GitHub has announced a significant security enhancement by mandating two-factor authentication (2FA) for all users contributing code on GitHub.com by the 19th of January, 2024. This proactive measure aims to protect developer accounts from social engineering, account takeover, and potential security breaches in the software supply chain.
Security breaches often result from low-cost attacks such as social engineering and credential theft, which makes moving beyond password-only authentication essential. GitHub's earlier steps in this direction include deprecating basic authentication for Git operations and the API and requiring email-based device verification. Despite these efforts, only approximately 16.5% of active GitHub users and 6.44% of npm users were using 2FA in May 2023.
To further reinforce security, GitHub has initiated mandatory 2FA enrollment for npm maintainers, starting with the top 100 packages and expanding to high-impact packages later. This step aligns with GitHub's broader industry efforts to enhance the overall security of the software supply chain.
GitHub emphasizes the importance of 2FA adoption for active contributors, such as those committing code, opening or merging pull requests, using Actions, or publishing packages. The company assures users that the 2FA implementation won't compromise their experience, and GitHub remains committed to exploring new, secure authentication methods, including passwordless authentication.
For individual users, GitHub provides guidance on getting started with 2FA, including configuring 2FA for GitHub Mobile on iOS and Android. The platform encourages the use of phishing-resistant WebAuthn security keys and offers support for critical open-source project maintainers.
GitHub.com organization and enterprise owners can also enforce 2FA for members, ensuring a higher level of security across the platform. GitHub plans to share additional details and timelines for future 2FA requirements, aiming to continuously improve the software development ecosystem's security.
As the January 19th, 2024 deadline approaches, GitHub warns that users who have not enabled 2FA will have limited functionality on GitHub.com. After this date, attempts to access GitHub.com without 2FA will automatically redirect users to complete the setup. Users are advised to configure at least two 2FA methods so that losing one does not lock them out, and to manage their 2FA methods through their account's security settings on GitHub.
GitHub also stresses the importance of saving recovery codes: if every other 2FA method is lost, recovery codes are what allow a user to regain access to the account. The company's commitment to raising security standards reflects its position as a central hub for developers worldwide, alongside its ongoing efforts to improve the safety of the software development ecosystem.