Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
GitHub Prepares to Move Beyond Passwords
#1
Information 
Quote:GitHub, the ubiquitous host for software development and version control (and unfortunate target of a steady pitter-patter of attacks targeting the same), is now supporting security keys when using Git over SSH.
 
In a post on Monday, GitHub security engineer Kevin Jones said that this is the next step when it comes to increasing security and usability. These portable FIDO2 fobs are used for SSH authentication to secure Git operations and to forestall the misery that unfurls when private keys accidentally get lost or pilfered, or when malware tries to initiate requests without user approval. Just one example: In 2019, the TrickBot info-stealing malware got a makeover that enabled its password grabber to target data from OpenSSH applications.
 
These security keys, which include YubiKey, Thetis Fido U2F Security Key and Google Titan Security Keys, are easy to pop into your pocket and cart around between machines, with most connecting via USB, NFC or Bluetooth. They provide an alternative to the one-time passwords provided by applications or sent via SMS. As it is, SMS SSH codes sent via text can be and have been intercepted.
 
In contrast, as Jones pointed out, much of the data on a security key is protected from external access and modification, meaning that the key keeps its secrets tucked away and out of reach. While the devices store a private key on your computer, those on-computer keys are simply a reference to the physical security key: in other words, they’re useless to anybody who doesn’t have the actual device in hand.
 
Given that the keys are one of the factors in multi-factor authentication (MFA), users should safeguard the devices just like they would any other credential. If you’re the only one who can get at your security key, you can, in fact, leave it plugged in. “When using SSH with a security key, none of the sensitive information ever leaves the physical security key device,” Jones added. “If you’re the only person with physical access to your security key, it’s safe to leave plugged in at all times.”
 
Neither malware nor accidental private-key exposure can give away your credentials when you use a security key, he said: “As long as you retain access to the security key, you can be confident that it can’t be used by anyone else for any other purpose.”

Read more: GitHub Prepares to Move Beyond Passwords | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
AWZ Screen Recorder
AWZ Screen Recorder ...zevish — 11:05
Website X5 Go 2024.1
Website X5 Go 2024.1...zevish — 09:32
Apple's rules to allow third-party app ...
Apple has announ...alison30 — 09:28
Intel: Microsoft AI PCs need a Copilot K...
Microsoft hopes th...harlan4096 — 08:55
Synchredible 8 Professional Edition v8.2...
          Synchredib...zevish — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>