In an effort to further secure the developer accounts and code hosted on its platform, GitHub (opens in new tab) has announced that its users will need to enroll in two factor authentication (2FA (opens in new tab)) by the end of next year.
More specifically, anyone that contributes code on the Microsoft-owned platform will need to enable one or more forms of 2FA.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
According to a new blog post (opens in new tab) from GitHub’s chief security officer Mike Hanley, the software supply chain starts with developers and developer accounts are frequently targeted by social engineering and account takeover. By protecting developers from these types of attacks, the company is taking the first and most critical step toward securing the software supply chain (opens in new tab).
Going forward, GitHub plans to explore new ways of securely authenticating its users including passwordless authentication (opens in new tab). In fact, just last year, the company added the ability to use security keys (opens in new tab) for authentication as part of its efforts to move towards a passwordless future.
Securing the software supply chain
Back in November of last year, GitHub committed to new investments in npm account security following npm package takeovers (opens in new tab) that were the result of developer accounts without 2FA enabled that had been compromised.
Although zero-day vulnerabilities get a lot of attention online, lower-cost attacks such as social engineering (opens in new tab), credential theft or data leaks are actually responsible for most security breaches.
> GitHub is getting better at hunting down your dangerous code (opens in new tab)
> The latest GitHub update solves major headaches for developers (opens in new tab)
> GitHub wants to help developers spot security issues before they get too serious (opens in new tab)
Compromised accounts on GitHub can be used to steal private code or even to push malicious changes to that code. Unfortunately, not only individuals and their organizations associated with these compromised accounts are at risk but also any users of the affected code.
The best defense against compromised user accounts is moving beyond basic password-based authentication. However, only 16.5 percent of all active GitHub users today and 6.44 percent of npm users use one or more forms of 2FA.
GitHub users have plenty of time to prepare for this change and the company recently launched 2FA for GitHub mobile on iOS and Android. Those interested in learning how to configure GitHub Mobile 2FA can check out this support document (opens in new tab) to get started.