# GitHub Security Best Practices

OTP Guard is defense in depth: it works best as part of a multi-layered security strategy that begins with securing GitHub itself.

GitHub has excellent documentation for its own best practices around [accounts](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts), [organizations](https://docs.github.com/en/code-security/getting-started/quickstart-for-securing-your-organization) and [repositories](https://docs.github.com/en/code-security/getting-started/quickstart-for-securing-your-repository). Here are a few areas that are especially relevant to OTP Guard.

1. **Enable branch protection rules**\
   OTP Guard works best when MFA authorization is a mandatory part of the pull request review process. Enable [branch protection rules](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule) in GitHub so that code cannot be merged without a PR review and passing [status checks](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) - OTP Guard takes effect as a status check.

   <figure><img src="/files/qTOy9cWDboavbbY8n3aL" alt="Screenshot of a failing OTP Guard status check on Github" width="375"><figcaption><p>OTP Guard status check on Github</p></figcaption></figure>
2. **Enforce 2FA for all members of the organization**\
   While OTP Guard is designed to guard against GitHub account compromise, you still want to make it as hard as possible to compromise GitHub in the first place. See the GitHub page on requiring [organization 2FA](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization).
3. **Have more than one org admin**\
   OTP Guard makes heavy use of [step-up authentication](/step-up-authentication.md), which is available to organization administrators to manage user authenticators and audit activity. If an org admin loses access to their own OTP Guard authenticators, another admin can reset them. See GitHub's own page on [ownership continuity](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/maintaining-ownership-continuity-for-your-organization) for organizations.
4. **Keep user access up-to-date**\
   OTP Guard user permissions follow the access control mechanisms set in GitHub. As users leave your organization, ensure they are off-boarded in GitHub promptly. Other users may change roles and need less access than before; update that in GitHub as well, as a matter of least privilege. OTP Guard picks up those GitHub access-control changes immediately, with no further work on the administrator's part.

OTP Guard is only as secure as your GitHub organization. Don't let us be the only thing standing between you and attackers.
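A small audit script for the four controls above, added here as an example and not part of OTP Guard's own tooling. It uses GitHub's REST endpoints for branch protection and organization members (`?role=admin`, `?filter=2fa_disabled`); the organization, repository and the `"OTP Guard"` status check context name are placeholders to replace with your own values.

```python
import json
import os
import urllib.error
import urllib.request
API = "https://api.github.com"

def gh_get(path, token):
    """Authenticated GET; returns parsed JSON, or None on 404 (an unprotected branch)."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def audit_branch_protection(protection, required_check):
    """Findings for a GET /repos/{o}/{r}/branches/{b}/protection response."""
    if protection is None:
        return ["branch has no protection rule"]
    findings = []
    contexts = (protection.get("required_status_checks") or {}).get("contexts", [])
    if required_check not in contexts:
        findings.append(f"status check '{required_check}' is not required")
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving pull request review is required")
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("administrators can bypass the protection rule")
    return findings

def audit_org_members(admins, members_without_2fa):
    """Findings from /orgs/{org}/members?role=admin and ?filter=2fa_disabled."""
    findings = []
    if len(admins) < 2:
        findings.append("organization has fewer than two owners")
    findings += [f"member '{m['login']}' has not enabled 2FA" for m in members_without_2fa]
    return findings
def main():
    token = os.environ["GITHUB_TOKEN"]  # an org owner's token with read:org and repo scope
    org, repo, branch = "example-org", "example-repo", "main"  # placeholders
    prot = gh_get(f"/repos/{org}/{repo}/branches/{branch}/protection", token)
    admins = gh_get(f"/orgs/{org}/members?role=admin", token) or []
    no_2fa = gh_get(f"/orgs/{org}/members?filter=2fa_disabled", token) or []
    # "OTP Guard" is a placeholder: use the check name shown on your pull requests
    for finding in audit_branch_protection(prot, "OTP Guard") + audit_org_members(admins, no_2fa):
        print("FINDING:", finding)
if __name__ == "__main__":
    main()
```

Run it with `GITHUB_TOKEN` set; an empty output means all four controls are in place for that repository and organization.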
