Documentation

OTP Guard is a step-up authentication system for pull requests that adds a second factor - a "step-up" - to ensure that PRs are approved only by authorized users. OTP Guard interoperates seamlessly within the Github branch protection system, ensuring that unauthorized PRs cannot be merged.

OTP Guard is step-up authentication, meaning it requires a second factor at critical points in an organization's workflow - such as before merging a PR. Possessing Github session cookies alone does not imply that an authorized user is driving the action. For example, info-stealer malware can steal cookies, which would bypass any Github authentication check beyond the initial login.

Github does have a 2FA requirement, but it does not protect pull requests. Pull requests are the gateway to your company's codebase, and effective security requires a belt-and-suspenders approach. Moreover, Github organization admins currently cannot require a physical, phishing-resistant second factor such as a Yubikey to be associated with Github team members.

Git commit signing can be an important tool but OTP Guard covers different cases. Git commit signing is not always easy to set up, whereas getting started with OTP Guard takes only a few clicks. This makes OTP Guard suitable even for non-technical users such as content editors. OTP Guard also works well to ensure an authorized person-in-the-middle for automated PRs such as Dependabot, or open source projects where commit signatures would be impractical to enforce for all contributors.

The signing keys for these web signatures are held by Github and depend only on the presence of a logged-in user. As such, they are no more secure than Github's existing log-in security mechanisms. Github log-in security is good, but it does not cover the same areas that OTP Guard does.

Not with OTP Guard. A second factor, especially a physical one such as a Yubikey, can be used to authorize PRs and stop attackers in their tracks. They would not be able to approve and merge nefarious code without also accessing an OTP Guard authenticator. Malware can't push a button.

The first authenticator is "free" but enrolling secondary authenticators requires a step-up with an existing authenticator to unlock the enrollment. If a team member loses access to their existing authenticators, then an orgnization admin will need to remove the existing authenticators from their account in order to re-enroll.

Admin-approved authenticators may also help with this. Contact us if this is a feature that you need.

Good news - you should not trust OTP Guard with your code. We don't need it, and can't see it. The Github API has a granular permissions model, and OTP Guard only requires minimal permissions.

• Read access to repository metadata. This permission is required by Github.

• Read access to pull requests. This includes the PR title, description, author, status, commit list and commit messages. However, this does not include the contents of the commits, or the contents of PR review messages. Your code stays with you.

• Read access to organization members. This is so OTP Guard can determine which users should have what permissions, since permissions are inherited from the Github organization.

• Read and write access to checks. This is how OTP Guard requires PRs to be authorized before merging.

Validating a pull request in OTP Guard only takes seconds, and can easily be done alongside the existing PR process. The payoff is peace of mind: your developers are the ones pushing those buttons, not hackers.