Improve security posture with Two-Factor Authentication
There is an increasing amount of leaked credentials and there are known cases of password reuse. Often this leads to compromised logins and accounts.
Services like Have I Been Pwned and Identity Leak Checker by Hasso Plattner Institute can be used to check if the known leaked credentials affect you.
Hijacked and hacked accounts of developers (npmjs, GitHub, GitLab, ...) can have huge consequences:
- supply-chain attacks
- access to internal and proprietary code
- delivery of malware / malicious releases
- company-wide compromise
- ...
To lower these risks, you can enable and enforce 2FA (Two-Factor Authentication) with a few simple steps.
Please keep in mind to follow at least these rules:
- do not use SMS-based 2FA (to mitigate SIM-swapping attacks and more)
- do not use closed-source authenticator apps on your smartphone (if possible, they are harder to audit for vulnerabilities)
- do not use push-based 2FA if possible (to prevent push notification bombing attacks)
- do not use Cloud-based 2FA solutions (you don't know how secure your secrets there are)
- do not use biometric details (these are not secure and not secret, and can not be changed)
- create an encrypted backup of your 2FA secrets
- prefer an open-source solution like Aegis as 2FA token generator and set a secure password for the secrets
- use a separate device for 2FA (not the same where the login is done)
- if possible prefer a hardware-based solution (instead of an app) like YubiKey by Yubico (use two, to have one extra as backup)
Many platforms support multiple 2FA methods at once so that you still have access with another option if one of them fails.
The following links will help you to setup and enforce 2FA for different platforms:
npmjs:
- https://docs.npmjs.com/configuring-two-factor-authentication
- https://docs.npmjs.com/requiring-2fa-for-package-publishing-and-settings-modification
- https://docs.npmjs.com/requiring-two-factor-authentication-in-your-organization
GitHub:
- https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
GitLab:
- https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html
- https://docs.gitlab.com/ee/security/two_factor_authentication.html
These are just a few of the many platforms, that support 2FA. Please check, if you can set up 2FA for more accounts to reduce the overall risk of compromised logins and the damages caused by leaked credentials.
An overview of websites and services that support 2FA can be found at https://2fa.directory/.