What Johnny thinks about using two-factor authentication on GitHub: A survey among open-source developers

Warning

This publication doesn't include Institute of Computer Science. It includes Faculty of Informatics. Official publication website can be found on muni.cz.
Authors

KRUŽÍKOVÁ Agáta SUCHÁNEK Jakub BROŽ Milan UKROP Martin MATYÁŠ Václav

Year of publication 2024
Type Article in Proceedings
Conference Proceedings of the 21st International Workshop on Trust, Privacy and Security in the Digital Society
MU Faculty or unit

Faculty of Informatics

Citation
Doi http://dx.doi.org/10.1145/3664476.3670885
Keywords enforcement; GitHub; open-source security; two-factor authentication; usable security
Description Several security issues in open-source projects demonstrate that developer accounts get misused or stolen if weak authentication is used. Many services have started to enforce second-factor authentication (2FA) for their users. This is also the case for GitHub, the largest open-source development platform. We surveyed 110 open-source developers using GitHub to explore how they perceive the importance of authentication on GitHub. Our participants perceived secure authentication as important as other security mechanisms (e.g., commit signing) to improve open-source security. 2FA usage of the project owner was perceived as one of the most important mechanisms. Around half of the participants (51%) were aware of the planned 2FA enforcement on GitHub. Their perception of this enforcement was rather positive. They agreed to enforce 2FA for new devices and new locations, but they were slightly hesitant to use it after some time. They also rather agreed to enforce various user groups on GitHub to use 2FA. Our participants also perceived GitHub authentication methods positively with respect to their usability and security. Most of our participants (68%) reported that they had enabled 2FA on their GitHub accounts.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.

More info