OTP Guard

Lock Down Your Github PRs

Add multi-factor authentication to Github pull requests with one click. Secure your code.

How OTP Guard Works

  • Connect OTP Guard to protect your Github repositories with a few clicks.
  • After submitting or updating a pull request, use your authenticator to validate the PR.

That's all! See the quickstart for more details.

Why OTP Guard?

  • The Problem. Having access to a Github account is not a surefire indicator of authenticity. Sophisticated info-stealer malware can hijack logged-in accounts - bypassing any two-factor check. Users may also be vulnerable to phishing with weaker authenticators such as TOTP or SMS.

    OTP Guard is an additional security layer for Github to protect your applications and ensure it is really your team that is authenticating every change into your codebase.
  • Step-Up Multi-Factor Authentication. Your code base is the gateway to your applications and infrastructure. OTP Guard implements step-up authentication to ensure the presence of authorized team members at critical points in an application's life cycle - such as when making changes to the code.
  • An Independent Security Layer. Unlike standard MFA tied to Github or an identity provider, OTP Guard is an independent authentication source. This extra layer of security ensures that you are protected even if a Github or identity provider account is compromised. Attackers would have to get through those and OTP Guard to make a dent in your organization's applications and infrastructure.
  • Defense In Depth. OTP Guard works in conjunction with existing security mechanisms, such as Git commit signing and Github access control. With OTP Guard, organization administrators have more control of authenticator requirements while offering users a low-friction MFA enrollment pathway. This offers more visibility, control and better ease-of-use for non-technical or external users compared to setting up Git commit signatures for each contributor, and scales for merges. OTP Guard is also ideal for open-source repositories where external contributors may not have Git signing keys set up - have a team member step-up to authenticate the pull request during the review process.


  • Easy setup via GitHub OAuth2. Just a few clicks is all it takes to protect your organization.
  • Permissions seamlessly follow GitHub. Add or remove a team member, or change someone's permissions on GitHub? No problem - OTP Guard will seamlessly pick up on these changes. No need for a separate checklist step to update provisioning or access control in OTP Guard after org changes, because OTP Guard keeps itself updated as your team changes.
  • Tightly scoped OAuth2 permissions. OTP Guard only requires minimal privileges to work. The contents of your repositories or code in pull requests is not visible to OTP Guard. The only permissions OTP Guard needs are for GitHub checks and read-only permissions for pulls - pull request metadata, not code.
  • Granular repository access Easily apply OTP Guard's protection to all GitHub repositories in your organization, or just a few selected ones.
  • Organization-scoped authenticators. For users that belong to separate GitHub organizations, OTP Guard maintains separate user authenticator registrations for each organization. Organization admins have visibility into the types of authenticators registered with their own organization - have a Yubikey-only requirement? Enforce that with OTP Guard.
  • Passkeys via WebAuthn. Built into modern browsers - Chrome, Edge, Safari and Firefox.
  • Hardware Security Keys. Bring your own Yubikey or any WebAuthn-compatible device
  • Authenticator app support. OTP Guard supports common TOTP authenticator apps, such as Google Authenticator, Microsoft Authenticator, iCloud Keychain and more.
  • OTP Review. See who authenticated which PRs, and when.
  • Audit Log. Review OTP Guard authenticator activity across the organization - enrollments, removals, and PR authorizations.
  • Secure and easy authenticator managementEnrolling authenticators beyond the first - or deleting an authenticator - requires a step-up with an existing authenticator. Organization admins can remove team member' authenticator types as a break-glass action.
  • Phishing Protection. OTP Guard offers best-in-class phishing protection with security images and authentication based on the WebAuthn standard.
Have any ideas or specific requirements? Talk to us and help inform the development of OTP Guard.


"Incredibly positive quote about OTP Guard here" - Dan, Redact


Free for now. In the future, pricing will resemble the following:

Have questions or need a custom plan? Talk to us