Advent Day 4: 2FA and Git Credential Manager
This is day 4 of my Git Tips and Tricks Advent Calendar. If you want to see the whole list of tips as they're published, see the index.
You're using two-factor authentication (2FA), right? Right!? This simple change can increase your security - and the security of your source code - with very little effort. When you enable it, instead of logging in with just your username and password, you'll also need to enter a 6-digit code from an app on your phone.
This means that if somebody gets your password - whether that's through a website breach, a phishing attack, or a much less sophisticated look over your shoulder as you type - 2FA still protects you: they also need your phone to produce that 6-digit code, which changes every 30 seconds. One caveat worth knowing: a phishing site that relays your code to the real site in real time can still use it within that window, so 2FA raises the bar for an attacker rather than removing the risk entirely.
2FA is so important that it's actually a requirement at most employers - at Microsoft, not only do I have to enable 2FA on my Microsoft account, but I even have to enable 2FA on third-party accounts like GitHub (before we bought them).
The problem, though, is that while 2FA works great on a website, command-line tools like Git have no way to prompt for that second factor: Git authenticates over HTTPS with a plain username and password. The workaround is to create a "personal access token" (PAT), a long, random string that you can use in place of your password and that does not go through the 2FA prompt. That makes a PAT every bit as sensitive as your password (scope it to the minimum permissions you need and treat it as a secret), and being long and random, it's hard to remember.
Thankfully, there's a tool called the Git Credential Manager (GCM). It plugs in as a git credential helper and takes care of creating the personal access token for you. When you run git clone on the command line, git launches the Git Credential Manager, which opens a dialog for you to sign in and provide your 2FA code, and then creates that personal access token on your behalf. The token is stored in your operating system's secure vault (like the Windows Credential Manager), so the next time you run git to fetch or push, GCM hands git the PAT without prompting you again.
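The "plugs in as a git credential helper" part is a small, well-defined interface, and seeing it makes clear what GCM is doing behind the dialog. The helper below is an added example (not GCM's code and not part of the original post): git runs the configured helper with an action of get, store or erase and feeds it key=value lines on stdin, and the helper answers with username= and password= lines. Here the "vault" is an in-memory dict for the sake of a runnable example, plus an optional JSON file at a hypothetical path when the script is wired into git; GCM uses the OS credential store instead, which is the right place for a PAT.

```python
"""Minimal git credential helper speaking git's credential protocol.

Hypothetical wiring (path is an assumption for this example):
    git config --global credential.helper '!python3 /path/to/pat_helper.py'
git then runs:  pat_helper.py get|store|erase  with key=value lines on stdin,
ending the request with a blank line, and reads key=value lines back.
"""
import json
import os
import sys
from typing import Dict

Vault = Dict[str, Dict[str, str]]
VAULT_FILE = os.path.expanduser("~/.pat_helper.json")   # assumed path


def parse_request(text: str) -> Dict[str, str]:
    """Parse git's 'key=value' request; a blank line ends the request."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def vault_key(attrs: Dict[str, str]) -> str:
    # Scope the stored secret to protocol + host so a token created for
    # github.com is never handed to some other host that happens to ask.
    return f"{attrs.get('protocol', '')}://{attrs.get('host', '')}"


def handle(action: str, request: str, vault: Vault) -> str:
    """Run one helper action against `vault`; returns git's stdout text."""
    attrs = parse_request(request)
    key = vault_key(attrs)
    if action == "get":
        cred = vault.get(key)
        if cred is None:
            return ""        # nothing known: git prompts the user instead
        if "username" in attrs and attrs["username"] != cred["username"]:
            return ""        # git asked for a different user than we hold
        return f"username={cred['username']}\npassword={cred['password']}\n"
    if action == "store":
        # git calls store after a successful authentication
        if "username" in attrs and "password" in attrs:
            vault[key] = {"username": attrs["username"],
                          "password": attrs["password"]}
        return ""
    if action == "erase":
        # git calls erase after the server rejects the credential
        vault.pop(key, None)
        return ""
    return ""            # unknown action: say nothing, git carries on


def load_vault() -> Vault:
    try:
        with open(VAULT_FILE) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_vault(vault: Vault) -> None:
    # Plaintext on disk, owner-readable only: fine for a demo, but this is
    # exactly why GCM uses the OS credential store instead.
    fd = os.open(VAULT_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(vault, f)


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # invoked by git
        vault = load_vault()
        sys.stdout.write(handle(sys.argv[1], sys.stdin.read(), vault))
        save_vault(vault)
    else:                                       # stand-alone demo run
        demo: Vault = {}
        req = "protocol=https\nhost=github.com\n\n"
        print(repr(handle("get", req, demo)))   # '' -> git would prompt
        handle("store", req + "username=alice\npassword=token-from-2fa-login\n\n", demo)
        print(repr(handle("get", req, demo)))   # credential returned
        handle("erase", req, demo)
        print(repr(handle("get", req, demo)))   # '' again after erase
```

The interesting property is the erase step: when a PAT is revoked or expires, the server rejects it, git tells the helper to erase it, and the next get returns nothing, so the user is prompted to sign in (with 2FA) again rather than git retrying a dead token forever.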
Git Credential Manager supports GitHub, Bitbucket and Azure Repos, and there are builds for Windows, Mac and Linux. Even better, it comes included with Git for Windows, so it's simple to get started.
It's easy to get started with 2FA thanks to Git Credential Manager, so I'd encourage you to enable it on your Git repository hosting provider - and, really, on all your other websites while you're at it.