0

I have two hardware tokens that generate pseudo-random six-digit codes, for two-factor authentication schemes: an RSA SecurID and a Gemalto. I also have a Yubico key that plugs into the USB bus. Can any of these be used to provide the two-factor authentication that Github will require by the middle of 2021? Can anyone point me to the directions for how to set this up?

I prefer to use one of these devices because I believe that they're more secure than the apps, and, I already own them and use one of them for authentication with AWS.

Thanks for your advice and suggestions.

Kevin Zembower
  • 47
  • 4

1 Answers1

0

First of all, GitHub isn't requiring that users use 2FA, as far as I'm aware. They're requiring that users switch from authenticating to Git using just a plain password to using either an SSH key or a personal access or OAuth token for HTTPS. These are the same requirements as for users that currently have 2FA set up, since plain passwords are not allowed over HTTPS for those users.

However, I do strongly recommend 2FA (as, of course, does GitHub). You can't use a hardware token that generates a six-digit code as far as I'm aware. You can use any WebAuthn device that supports FIDO2, like a YubiKey (which you said you have), Windows Hello, or TouchID, or you can use a TOTP app from your phone.

If you want to set up 2FA, then you can go to https://github.com/settings/security and set up the devices there. There's also a helpful link that points you to the documentation. I've personally set up two YubiKeys and a TOTP app, since the latter is a little easier to deal with in recovery situations.

Note that once you do that, you'll need to use a personal access token instead of your password when using Git over HTTPS. You can follow the directions outlined in the Git FAQ to reset your credential manager and then, when prompted for the password by Git, enter your token. Your username can remain the same.

bk2204
  • 64,793
  • 6
  • 84
  • 100
  • thanks so much for your detailed answer. I also agree that I can't see any way of using the six-digit devices. I was convinced that they would work, because the apps all seem to generate six-digit numbers for TOTPs. I suspect that the problem is getting all the device manufacturers to agree to give github their algorithims and seeds. Did you get a Yubikey Standard (older, obsolete model now) to work? That's the one I have, and I can't get it to work. If you could, I'll start another thread on it. Thanks, again. Have a Happy New Year! – Kevin Zembower Jan 04 '21 at 20:40
  • I have a USB Type-C YubiKey. Your YubiKey will need to support WebAuthn for it to work, so I'd check the YubiKey documentation or one of the WebAuthn test sites to be sure it works. – bk2204 Jan 04 '21 at 23:38
  • Hi, @bk2204, yes, your USB-C Yubikey is much newer than my Yubikey Standard. I finally found [this document](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwigw-Pp74TuAhUNjlkKHefIBoIQFjABegQIARAC&url=https%3A%2F%2Fwww.yubico.com%2Fwp-content%2Fuploads%2F2016%2F02%2FYubico_YubiKeyStandardNano_ProductSheet.pdf&usg=AOvVaw0IRAw55uAOzYrbNd7WZOs8), that in the chart on the last page, definitively says that the Standard won't work with Github. I've got a Yubikey 5 NFC on the way to me. If I can't get that to work, I create another thread. Thanks, again.. – Kevin Zembower Jan 05 '21 at 15:14