11 June 2014

If you are using github, please make sure you use 2fa - Two factor authorisation. You should be using it for your google and other accounts too.

Your simple passwords may be good, but they can be leaked, cracked and broken in other ways. Heartbleed and other recent things have made us all to aware of how easy that can be.

This is a way to make your accounts more secure.

What is it?

In combination with the password, a mobile app, or SMS message can be used to authorize the computer you have used to access github. If it is a new one, or one you’ve not used in a while, it will require you to enter a code.

The code is based on a secret key that you get from github, and then a one time password number is generated that you type back in. This is identical to the system used for google, and can even share the same google auth app.

How

I recommend githubs own help system for this:

Configuring two-factor authentication via a TOTP mobile app · GitHub Help

I used google authenticator along with google goggles to scan the QR code from the screen.

Weaknesses

If your mobile phone is in possession of someone wanting access to your account, they will be able to bypass this. If they are able to get your recovery codes, they will also be able to bypass it.



blog comments powered by Disqus