GitHub to Require All Code Contributors to Enable 2FA by Late 2023


GitHub, owned by Microsoft, is changing the authentication policy on its platform. The company has announced that every user who contributes code on GitHub.com must enroll in at least one form of two-factor authentication (2FA) by the end of 2023.

GitHub is a widely used cloud-based service on which developers store, track and collaborate on software projects, including a large share of the open-source ecosystem. The Microsoft-owned platform has more than 83 million users worldwide. Attackers have previously compromised open-source repositories by taking over the accounts of their maintainers, and GitHub expects the 2FA mandate to improve the overall security of the software development process by making such account takeovers harder.

“Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial,” explained Mike Hanley, Chief Security Officer at GitHub.


GitHub says only 16.5 percent of active users enable 2FA

GitHub argues that 2FA gives developers an additional layer of protection against growing threats such as phishing and credential stuffing, which a password alone does not stop. Yet by GitHub's own figures, only about 16.5 percent of active GitHub users and 6.44 percent of npm users currently have one or more forms of 2FA enabled on their accounts.

It is worth noting that GitHub had already stopped accepting account passwords (basic authentication) for Git operations and the REST API in 2021. Instead, those operations must use modern authentication mechanisms such as OAuth, personal access tokens or SSH keys. Additionally, users who have not enabled 2FA already have to complete email-based device verification when signing in from an unrecognized device.
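An organization owner preparing for the mandate will want to know which members still lack 2FA. The script below is an added example, not code from the article or from GitHub. It uses the documented REST endpoint `GET /orgs/{org}/members?filter=2fa_disabled`, which returns only members without 2FA and is available to organization owners, and it authenticates with a personal access token sent as a Bearer header, since passwords are no longer accepted for the API. The organization name `example-org`, the logins in the sample data and the two-page sample response are constructed so the code runs offline; pass a real fetcher and token to run it against GitHub.

```python
"""Audit which members of a GitHub organization have not enabled 2FA.

Added example, not from the article or GitHub. Endpoint and headers are
GitHub's documented ones; the sample organization and members are constructed.
"""
import json
import os
import re
import sys
import urllib.request

API = "https://api.github.com"
# GitHub paginates list endpoints and advertises the next page in a Link header.
LINK_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')


def next_page(link_header):
    """Return the URL tagged rel="next" in a Link header, or None on the last page."""
    if not link_header:
        return None
    match = LINK_NEXT.search(link_header)
    return match.group(1) if match else None


def github_fetch(url, token):
    """Real fetcher: one authenticated GET, returning (parsed JSON body, Link header)."""
    request = urllib.request.Request(url, headers={
        # Token auth replaces the basic (password) auth GitHub dropped in 2021.
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(request) as response:
        return json.load(response), response.headers.get("Link")


def members_without_2fa(org, fetch, token=""):
    """Walk every page of members lacking 2FA and return their logins, sorted."""
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    logins = []
    while url:
        body, link = fetch(url, token)
        logins.extend(member["login"] for member in body)
        url = next_page(link)
    return sorted(logins)


# Constructed stand-in for the API (two pages) so the audit can run offline.
_BASE = f"{API}/orgs/example-org/members?filter=2fa_disabled&per_page=100"
SAMPLE_PAGES = {
    _BASE: (
        [{"login": "carol"}, {"login": "alice"}],
        f'<{_BASE}&page=2>; rel="next", <{_BASE}&page=2>; rel="last"',
    ),
    f"{_BASE}&page=2": (
        [{"login": "dave"}],
        f'<{_BASE}&page=1>; rel="prev", <{_BASE}&page=1>; rel="first"',
    ),
}


def sample_fetch(url, token):
    """Offline fetcher returning the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Usage: GITHUB_TOKEN=ghp_... python audit_2fa.py <org>; no args uses sample data.
    if len(sys.argv) > 1 and os.environ.get("GITHUB_TOKEN"):
        missing = members_without_2fa(sys.argv[1], github_fetch, os.environ["GITHUB_TOKEN"])
    else:
        missing = members_without_2fa("example-org", sample_fetch)
    print("Members without 2FA:", ", ".join(missing) or "none")
```

The `filter=2fa_disabled` parameter does the selection server-side, so the script only has to follow pagination; the token needs the `read:org` scope (or equivalent fine-grained permission) and the caller must be an owner of the organization, otherwise the filter is ignored.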

GitHub says it will make sure the new requirement does not degrade the user experience on the platform, and that the time before the policy takes effect in late 2023 will be used to refine the 2FA enrollment and sign-in flows. Meanwhile, GitHub also plans to give users more account recovery options and additional secure authentication methods.

Do you think these extra security measures will help developers block social engineering and software supply chain attacks? Sound off in the comments section below.