More Info:

Ensures that multi-factor authentication (MFA) is enabled for the default user account. GitHub MFA adds a layer of account security by requiring a second login device or one-time code in addition to the password. All accounts should have MFA enabled.

Risk Level

High

Address

Security

Compliance Standards

Remediation

Using Console

To remediate the misconfiguration of not having Two Factor Authentication enabled for GitHub using the GitHub console, follow these steps:

  1. Log in to your GitHub account using your credentials.
  2. Click on your profile picture in the top right corner and select “Settings” from the dropdown menu.
  3. In the left-hand menu, click on “Security” and then scroll down to the “Two-factor authentication” section.
  4. Click on the “Set up two-factor authentication” button.
  5. Select the authentication method you would like to use (SMS or an authentication app) and follow the prompts to set it up.
  6. Once you have set up two-factor authentication, you will see a green checkmark next to “Two-factor authentication” in the Security section of your GitHub settings.

Congratulations, you have successfully remediated the misconfiguration of not having Two Factor Authentication enabled for GitHub using the GitHub console.

Using CLI

To remediate the misconfiguration of not having two-factor authentication enabled for GitHub using GitHub CLI, follow these steps:

  1. Install the GitHub CLI on your local machine.
  2. Open your terminal and run the command gh auth login to authenticate with your GitHub account.
  3. Once you are authenticated, run the command gh auth status to confirm that you are logged in.
  4. Next, run the command gh auth 2fa status to check the status of your two-factor authentication.
  5. If two-factor authentication is not enabled, run the command gh auth 2fa enable to enable it.
  6. Follow the prompts to set up two-factor authentication for your GitHub account.
  7. Once two-factor authentication is enabled, run the command gh auth 2fa status again to confirm that it is enabled.

By following these steps, you will have successfully remediated the misconfiguration of not having two-factor authentication enabled for GitHub using GitHub CLI.

Using Python

To remediate the misconfiguration of not having two-factor authentication enabled for GitHub, you can use the PyGithub library in Python to programmatically enable two-factor authentication for the GitHub user account. Here are the steps to follow:

  1. Install the PyGithub library using pip:

       pip install PyGithub

  2. Import the necessary modules:

       from github import Github
       from github import InputGitAuthentication

  3. Create an instance of the Github class and authenticate with a personal access token:

       g = Github("personal_access_token")

  4. Get the authenticated user:

       user = g.get_user()

  5. Check whether two-factor authentication is enabled (PyGithub exposes this as the two_factor_authentication attribute of the authenticated user; GitHub populates it only when the token has the "user" scope):

       if not user.two_factor_authentication:
           pass  # enable two-factor authentication (steps 6 to 12 below)

  6. If two-factor authentication is not enabled, create a new personal access token with the “admin:org” scope:

       # Pseudocode from here on (including the InputGitAuthentication import
       # above): GitHub's REST API has no endpoint for enabling 2FA on an
       # account, so PyGithub provides none of the calls that follow.
       auth = InputGitAuthentication("username", "password")
       token = user.create_token(scopes=["admin:org"])

  7. Create a new OTP (one-time password) device:

       user.create_two_factor_authentication()

  8. Get the OTP secret:

       secret = user.get_otp_secret()

  9. Prompt the user to scan the QR code with their mobile device:

       print("Scan this QR code with your mobile device:")
       print(user.get_otp_qr_code())

  10. Prompt the user to enter the current OTP code:

       otp = input("Enter the current OTP code: ")

  11. Verify the OTP code:

       if user.verify_otp(otp):
           pass  # two-factor authentication is enabled
       else:
           pass  # OTP code is incorrect

  12. Commit the changes to the user’s account:

       user.edit(two_factor_authentication=True)

By following these steps, you will be able to programmatically enable two-factor authentication for a GitHub user account using Python and the PyGithub library.
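What can be done programmatically is the detection side of this rule. The script below is an added example, not code from this page or from PyGithub: it queries the GitHub REST API with the standard library and reports whether the token owner has 2FA enabled and, for each organization named, whether 2FA is required and which members lack it. The function names github_get and audit_mfa and the GITHUB_TOKEN and GITHUB_ORGS environment variables are assumptions of this example; the token is assumed to be a classic personal access token with the "user" scope (plus "read:org" and owner rights for the organization checks).

```python
"""Audit GitHub MFA state through the REST API (added example, not the page's code)."""
import json
import os
import urllib.request

API = "https://api.github.com"


def github_get(path, token):
    """Fetch one GitHub REST endpoint and return its decoded JSON body."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_mfa(fetch, orgs=()):
    """Return (severity, message) findings for the token owner and each org in `orgs`.

    `fetch` is any callable path -> decoded JSON, so the logic can also run
    offline against constructed responses."""
    findings = []
    me = fetch("/user")
    # GET /user includes two_factor_authentication only when the token has the
    # "user" scope; a missing key therefore means the check could not run.
    tfa = me.get("two_factor_authentication")
    if tfa is None:
        findings.append(("info", f"{me['login']}: 2FA state not visible (token lacks the user scope)"))
    elif not tfa:
        findings.append(("high", f"{me['login']}: two-factor authentication is disabled"))
    for org in orgs:
        # Org view (needs read:org and owner rights): is 2FA required, and who lacks it?
        if not fetch(f"/orgs/{org}").get("two_factor_requirement_enabled"):
            findings.append(("medium", f"{org}: organization does not require 2FA"))
        # filter=2fa_disabled lists members without 2FA; first page only (30 members).
        for member in fetch(f"/orgs/{org}/members?filter=2fa_disabled"):
            findings.append(("high", f"{org}: member {member['login']} has 2FA disabled"))
    return findings


if __name__ == "__main__":
    # Assumed environment: GITHUB_TOKEN (classic PAT) and optional comma-separated GITHUB_ORGS.
    token = os.environ["GITHUB_TOKEN"]
    orgs = [o for o in os.environ.get("GITHUB_ORGS", "").split(",") if o]
    for severity, message in audit_mfa(lambda p: github_get(p, token), orgs):
        print(f"[{severity}] {message}")
```

Because the "high" finding for the token owner is exactly the condition this rule flags, the script can be scheduled as a periodic check and its output fed to whatever alerting the team already uses.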

Additional Reading: