Yubi keys no longer available for 2FA? Why? #23623
-
There is a GitHub blog from August 2021, which promotes using Yubi Keys for 2FA:
Securing your GitHub account with two-factor authentication | The GitHub Blog

Just tried to enable 2FA on my private GitHub account and it is not offered any more. I checked on my company account, where we activated YubiKeys for a group of developers in summer this year, and I can see that the option “security key” is activated there. We would like to have this option for a new developer, and now YubiKeys are no longer offered. Our company policy does not allow the usage of personal equipment (smartphone), so Yubi Key was a good and cheap choice. Can anybody explain why this option is no longer available and if it will become available again in the near future? Thank you
Replies: 6 comments
-
Hey @anrose00—you can absolutely still add a YubiKey or other security key device to your account, but you’ll need to add an authenticator app or SMS number as your primary method first:
Configuring two-factor authentication - GitHub Docs
-
Thanks for your response. But initially this restriction did not exist. The question is why? Any explanation?
-
It’s always been the case that to add a security key, you need an authenticator app or SMS number configured—we haven’t changed anything there. This was true way back when we added support for FIDO U2F in 2015, and now with our support for WebAuthn:
GitHub supports Web Authentication (WebAuthn) for security keys

Removing this requirement and making security keys a primary method of authentication is certainly something we’re thinking about but, for now, keep your app or SMS number nearby.
-
A problem is that GitHub’s documentation often doesn’t mention this. The interface is confusing, and the policy is confusing too.
Context here is in regards to second-factor authentication. For instance, I currently don’t have (or want) a phone line. WiFi is everywhere I go. The authenticator apps I’m familiar with require an SMS channel. It’d sure be nice if GitHub directly supported second-factor security with WebAuthn devices (like YubiKeys, embedded system chips, etc.) without a traditional telephone line. There isn’t a foundational technical problem preventing GitHub’s support. And since GitHub generates one-time-use recovery codes, there isn’t really a user lockout experience problem with it either. I have my Google (banks, hosting, etc.) accounts secured in this exact manner; their interfaces tend to recommend multiple hardware keys, in addition to recovery codes, but it is unusual in the industry to gate-keep WebAuthn. Cheers.
-
msct:
TOTP 2FA does not; it doesn’t require any network connection at all after initial setup. But I agree that direct WebAuthn would be nice. 🙂
-
That policy will need to be changed slightly, probably long term. As the Salesforce roll-out of their MFA shows, newer 2FA and MFA requirements break down for service accounts and automation accounts. In theory GitHub Actions, Model Ops, anything with Continuous Integration should break if it’s using SMS to connect. The reason I point to the Salesforce roll-out is that it is an example of their One Time Password 2FA kind of failing due to confusion of the user base. The lesson learned was that there are not factor options for users for authentication with 2FA. Not every authenticator app was supported. What should be changed: more options for 2FA with Yubi keys, not just mobile app, but location. The increase in the number of available authenticator apps and vendors, especially those that allow GitHub Actions.