GitHub to enforce 2FA for all code contributors by the end of 2023

Let the OSS Enterprise newsletter guide your open-source journey! Sign up here.

GitHub has announced that two-factor authentication (2FA) will be mandatory for all code contributors through GitHub.com by the end of 2023, building on a slew of recent security developments at the Microsoft-owned code-hosting platform.

While sophisticated zero-day attacks are a real threat for companies across the industrial spectrum, the fact of the matter is that most security breaches are down to simple human error or manipulation. This could be social engineering, credential theft, or other low-barrier entry points to employees’ work accounts. Which is why 2FA can be such a useful mechanism for securing critical business systems, as it means that if a bad actor gets a hold of private login credentials, it’s much more difficult to exploit them.

GitHub’s 2FA push

Back in November, GitHub responded to recent NPM package takeovers resulting from compromised accounts, including one with more than 7 million weekly downloads, by making 2FA mandatory. This process kicked into gear in February, when GitHub enforced 2FA for all maintainers of the top 100 most popular NPM registry packages, and the following month all NPM accounts were automatically enrolled in GitHub’s enhanced login verification program. Later this month, GitHub said that it will be enrolling all maintainers of the top 500 NPM packages for 2FA, while those with more than 500 dependencies or 1 million weekly downloads will be added to the mix in Q3 of 2022.

And the lessons that GitHub garners from this incremental rollout for NPM packages will be applied to its broader push to make 2FA mandatory across GitHub.com.

In many ways, this has been a long time coming. A compromised account can be used to pilfer private code or push malicious changes down through the software supply chain, causing all manner of untold damage. But despite first introducing an optional 2FA mechanism way back in 2013, today GitHub reports that it is used by just 16.5% of active users.

Ahead of today’s announcement, GitHub has been setting the foundation for 2FA to flourish, having added support for third-party physical security keys a while back, and then making the GitHub mobile app yet another way to authenticate logins via 2FA.

The next obvious step is to make 2FA mandatory for all GitHub.com users, something that GitHub will be pushing from now through to the deadline some time at the end of 2023. In the intervening months, GitHub plans to introduce “more options for secure authentication and account recovery,” according to GitHub’s chief security officer Mike Hanley.

“The software supply chain starts with the developer — developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain,” Hanley wrote in a blog post. “GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this.”

It’s worth noting that GitHub’s mandatory 2FA stance will apply to all contributors, both public open-source projects and private projects within organizations.