Git Command Line and MFA Security

We’re using GitHub Enterprise Cloud, with Okta for SSO.

I set up Git for Windows to use a Personal Access Token with SSO Enabled, which ran thru Okta to authenticate the token, which is all working fine.

This PAT now grants access to our repos on my machine, without any future MFA needed, correct?  

Is there any expiration of SSO on a token? 2 weeks?

I’m assuming it’s squirreled away in a very safe space, but if someone were to get a hold of my machine or the PAT, they would not be forced thru MFA in any way??

Some systems offer location-based MFA, so that if I work from Florida, but all of a sudden the token is used in Utah, it would trigger MFA. I’m assuming there is no element of security like this?

Obviously if I know the PAT or my computer was compromised I would just regenerate the tokens.

Can anyone shed light on my concerns? However valid or invalid they may be.

Thank you,

-Aaron

Hi @airn5475,

Thank you for being here! As far as I know, there is no setting for expiration. We’ve heard similar feedback regarding better SSH key and personal access token management, including the addition of expiry thresholds and configurations, so I’ve added your interest. I can’t say for certain if or when this feature may be implemented; however, I would recommend that you keep an eye on the GitHub Blog and our social media feeds for the latest announcements.

As a workaround, you could implement SSH certificate authorities to manage Git access to your organization’s repositories. For example, you could build an internal system that issues a new certificate to your developers every morning. Each developer can use their daily certificate to work on your organization’s repositories on GitHub and at the end of the day, the certificate can automatically expire. If this is of interest to you, please see the Managing your organization’s SSH certificate authorities article for more information. Additionally, our Blog post announcing SSH certificate authentication may help to provide you with a greater overview of this new feature.

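The daily-certificate workaround described in the reply above, as an added example that is not part of the original posts or GitHub's own tooling. It uses OpenSSH's `ssh-keygen` to sign a developer's public key with a one-day validity window and the `login@github.com` extension that GitHub's SSH CA documentation asks for; the file names, the `octocat` login and the function names are assumptions.

```shell
#!/bin/sh
# Added example: issuing a one-day SSH user certificate from an internal CA.
# Function names, file names and the "octocat" login are hypothetical.

# issue_daily_cert CA_PRIVATE_KEY USER_PUBLIC_KEY GITHUB_LOGIN
# Writes <user key>-cert.pub next to the public key. The certificate stops
# working after one day without anyone having to revoke it.
issue_daily_cert() {
  ca_key=$1; user_pub=$2; login=$3
  # -I : key identity, recorded when the certificate is used
  # -V : validity interval, from now until one day from now
  # -O : binds the certificate to a single GitHub account
  ssh-keygen -q -s "$ca_key" \
    -I "${login}-$(date -u +%Y%m%d)" \
    -V +1d \
    -O "extension:login@github.com=${login}" \
    "$user_pub"
}

# cert_validity CERT_FILE: prints the "from ... to ..." window of a certificate.
cert_validity() {
  ssh-keygen -L -f "$1" | sed -n 's/^ *Valid: //p'
}

# cert_has_login CERT_FILE: succeeds if the GitHub login extension is present.
cert_has_login() {
  ssh-keygen -L -f "$1" | grep -q 'login@github.com'
}

# demo: end-to-end run with throwaway keys (constructed sample data).
# In production the CA private key lives only on the issuing service and
# each developer submits just their public key for signing.
demo() {
  dir=$(mktemp -d) || return 1
  ssh-keygen -q -t ed25519 -N '' -C 'example-ca' -f "$dir/ca" &&
  ssh-keygen -q -t ed25519 -N '' -C 'dev-laptop' -f "$dir/id_ed25519" &&
  issue_daily_cert "$dir/ca" "$dir/id_ed25519.pub" octocat &&
  cert_validity "$dir/id_ed25519-cert.pub"
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Run "sh script.sh demo" to try it; otherwise only the functions are defined.
if [ "${1:-}" = "demo" ]; then demo; fi
```

Unlike the PAT discussed in the question, a stolen copy of this certificate and its key is only usable until the printed end time, so the issuing step is where an MFA or SSO check can be enforced each day.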