🔐Github Security Best Practices

OTP Guard is defense in depth - it works best as part of a multi-layered security strategy that begins with securing Github.

Github has excellent documentation for its own best practices around accounts, organization and repositories. Here are a few areas that are especially relevant to OTP Guard.

1. Enable branch protection rules OTP Guard works best if MFA authorization is a mandatory part of the pull request review process. Enable branch protection rules in Github so that code cannot be merged without a PR review and passing status checks - OTP Guard takes effect as a status check.

   
2. Enforce 2FA for all members of the organization While OTP Guard is designed to guard against Github account compromise, you still want to make it as hard as possible to compromise Github. See the Github page on enabling organization 2FA.

3. Have more than one org admin OTP Guard makes heavy use of step-up authentication which is available to organization administrators to manage user authenticators and audit activity. If an org admin loses access to their own OTP Guard authenticators, another admin can reset those. See Github's own page for ownership continuity in organizations.

4. Keep user access up-to-date OTP Guard user permissions follow the access control mechanisms set in Github. As users leave your organization, ensure they are off-boarded in Github promptly. Other users may change roles to require a lesser level of access; ensure that is also updated in Github as a matter of least privilege. OTP Guard will pick up on those Github access-control changes immediately without further work on the administrator's part.

OTP Guard is only as secure as your Github organization. Don't let us be the only thing standing between you and hackers.