Today, we are announcing that you can use GitHub Mobile on iOS and Android as an easy-to-use two factor authentication mechanism. This option sits alongside our existing channels: security keys and WebAuthn, one-time passcodes, and SMS. GitHub Mobile provides a strong alternative to existing one-time passcode options offered by third-party applications and via SMS, with an experience that is fully baked into the GitHub services you already use.
GitHub Mobile 2FA will be available to all GitHub users in the App Store and Play Store this week.
Get Started
If you have 2FA configured on your GitHub account and the mobile app installed, update to the latest version of GitHub Mobile in the App Store or Play Store to start using Mobile 2FA immediately.
If you’re not already using the mobile app, you can install it now and sign in to your account. And if you haven’t set up 2FA, set it up via your account security settings. You’ll need to set up 2FA with SMS or another time-based one-time password (TOTP) app first to start using Mobile 2FA.
Once set up, you’ll receive a push notification to your mobile device when you sign in to your GitHub.com account on any browser. You can approve or reject the sign in- attempt. If you approve it, you’ll be logged into GitHub.com immediately.
GitHub continues to invest in account security to help secure the broader supply chain. We are hard at work on making additional investments in this space for both npm and GitHub, including additional capabilities for GitHub Mobile as an authentication mechanism and increasing adoption for 2FA, so stay tuned!
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.