said.
“The benefits of multifactor authentication are widely documented and protect against a wide range of attacks, such as phishing.”
Hanley recommends using one of several 2FA options available on GitHub, including physical security keys, virtual security keys built into devices such as phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps.
SMS-based 2FA is also available, but GitHub urges users to choose security keys or TOTP wherever possible, because SMS is less secure: threat actors can bypass or steal SMS 2FA auth tokens.
GitHub also provides a step-by-step video guide on how you can enable your security key for SSH keys and Git commit verification.