GitHub’s newest partnership could do wonders for web security

October 1, 2015, 8:24 PM UTC
Courtesy of Yubico

Security works best in layers: Something you know (a password), something you have (a token), something you are (a fingerprint). Yet too many web services rely solely upon that first, often impossible-to-remember layer alone. The upshot? Compromised accounts—day in, day out.

That could soon change. Chris Wansrath, CEO and co-founder of the coding community startup GitHub (as well as No. 31 on Fortune’s latest class of “40 Under 40” superstars), announced a new partnership that could encourage the broader adoption of multi-factor authentication (that is, multiple security layers) across the web at his company’s Universe conference on Thursday. The $2 billion code hosting site—No. 50 on Fortune’s “unicorn,” or billion dollar startup, list—is teaming up with Yubico, a company founded in 2007 that makes secure identity tokens (pictured above).

“We’re making the feature available to all users,” Shawn Davenport, GitHub’s vice president of security, told Fortune in a phone interview prior to the announcement. “We want to be a catalyst to drive the widespread adoption of the standard across the development community.”

The deal: GitHub has enabled support for Yubico’s “universal two-factor authentication” protocol, developed jointly by Yubico and Google (GOOG), which allows people to sign into their online accounts using a second form of verification. The standard is open source and is known as U2F. When logging in, users can now choose to add a physical “YubiKey” token as another measure of security to unlock one’s account, just as a key unlocks a door.

The electronic key works with a tap of the finger; upon a press, the device generates a login code unique to the user and the application being accessed.

The open source code, which Yubico’s USB stick-like security tokens are based on, allows companies to implement the tokens on their own sites, too. In that way, the development community on GitHub could act as early adopters, seeding and spreading it throughout other applications on the Internet. GitHub has been using the devices internally for a couple of years, as has Facebook (FB).

“Once we saw the adoption of U2F within Google and now Dropbox,” Davenport continued, “we realized the standard was definitely gaining momentum.”

“I think the key challenge there is getting compatible devices in the hands of developers so they have something to work with,” Davenport added, mentioning the company’s hope that more web browsers and applications will, once familiar the standard, begin to take it up. (As the Yubico website explains, at the moment only Google Chrome version 38 and above supports the U2F protocol.)

Toward that end, Stina Ehrensvard, Yubico’s CEO and founder, took the stage at the GitHub event to announce a give-away. “Here today we have a present for you,” she said. Anyone who attended the event, she continued, has the option to receive a free YubiKey (about 1,000 people). Further, the first 5,000 GitHub users to request one will receive a YubiKey for $5, according to the company’s blog. And other users can expect a 20% discount on the product, which can cost anywhere from $18 to $60.

On a call with Fortune, Ehrensvard made her ambitions known. She hopes to spread the YubiKey not just to all web services but to all governments across the world. She said the tech could help prevent such disastrous data pillaging like what has taken place at the federal Office of Personnel Management and Internal Revenue Service, among others.

After Ehrensvard left the stage, Wansrath urged others to adopt the standard. “I implore all of you to support it too,” he said.

GitHub already supported two-factor authentication through text messages and apps such as Google Authenticator, which constantly generates a random numbers for verification. Nevertheless, Davenport said he believes that U2F is the way to go to enhance web security. According to Ehrensvard, it’s four times faster and reduces fraud significantly compared to Google Authenticator.

GitHub has picked its partner. It probably helps that Yubico is a member of the company’s open source community, which means the deal works in both ways. As people adopt Yubico, they’ll import, add to, and refine the collaborative code on GitHub.

For more on security, watch this video below.

Subscribe to Data Sheet, Fortune’s daily business-tech newsletter.

Subscribe to Well Adjusted, our newsletter full of simple strategies to work smarter and live better, from the Fortune Well team. Sign up today.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward