DOI: 10.1145/3664476.3670885
Research article, Open access

What Johnny thinks about using two-factor authentication on GitHub: A survey among open-source developers

Published: 30 July 2024

Abstract

Several security incidents in open-source projects demonstrate that developer accounts get misused or stolen when weak authentication is used. Many services have started to enforce second-factor authentication (2FA) for their users. This is also the case for GitHub, the largest open-source development platform. We surveyed 110 open-source developers who use GitHub to explore how they perceive the importance of authentication on GitHub. Our participants perceived secure authentication as being as important as other security mechanisms (e.g., commit signing) for improving open-source security. 2FA use by the project owner was perceived as one of the most important mechanisms. Around half of the participants (51%) were aware of the planned 2FA enforcement on GitHub, and their perception of this enforcement was rather positive. They agreed with enforcing 2FA for new devices and new locations, but were slightly hesitant about having to use it again after some time. They also tended to agree that various user groups on GitHub should be required to use 2FA. Our participants also perceived GitHub's authentication methods positively with respect to both usability and security. Most of our participants (68%) reported that they had enabled 2FA on their GitHub accounts.


Published In

ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
July 2024, 2032 pages
ISBN: 9798400717185
DOI: 10.1145/3664476
This work is licensed under a Creative Commons Attribution-NoDerivatives International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. GitHub
2. enforcement
3. open-source security
4. two-factor authentication
5. usable security

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

ARES 2024

Acceptance Rates

Overall Acceptance Rate: 228 of 451 submissions, 51%
