If you watch or read the news, it seems we hear about data breaches happening to large companies on a regular basis. While the company that was directly affected will typically work closely with you to secure your account on their platform, unfortunately that may not be where the story ends.
If you’ve used the internet for any period of time, chances are you’ve amassed a number of accounts across different websites and platforms that require a username and password combo. It can be easy to fall into a habit of using the same username and password on different sites, because keeping track of 72 different combinations would be maddening.
However, that’s exactly what the folks who are behind these data breaches are hoping for. They will take a list of account credentials and use their dark magic to see if they can get some matches on other platforms, including GitHub.
Why Device Verification?
In the past, if your GitHub account did not have two-factor authentication (2FA) enabled, anyone with the correct username and password combo could log in and access your account. If you are a member of any organizations, they could access those as well.
But alas, this story is not about 2FA - though we strongly encourage enabling it. I’m here to discuss Device Verification.
How does Device Verification work?
Device Verification is an added level of security that GitHub has added to all accounts that do not have 2FA enabled. Here’s how it works:
A person enters the correct username (or email address) and password combination.
If the login is coming from an unrecognized device*, GitHub sends an email with an authentication code to the designated email address(es) associated with the account.
If the authentication code is a match, the login will be successful, and we will remember the device and IP address for a period of time so that you won’t need to repeat those steps the next time you log in.
These simple verification steps can prevent unauthorized access to your GitHub account with a minimum inconvenience to you.
When will I be asked to verify my device?
Notice there’s an * next to “unrecognized device” in item #2 above. These fall into a couple of categories:
This could be you, logging in from a different IP address on a different computer, different browser, an iPad, etc. (We do look at IP history and give you a pass if it’s one you’ve used in recent history.)
If you clear your cookies often and are logging in from a different IP address, you’ve wiped our memory of your device and will be asked once again to verify. If this is part of your regular routine, we would highly recommend enabling 2FA to bypass Device Verification.
This could also be someone across the globe who has happened on your username and password combo on a different site and gives it a whirl on GitHub.com. Luckily, we’ve sent a device verification code to your email address and, provided they don’t also have access to your email account, they will not be able to log into your GitHub account.
We’ve heard from some folks who are suddenly receiving tens or even hundreds of device verification messages that they did not initiate. This happens when the feature is doing its job to protect your account. If you find yourself suddenly receiving any device verification messages that you did not initiate, we strongly encourage you to first change your password, and then also enable 2FA on your account.
What can I do to ensure I don’t get locked out of my account?
The biggest pain point that we’ve run into with Device Verification is how often folks have found themselves locked out of their accounts because the email address on file for the account is no longer valid. Perhaps it’s a deprecated university email address, an email address from an old job, or that moldy AOL address you finally got rid of.
If you’re reading this and currently have access to your GitHub account, I implore you to go check to ensure your email address is current. Maybe add a valid backup while you’re there, too.
If you’re reading this because you’ve found yourself locked out of your GitHub account due to device verification, no need to panic, we will be happy to help. Simply drop us a line and we’ll take a closer look to see if we might be able to temporarily, manually verify your device.
If you’re reading this and have decided that you absolutely hate the idea of Device Verification, we’ll be happy to help you set up two-factor authentication (and also add some fallbacks!) on your account so that you may bypass this experience altogether.
Conclusion
Device Verification is a simple step we’ve added to help ensure your GitHub account remains safe. However, it does not take the place of a strong, unique password. If you want to take it one step further, enable 2FA on your account.
Additional Resources
- Creating a strong password: A strong, unique password is your first defense in account security.
- Enabling 2FA: Two factor authentication takes account security to the next level.
- Have I Been Pwned: A useful resource for checking whether one or more of your email addresses has been involved in a credentials breach