2021-05-12 19:43:26
GitHub has officially added support for securing SSH Git operations with FIDO2 security keys, strengthening protection against account hijacking attempts, which are becoming more sophisticated and complex.
Previously, researchers at North Carolina State University (NCSU) had found that more than 100,000 GitHub repositories leaked API tokens and cryptographic keys (SSH and TLS). Notably, this result came after the researchers had scanned about 13% of GitHub’s public repositories for almost six months.
Worse yet, they also discovered that thousands of new repositories quietly leak secrets every day.
With GitHub’s newly added security feature, you can now use a portable FIDO2 device for SSH authentication to secure Git operations, prevent accidental exposure of your private key, and stop malware from initiating requests without your consent.
“Once created, these new security keys can be added to your account just like any other SSH key,” said Kevin Jones, Senior Security Engineer at GitHub. “You will still generate a public and private key pair, but the secret bits will be generated and stored in the secure key, with the public part stored on your machine just like any other public SSH key.”
While a private key file will still be stored on your local computer, it is only a reference to the physical security key and is useless without access to the actual device.
To further increase your ability to recover your GitHub account from malicious acts, you should replace all previously registered SSH keys with SSH keys backed by a security key. This ensures that you are the only one who can manage the project’s Git data over SSH, as long as the FIDO2 security key is in your control.
Using only SSH keys backed by FIDO2 devices means you won’t have to keep track of all the SSH keys you create, as they are completely useless without access to the security key they are paired with.
Additionally, GitHub will automatically remove any inactive (idle for more than a year) SSH keys from your account. Key management thus becomes significantly easier if you work on multiple devices or lose one of them.
To move to the new SSH Git process, you need to log into your GitHub account, generate a new SSH key for the hardware security key, then add that key to your account.
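To support replacing older keys as recommended above, the following added example (not GitHub's code) audits a list of public key lines and flags the ones that are not backed by a security key. It assumes OpenSSH's security-key public key types, `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com`, which the article does not name; the sample keys are constructed placeholders.

```python
import base64
import struct

# OpenSSH public key types whose private half lives on a FIDO2/U2F authenticator.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def read_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)  # struct.error if cut short
        if off + 4 + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def classify(line):
    """Return (verdict, detail) for one authorized_keys-style public key line."""
    parts = line.split()
    if len(parts) < 2:
        return ("invalid", "not a public key line")
    declared = parts[0]
    try:
        fields = read_strings(base64.b64decode(parts[1], validate=True))
    except (ValueError, struct.error):  # ValueError also covers bad base64
        return ("invalid", "undecodable key blob")
    # The type inside the blob is authoritative; the text prefix is only a label.
    if not fields or fields[0].decode("ascii", "replace") != declared:
        return ("invalid", "declared type does not match key blob")
    if declared in SK_TYPES:
        # Last field of an sk-* key is the FIDO application string, e.g. "ssh:".
        return ("hardware-backed", fields[-1].decode("ascii", "replace"))
    return ("replace", declared)

def _line(ktype, *fields, label=None, comment=""):
    """Build a constructed, non-functional key line for the demo."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (ktype.encode(), *fields))
    return f"{label or ktype} {base64.b64encode(blob).decode()} {comment}"

SAMPLE = [  # constructed placeholders, not real keys
    _line("ssh-rsa", b"\x01\x00\x01", bytes(257), comment="old-laptop"),
    _line("ssh-ed25519", bytes(32), comment="workstation"),
    _line("sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:", comment="fido2-key"),
    _line("ssh-rsa", b"\x01\x00\x01", bytes(257), label="sk-ssh-ed25519@openssh.com"),
]

for entry in SAMPLE:
    print(classify(entry), entry.split()[0])
```

Keys reported as `replace` are ordinary file-based keys; the last sample shows why the type prefix alone is not trusted, since its label claims a security key while the blob holds an RSA key.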
Starting August 2021, GitHub will switch to token-based authentication, at which point account passwords will no longer be accepted for validating Git operations.