
GitHub announced it will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

GitHub’s Chief Security Officer, Mike Hanley, noted that developer accounts are frequent targets for social engineering and account takeover, and that protecting developers from these attacks is the first and most critical step toward securing the supply chain.

2FA adoption across the software ecosystem remains low overall. Today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.

GitHub says the 2023 date provides time to ensure that strong account security doesn’t come at the expense of a great experience. The company is also committed to implementing new ways of securely authenticating users, including passwordless authentication.

The news comes in the wake of past npm package takeovers resulting from the compromise of developer accounts without 2FA enabled. GitHub says that most security breaches are not the product of zero-day attacks, but involve lower-cost attacks like social engineering, credential theft or leakage. Compromised accounts can then be used to steal private code or push malicious changes to that code.

Mr Hanley said that GitHub’s unique position as the home for all developers means that the company has both an opportunity and a responsibility to raise the bar for security across the software development ecosystem to improve the overall security of the software supply chain.

GitHub.com organization and enterprise owners can also require 2FA for members of their organizations and enterprises. Note that organization and enterprise members and owners who do not use 2FA will be removed from the organization or enterprise when these settings are enabled.

GitHub will share more details and timelines for future 2FA requirements for GitHub.com users. The company also recently launched 2FA for GitHub Mobile on iOS and Android.

Staff Writers