GitHub to Require All Code Contributors to Enable 2FA by Late 2023
Microsoft is planning to make some changes to the existing authentication policies on its GitHub platform. The company has announced that it will require all developers contributing code to the service to enroll in at least one form of two-factor authentication (2FA) by the end of 2023.
GitHub is a popular cloud-based service that allows developers to store, track, and collaborate on open-source software projects. The Microsoft-owned code platform has more than 83 million users worldwide. However, we have previously witnessed security incidents in which attackers managed to compromise open-source repositories. Microsoft hopes that its new 2FA mandate will help improve the overall security of the software development process.
“Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial,” explained Mike Hanley, Chief Security Officer at GitHub.
GitHub says only 16.5 percent of active users enable 2FA
According to Microsoft, 2FA can provide developers with an additional layer of protection against increasing security threats. However, Microsoft’s researchers have found that only 16.5 percent of active GitHub users and 6.44 percent of NPM users currently enable one or more forms of 2FA on their accounts.
It is important to note that GitHub had previously dropped support for basic authentication and has already moved to modern authentication mechanisms (such as OAuth or access tokens). Additionally, contributors who have not enabled 2FA are required to use email-based device verification.
Microsoft notes that it will ensure that the new security measures don’t impact the user experience on GitHub. The company expects its developers to have enough time to optimize the platform before the new policy goes into effect in late 2023. Meanwhile, GitHub also plans to give users more account recovery and secure authentication options.
Do you think these extra security measures will help developers block social engineering and software supply chain attacks? Sound off in the comments section below.