GitHub is bringing in mandatory 2FA

holding an iphone
(Image credit: Shutterstock)

GitHub has announced it will soon be rolling out the mandatory use of two-factor authentication (2FA) on developer's accounts.

The software development platform will initially be emailing small groups of administrators and developers, notifying them of the change to their accounts, before all of them are eventually enrolled on 2FA by the end of the year.

"GitHub has designed a rollout process intended to both minimize unexpected interruptions and productivity loss for users and prevent account lockouts," said Staff Product Manager Hirsch Singhal and Product Marketing Director Laura Paine in a joint blog post on the company's site.

Boosting security

"Groups of users will be asked to enable 2FA over time, each group selected based on the actions they've taken or the code they've contributed to." 

Once a user receives the 2FA email, they will have 45 days to set it up on their account. 

If users still haven't activated it after this point, they will be blocked from the full functionality of their account until 2FA has been configured by them. To prevent any surprises, though, GitHub will keep users updated on how long they have left. 

GitHub previously announced in May and December 2022 that 2FA would be coming soon, and to further prepare its users, it has also published a guide on configuring 2FA and how to recover your account should you lose your 2FA device.

2FA is a type of multi-factor authentication, an extra layer of security to make sure it is actually you who is accessing your account with your username and password. A code is sent to another one of your devices, typically your smartphone, which you input after entering your login details to authenticate your identity. 

For most services that use 2FA, the code can be delivered via SMS or an authenticator app. In addition to these, GitHub will also support 2FA via physical security keys and its own GitHub iOS and Android mobile apps.

GitHub however isn't recommending that users opt for SMS 2FA, as this is less secure than other forms, as messages can be intercepted and the authentication tokens generated can be stolen. 

The move to enforce 2FA follows GitHub's recent efforts to make its service more secure. Authenticating Git operations via a user's account password was revoked in 2019, instead requiring the use of authentication tokens such as SSH keys, which could then be further secured by security keys from 2021.

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.