GitHub will require all developers to enroll in 2FA by the end of 2023

News
By Anthony Spadafora
published

One or more forms of two-factor authentication will be required

GitHub Webpage
(Image credit: Gil C / Shutterstock)

In an effort to further secure the developer accounts and code hosted on its platform, GitHub has announced that its users will need to enroll in two factor authentication (2FA) by the end of next year.

More specifically, anyone that contributes code on the Microsoft-owned platform will need to enable one or more forms of 2FA.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

According to a new blog post from GitHub’s chief security officer Mike Hanley, the software supply chain starts with developers and developer accounts are frequently targeted by social engineering and account takeover. By protecting developers from these types of attacks, the company is taking the first and most critical step toward securing the software supply chain.

Going forward, GitHub plans to explore new ways of securely authenticating its users including passwordless authentication. In fact, just last year, the company added the ability to use security keys for authentication as part of its efforts to move towards a passwordless future.

Securing the software supply chain

Back in November of last year, GitHub committed to new investments in npm account security following npm package takeovers that were the result of developer accounts without 2FA enabled that had been compromised.

Although zero-day vulnerabilities get a lot of attention online, lower-cost attacks such as social engineering, credential theft or data leaks are actually responsible for most security breaches.

Read More

> GitHub is getting better at hunting down your dangerous code

> The latest GitHub update solves major headaches for developers

> GitHub wants to help developers spot security issues before they get too serious

Compromised accounts on GitHub can be used to steal private code or even to push malicious changes to that code. Unfortunately, not only individuals and their organizations associated with these compromised accounts are at risk but also any users of the affected code.

The best defense against compromised user accounts is moving beyond basic password-based authentication. However, only 16.5 percent of all active GitHub users today and 6.44 percent of npm users use one or more forms of 2FA.

GitHub users have plenty of time to prepare for this change and the company recently launched 2FA for GitHub mobile on iOS and Android. Those interested in learning how to configure GitHub Mobile 2FA can check out this support document to get started.

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.