A Blog

Two Factor Authentication for GitHub

April 01, 2015

In the interest of security I’ve started to turn on Two Factor Authentication (aka 2FA) for some of the services I use. I tried it out with GitHub about a year ago, but turned it off shortly thereafter because I encountered a bunch of problems and didn’t have the time to figure them all out. That and Google’s Authenticator app having data loss issues after an update was a big red flag too.

Today it’s a little easier to manage. 1Password has 2FA support built in now, and there’s also Duo Mobile’s app. Turning it on was pretty easy: Go to the security page, click a few buttons, and follow instructions. Once it was enabled I decided to push some changes for a project, and then this happened:

> git push origin master
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/swilliams/my-repo.git/'

Umm, ok. I mean, I guess the most secure repository is one that nobody can access.

The solution isn’t immediately obvious. I looked at GitHub’s setup docs again, but they didn’t mention anything about 2FA. When in doubt, try it again, right? This time I got a username/password prompt. I had assumed I would get some sort of additional prompt to enter a single-use code for the 2FA, so I pasted in my GitHub password.

> git push origin master
Username for 'https://github.com': swilliams
Password for 'https://swilliams@github.com':
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/swilliams/my-repo.git/'

No dice.

Googling around a bit finally brought me to this page, “Creating an access token for command-line use”. When you enable 2FA you need to use a token as your password for the Terminal. I created this with the default scopes provided [1], then copy/pasted the resulting token into the password prompt in my Terminal window.

± git push origin master
Username for 'https://github.com': swilliams
Password for 'https://swilliams@github.com':
Counting objects: 80, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (78/78), done.
Writing objects: 100% (80/80), 9.02 KiB | 0 bytes/s, done.
Total 80 (delta 58), reused 0 (delta 0)
To https://github.com/swilliams/my-repo.git
   01efb2c..445a0b6  master -> master

Yay!

I think that should handle all the headaches for 2FA with GitHub. I like the warm security feeling it brings, and it seems like the user experience has been cleared up too.

  1. For standard git operations, I don't think you would need any of the other scopes available for apps, and you could probably remove gist from it too.
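
To check the footnote's point about scopes in practice, the following added example (not part of the original post) parses the X-OAuth-Scopes header that GitHub's API returns for a token and lists the scopes beyond what git over HTTPS needs. The sample headers are constructed, and the NEEDED_SCOPES list, the function names and the GITHUB_TOKEN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: list token scopes beyond what plain git push/pull needs.
# Real headers would come from a request such as (hypothetical $GITHUB_TOKEN):
#   curl -sI -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user
# GitHub reports a token's granted scopes in the X-OAuth-Scopes response header.

# Assumption: "repo" (or "public_repo" for public repositories only) is all
# that git over HTTPS requires.
NEEDED_SCOPES="repo public_repo"

# Read HTTP response headers on stdin; print one granted scope per line.
# Header names are matched case-insensitively (HTTP/2 sends them lowercase).
token_scopes() {
  tr -d '\r' |
    awk -F': *' 'tolower($1) == "x-oauth-scopes" { print $2 }' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print the granted scopes that are not in NEEDED_SCOPES.
extra_scopes() {
  token_scopes | while IFS= read -r scope; do
    case " $NEEDED_SCOPES " in
      *" $scope "*) ;;              # needed for git, keep
      *) printf '%s\n' "$scope" ;;  # candidate to remove from the token
    esac
  done
}

# Constructed sample response headers (not captured from a real account).
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Content-Type: application/json\r\n'
  printf 'X-OAuth-Scopes: repo, gist, user\r\n'
  printf 'X-Accepted-OAuth-Scopes: \r\n'
}

# Prints each scope that could be dropped from the token, one per line.
sample_headers | extra_scopes
```

Any scope the script prints can be unticked on the token's settings page; an empty result means the token carries nothing beyond the assumed minimum.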



Written by Scott Williams who lives and works in sunny Phoenix, AZ. Twitter is also a place.