View Other Checks

Contents

View Other Checks

How to Find and Secure Plain-Text GitHub 2FA Backup Codes

Github Two-Factor backup codes are as good as real passwords. It's important that they are secured.

What Are GitHub Two-Factor Backup Codes?

When setting up two-factor authentication, a user is typically asked to save a series of codes which can be used to access the system in the event they lose access to their authenticator app (like when they get a new phone).

Unfortunately, people often tend to simply save these codes to their Downloads folder and forget about them. This is not just bad for compliance, but creates opportunities for a motivated attacker to circumvent many of the benefits of a two-factor authentication system. Combine this bad habit with another issue, like a lost device without full disk encryption, or someone syncing their Downloads folder to a service like Dropbox, you now have the potential for a serious incident.

How Does an Unsecure 2FA Code End Up on Disk?

Two-factor recovery codes can be generated by going to the GitHub Settings / Auth / Recovery Codes page.

From there, you are offered a number of choices, including the option to download the codes to a plain-text file as shown in the screenshot below:

The GitHub Two-factor Recovery Codes Page

An un-encrypted 2FA Backup Code file in the user’s Downloads folder.

How Do I Find GitHub 2FA Codes on My Devices?

It can be tricky to locate these files accurately, especially since they can potentially be located anywhere on the device.

On macOS, one reliable method is to use Spotlight Search to look up files by the URL where the user obtained them. For example, we know that users can download backup codes from the following URLs:

  • https://github.com/settings/recovery/download
  • https://github.com/settings/two_factor_authentication/recovery_codes
  • https://github.com/settings/auth/recovery-codes
  • https://github.com/settings/auth/recovery-codes/download

Using this information, we can construct a macOS Spotlight search in the terminal using the utility mdfind.

mdfind \
"kMDItemWhereFroms = 'https://github.com/settings/recovery/download' ||
kMDItemWhereFroms = 'https://github.com/settings/two_factor_authentication/recovery_codes' ||
kMDItemWhereFroms = 'https://github.com/settings/auth/recovery-codes' ||
kMDItemWhereFroms = 'https://github.com/settings/auth/recovery-codes/download'"

If any files are present on the system, they will output to stdout. On Windows and Linux, finding files this way is not possible. Another approach can be to tap into the download history maintained by the various web browsers which often contains the origin URL of the download.

How Does Kolide’s Detection Work?

Kolide extends osquery with its endpoint agent to help locate these files across Mac, Windows, and Linux devices using on-device detection, that doesn’t require reading the contents of files or sending private information like your user’s browser history to Kolide.

For example, on macOS, Kolide is able to use osquery, to leverage Spotlight, to find files based on the text inside the file.

On Windows and Linux Kolide can use osquery’s file table in conjunction with automatically constructed tables based on the various web browsers’ download histories.

When used together, this approach allows for near perfect accuracy even if the file was moved or renamed, while preserving privacy (all detection is done on the client).

How Does Kolide Remediate This Problem?

This problem cannot be remediated through traditional automation with tools like an MDM. You need to be able to reach out to users who have devices that fail this check, and then give them precise instructions on how to resolve the problem.

Kolide's Slack app does exactly that. After enrolling devices, Kolide will automatically determine the primary user, introduce itself, and then reach out via Slack when a user's device fails this check. From there, it provides step-by-step instructions on how to fix it and gives them tools to verify they did it correctly.

Kolide
Home
Messages
About
9:41
Quin's Macbook • MacBook Pro (16-inch, 2021)
Failing Check: Ensure No Github 2FA Codes Stored in Plain-Text
Reason: Plain-text Github 2FA Recovery Codes Detected

Why is this a Problem?

These 2FA Backup codes could be used by an attacker to subvert 2 Factor authentication for your GitHub account resulting in potential data exfiltration of proprietary data available in your corporate code repositories.

Required Action:

To secure these codes we recommend one of the following:

  • Print the codes and store the document in a secure place.
  • Store the recovery codes in a password manager like 1Password
  • Store the recovery codes in an encrypted document.

To resolve this issue complete the following steps:

  1. Locate the files below
  2. Secure the codes using one of the suggested methods above
  3. After confirming you have secured the codes, delete the remaining plain-text recovery codes file.

/Users/user/Downloads/github-recovery-codes.txt

I've fixed it. Check again
Contact Admin for help
Kolide
Home
Messages
About
9:41
Quin's PC • Surface Pro 6
Failing Check: Ensure No Github 2FA Codes Stored in Plain-Text
Reason: Plain-text Github 2FA Recovery Codes Detected

Why is this a Problem?

These 2FA Backup codes could be used by an attacker to subvert 2 Factor authentication for your GitHub account resulting in potential data exfiltration of proprietary data available in your corporate code repositories.

Required Action:

To secure these codes we recommend one of the following:

  • Print the codes and store the document in a secure place.
  • Store the recovery codes in a password manager like 1Password
  • Store the recovery codes in an encrypted document.

To resolve this issue complete the following steps:

  1. Locate the files below
  2. Secure the codes using one of the suggested methods above
  3. After confirming you have secured the codes, delete the remaining plain-text recovery codes file.

C:\Users\user\Downloads\github-recovery-codes.txt

I've fixed it. Check again
Contact Admin for help
Kolide
Home
Messages
About
9:41
Quin's Ubuntu PC • ubuntu-razer
Failing Check: Ensure No Github 2FA Codes Stored in Plain-Text
Reason: Plain-text Github 2FA Recovery Codes Detected

Why is this a Problem?

These 2FA Backup codes could be used by an attacker to subvert 2 Factor authentication for your GitHub account resulting in potential data exfiltration of proprietary data available in your corporate code repositories.

Required Action:

To secure these codes we recommend one of the following:

  • Print the codes and store the document in a secure place.
  • Store the recovery codes in a password manager like 1Password
  • Store the recovery codes in an encrypted document.

To resolve this issue complete the following steps:

  1. Locate the files below
  2. Secure the codes using one of the suggested methods above
  3. After confirming you have secured the codes, delete the remaining plain-text recovery codes file.

/home/user/Downloads/github-recovery-codes.txt

I've fixed it. Check again
Contact Admin for help
Kolide can send end-users personalized Slack messages to fix this problem
Want to start delivering this notification automatically to your end-users?
Sign Up With Slack

Share this story:

Related Device Checks:

Find Unencrypted SSH Keys and Encrypt Them

ssh, developers, unencrypted-credentials, no-mdm-resolution

Block GitHub Copilot

github, shadow-it, no-mdm-resolution

Find and Securely Store 1Password Emergency Kits

1password, unencrypted-credentials, no-mdm-resolution
View More of Kolide's Checks
Try Kolide Free
Try Kolide Free