GitHub has added two-factor authentication as a new feature, allowing users to secure their accounts with an additional security token from an SMS or mobile app.
The feature will work with HTTPS Git, GitHub for Mac, GitHub for Windows, and GitHub's API.
If the mobile app approach is taken, the additional factor of authentication has been implemented using the same Time-based One-time Password protocol currently employed by companies such as Google, Dropbox, Linode, Amazon Web Services, and Evernote. By aligning itself with this protocol, users are able to add their token alongside their other accounts in a single app rather than install individual apps for each service.
Users that opt not to use a mobile app can still receive tokens via text message.
When using GitHub's API, the additional factor is sent as an "X-GitHub-OTP" header as part of requests. Given that tokens expire quickly, it is typically more convenient for developers to authenticate with OAuth first (also using two-factor authentication).
Similar to Google's two-factor implementation, GitHub also allows users to nominate a fallback mobile phone number if the user loses access to their main phone as well as their account recovery codes.
"We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites that support it," GitHub wrote on its support pages.