Today at its first user conference, GitHub Universe, GitHub announced that it’s launching support for FIDO Universal 2nd Factor (U2F) security keys from Yubico and other companies. These physical USB keys automatically generate a second-factor code for you when you plug them in, so you no longer have to enter a six-digit code from Google Authenticator, Authy and similar apps.
Two-factor authentication makes it very hard for attackers to launch a phishing or man-in-the-middle attack against you, but it can’t completely eradicate this threat. Using a U2F security key adds another layer of protection, because the key won’t exchange information with any site other than the one you authorized when you first set it up. This only works with Google Chrome, though, because other browsers don’t feature built-in U2F support yet.
GitHub already supported two-factor authentication through apps like Authenticator and over SMS. The company’s VP of security Shawn Davenport told me that about 300,000 of GitHub’s 11 million users currently use two-factor authentication. To increase this number — and jumpstart the adoption of security keys on GitHub — the company has partnered with Yubico, and it’s allowing the first 5,000 buyers to purchase keys for $5 and is offering a 20 percent discount for those who miss the cutoff.
Davenport also told me that the company started to run into a number of issues with supporting two-factor authentication lately. Sending SMS internationally, for example, is still somewhat unreliable. Users also often upgrade their phones and then forget to transfer their security tokens between phones, so the authenticator apps don’t work.
Yubico CEO and founder Stina Ehrensvard noted that GitHub is now her company’s third major partner for getting U2F keys into the market. The first two were Google and Dropbox. As she told me, the company is seeing “good momentum” from these partnerships. She argues that what’s missing right now for even wider adoption, though, is support from other browser vendors. Yubico is talking to Mozilla and Microsoft, but “they are not moving very fast,” Ehrensvard told me.