Should Authentication Be Required for All Activities (Read, Write, Delete)

Token authentication requirements for Git operations

In July 2020, we announced our intent to require the use of token-based hallmark (for example, a personal access, OAuth, or GitHub App installation token) for all authenticated Git operations.…

In July 2020, nosotros announced our intent to require the use of token-based authentication (for example, a personal admission, OAuth, or GitHub App installation token) for all authenticated Git operations. Showtime August 13, 2021, we volition no longer have account passwords when authenticating Git operations on GitHub.com.

Workflows affected

• Command line Git admission
• Desktop applications using Git (GitHub Desktop is unaffected)
• Any apps/services that admission Git repositories on GitHub.com direct using your countersign

The post-obit customers remain unaffected by this change:

• If you accept 2-factor authentication enabled for your account, you are already required to employ token- or SSH-based authentication.
• If you lot employ GitHub Enterprise Server, we accept non appear whatsoever changes to our on-premises offering.
• If y'all maintain a GitHub App, GitHub Apps do not back up password authentication.

Background

We described our motivation as we announced similar changes to authenticating with the API as follows:

In recent years, GitHub customers have benefited from a number of security enhancements to GitHub.com, such as two-factor hallmark, sign-in alerts, verified devices, preventing the utilise of compromised passwords, and WebAuthn back up. These features brand it more than difficult for an attacker to take a password that's been reused beyond multiple websites and utilize information technology to try to proceeds access to your GitHub account. Despite these improvements, for historical reasons customers without two-factor authentication enabled accept been able to keep to authenticate Git and API operations using just their GitHub username and password.

Offset August xiii, 2021, nosotros will no longer accept account passwords when authenticating Git operations and will require the utilize of token-based authentication, such as a personal access token (for developers) or an OAuth or GitHub App installation token (for integrators) for all authenticated Git operations on GitHub.com. Y'all may likewise continue using SSH keys where you prefer.

Tokens offer a number of security benefits over password-based authentication:

1. Unique – tokens are specific to GitHub and tin can be generated per utilize or per device
2. Revocable – tokens can can be individually revoked at any time without needing to update unaffected credentials
3. Limited – tokens can exist narrowly scoped to allow only the access necessary for the utilise case
4. Random – tokens are not bailiwick to the types of dictionary or brute force attempts that simpler passwords that you need to recall or enter regularly might be

What you lot demand to exercise today

• For developers, if you are using a password to authenticate Git operations with GitHub.com today, you lot must brainstorm using a personal access token over HTTPS (recommended) or SSH key by Baronial thirteen, 2021, to avoid disruption. If you receive a warning that you are using an outdated third-party integration, yous should update your customer to the latest version.
• For integrators, you must authenticate integrations using the web or device authorization flows past August 13, 2021, to avoid disruption. For more data, see Authorizing OAuth Apps and the announcement on the developer blog.

Enabling ii-factor authentication

If you would like to ensure that your account does non allow countersign-based hallmark, you tin can enable two-factor authentication for your business relationship today. This will require you lot to use a personal access token for all authenticated operations via Git and third-party integrations.

Brownouts

To ensure all affected customers are aware of the authentication alter, during two scheduled brownouts, we will temporarily disable support for countersign authentication, and Git operations made using a password volition temporarily fail. The brownouts are scheduled for the following dates and times:

June 30, 2021

• From 7:00 AM UTC – 10:00 AM UTC
• From four:00 PM UTC – 7:00 PM UTC

July 28, 2021

• From seven:00 AM UTC – 10:00 AM UTC
• From iv:00 PM UTC – seven:00 PM UTC

Timeline

• Today – If you lot are using passwords to authenticate Git operations with GitHub.com today, you will presently receive an e-mail urging you to update your authentication method or tertiary-party customer.
• June 30 and July 28, 2021 – Token (or SSH key) authentication will be temporarily required for all Git operations to encourage affected customers to update their hallmark method (encounter below).
• August 13, 2021 – Token (or SSH key) hallmark volition be required for all authenticated Git operations.

If you lot have whatsoever questions, please see the related API countersign authentication web log post, learn more than nigh keeping your business relationship secure, or contact GitHub Support. Need a security key? Head over to the GitHub Store.

baierpusting.blogspot.com

Source: https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/

Share this post