When it comes to making the sign-in process more secure than it is by default, two-factor authentication seems to be the way to go for many Internet companies. It adds another layer of authentication to the login process: users enter their username and password, and then a secret code in a second step, to complete the sign-in.
Attackers who manage to steal a user's login information (username and password), for instance through phishing, trojans, or a server database dump and decryption of the passwords, cannot do anything with that data alone, as they also need to get hold of the second factor.
This code is generated anew each time it is requested, which adds a time factor to the process and prevents previously generated codes from being reused.
GitHub, one of the largest software project hosting web services in the world, has just launched two-factor login authentication for all user accounts. It is an optional feature that users need to enable before they can make use of it.
GitHub Two-Factor Authentication in detail
GitHub's Two-Factor Authentication works either by SMS or by two-factor applications such as Google Authenticator for Android, iPhone or BlackBerry, or Authenticator for Windows Phone.
A code is delivered to a linked mobile device via SMS, or generated by the selected application once it has been authorized to generate codes for the GitHub login process.
To set it up, open the account settings page on the website and select Set up two-factor authentication there.
The option to set it up through a text message or through an app is provided here and it is up to the user to select the preferred method. Both methods provide the same level of security and require that you have access to a mobile phone.
If you select the cell phone method, enter the country code, area code and mobile phone number in the form, and note that carrier rates may apply.
GitHub will send a test code to the device which you need to enter on the Two-Factor Authentication page to verify that everything is working correctly so that the feature can be enabled.
If you prefer to use a mobile application, install it on your device first. Then scan the QR code that GitHub displays using the application, or enter the security code shown on that page manually instead.
Use one of the newly generated codes to enable two-factor authentication on GitHub.
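The app-based method described above, and the "time factor" mentioned earlier, come down to the TOTP algorithm (RFC 6238) that authenticator apps implement: the QR code or manual setup key carries a shared secret, and both the app and the server derive a short code from that secret and the current 30-second window. The following is an added example written for this article, not GitHub's code or the authenticator app's code. It uses the RFC 6238 reference secret as the setup key and constructed timestamps; the `used_windows` bookkeeping and the one-window drift tolerance are assumptions about how a server might verify codes.

```python
"""Added example (not GitHub's code): minimal RFC 6238 TOTP generator and verifier,
the mechanism behind authenticator apps. Secret and timestamps are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the
# way a QR code or manual setup key normally carries it. Constructed for the example.
SETUP_KEY = base64.b32encode(b"12345678901234567890").decode()

STEP = 30      # seconds per window: this is the "time factor"
DIGITS = 6     # code length shown by the app


def _decode_setup_key(setup_key: str) -> bytes:
    # Setup keys are often shown lowercase and without base32 padding; normalise both.
    padded = setup_key + "=" * (-len(setup_key) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(setup_key: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    now = int(time.time()) if at is None else at
    return hotp(_decode_setup_key(setup_key), now // STEP)


def verify(setup_key: str, submitted: str, at: int, used_windows: Set[int],
           drift: int = 1) -> bool:
    """Server-side check (assumed design): accept the code for the current window or
    +-drift neighbouring windows to tolerate clock skew, but never accept a window that
    has already been redeemed, so a captured code cannot be replayed."""
    secret = _decode_setup_key(setup_key)
    window = at // STEP
    for w in range(window - drift, window + drift + 1):
        if w in used_windows:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, w), submitted):
            used_windows.add(w)
            return True
    return False


if __name__ == "__main__":
    redeemed: Set[int] = set()
    code = totp(SETUP_KEY, at=59)            # RFC 6238 test vector -> "287082"
    print("code at t=59:", code)
    print("accepted:", verify(SETUP_KEY, code, 59, redeemed))
    print("replayed:", verify(SETUP_KEY, code, 59, redeemed))   # same window again -> False
    print("stale:", verify(SETUP_KEY, code, 90, set()))         # two windows later -> False
```

The six-digit values match the last six digits of the 8-digit test vectors in RFC 6238 Appendix B, which is a convenient way to check any TOTP implementation. Note that the security of the scheme rests entirely on the setup key: anyone who photographs the QR code or reads the manual key can generate the same codes, which is why it should be shown only once during setup.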
GitHub provides users who enable two-factor login authentication on the site with recovery codes. These codes can be used to gain access to the account if the phone is not within reach or no longer available.
It is furthermore possible to set a fallback SMS number, preferably on a different phone, which you can use to regain access to the account even if the primary phone and the recovery codes are no longer available.
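To make the role of recovery codes concrete, here is an added example of how a service can issue and redeem them; it is illustrative code written for this article, not GitHub's implementation. The number of codes, their format, and the choice to store only SHA-256 digests and consume each code once are assumptions about a reasonable design.

```python
"""Added example (not GitHub's code): issuing one-time recovery codes and redeeming
them when the phone is lost. Count, format and storage are assumed, not GitHub's."""
import hashlib
import secrets

CODE_COUNT = 16                                   # assumed number of codes issued
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed code alphabet


def _digest(code: str) -> str:
    # Codes are high-entropy random strings, so an unsalted fast hash is adequate here
    # (unlike passwords, they cannot be guessed from a dictionary).
    return hashlib.sha256(code.encode()).hexdigest()


def issue_recovery_codes(count: int = CODE_COUNT):
    """Return (plaintext codes to show the user exactly once, set of digests to store)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
        codes.append(raw[:5] + "-" + raw[5:])    # e.g. "k3x9a-7qpz2", constructed format
    stored = {_digest(c) for c in codes}
    return codes, stored


def redeem_recovery_code(stored: set, submitted: str) -> bool:
    """Accept a code only if its digest is still stored, then remove it so it is single-use."""
    digest = _digest(submitted.strip().lower())
    if digest in stored:
        stored.remove(digest)
        return True
    return False


if __name__ == "__main__":
    shown_once, db = issue_recovery_codes()
    print("first code:", shown_once[0])
    print("redeem:", redeem_recovery_code(db, shown_once[0]))     # True
    print("reuse:", redeem_recovery_code(db, shown_once[0]))      # False, already consumed
    print("remaining:", len(db))                                  # 15
```

Because the plaintext is shown only at issue time, a database dump yields only digests of unguessable strings, and each code stops working the moment it is used, which is what makes a printed or saved list of recovery codes safe to keep as a fallback.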