Back to Playbook
tech

GitHub Recovery Guide

Hardening your developer identity, securing your source code, and managing the risks of SSH keys and automated PATs.

GitHub: The Source of Your Digital Credibility

GitHub is more than a code repository; it is a developer's professional portfolio and the "Source of Truth" for many software projects. A compromise of a GitHub account can lead to the insertion of malicious code (backdoors) into production environments, the theft of proprietary algorithms, and the total destruction of a developer's reputation. GitHub's recent mandate for 2FA for all contributors reflects the high stakes of "Supply Chain" security.

1. Hardening Your Account

Mandatory Hardware MFA

GitHub supports SMS and TOTP, but for developers, Security Keys (FIDO2) are the only logical choice. Action: Go to Settings > Password and authentication. Add your YubiKeys. GitHub allows you to register multiple keys; ensure you have a backup key in a safe.

Securing the "Command Line" (SSH vs. HTTPS)

Most developers interact with GitHub via the command line. Your local SSH keys or Personal Access Tokens (PATs) are just as valuable as your password. The Policy:

  • SSH Keys: Always protect your local SSH keys with a strong passphrase. Use an SSH agent so you don't have to type it every time, but never leave the key "unlocked" on disk.
  • PATs: Never use "Classic" PATs with broad scopes. Use Fine-Grained Personal Access Tokens that are limited to specific repositories and specific actions (e.g., read-only access to one repo).

Branch Protection Rules

If you manage a repository, use Branch Protection Rules. Require "Pull Request reviews" before code can be merged into the main branch. This ensures that even if one developer's account is compromised, the attacker cannot push malicious code directly into production without being noticed by another reviewer.

2. Failsafe Recovery Preparation

The Recovery Codes (The Developer's Lifeline)

When you enable 2FA on GitHub, you are given a set of recovery codes. The Strategy: These codes are the ONLY way to regain access if you lose your phone and your security key. GitHub's support team is extremely strict about 2FA recovery to prevent social engineering. Print these codes and store them in a physical safe.

Verified Emails

Ensure you have multiple verified email addresses on your account. This provides alternative channels for GitHub to reach you during a recovery process.

3. Supply Chain Security: Vigilance

  • Commit Signing: Use GPG or SSH keys to sign your commits. This provides a cryptographic guarantee that the code actually came from you and hasn't been altered.
  • Audit Logs: Periodically review your Security Log. Look for unrecognized IP addresses, new SSH keys, or new PATs that you didn't create.
  • Secret Scanning: GitHub's built-in secret scanning will alert you if you accidentally commit an AWS key or a Stripe token. Treat these alerts as "Critical" and rotate the leaked secrets immediately.

For more information on the underlying principles, see our articles on MFA Fundamentals and Password Security.

Why This Matters

The Importance of MFA

Multi-Factor Authentication (MFA) is your strongest defense against account takeover. Even if a physical or digital attacker obtains your password, MFA provides a critical second layer of defense that is much harder to bypass. Learn more about MFA best practices.

Unique, Strong Passwords

Never reuse passwords across different services. If one service is breached, every other account using that same password becomes vulnerable to "credential stuffing" attacks. Every online service should have its own unique, long, and complex password managed by a reputable password manager. Learn why unique passwords are critical.

Need Help?

These guides are community-sourced. If you find an error or a platform has updated its interface, please let us know.