Microsoft’s owned GitHub has recently announced that it will soon require two-factor authentication (2FA) for developers who contribute code on the platform. Starting today, the company will begin rolling out the 2FA requirement to all software developers worldwide.
GitHub first unveiled its plans to enroll all contributors in 2FA by the end of 2023. The company made the 2FA requirement mandatory for maintainers of the top 100 npm packages in February 2022. Then, GitHub expanded this policy to include all maintainers of popular packages with more than 500 dependents or over one million weekly downloads.
GitHub explains that this move is part of its efforts to improve account security to secure the software development process. These compromised accounts could be used to roll out malicious changes or steal private code.
“Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security. Developers’ accounts are frequent targets for social engineering and account takeover (ATO). Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain,” GitHub explained.
GitHub plans to roll out the 2FA policy in a staggered manner to minimize disruption in the workflows. Initially, the company will begin notifying smaller developer groups, and it will scale the requirements to larger groups over the course of this year. GitHub has not detailed any specific criteria for inclusion in the 2FA cadence. However, the company indicated that these groups will be selected based on their impact on the broader ecosystem.
GitHub contributors selected for enrollment will get advance email notifications to enable 2FA around 45 days before the deadline. Users who miss the cut-off date will be prompted to turn on the feature the next time they access the GitHub website. They will be able to pause the prompt for up to one week. Once the deadline passes, users will be unable to access GitHub.com without configuring 2FA.
According to Microsoft, developers can choose between various 2FA methods to protect their accounts. These include SMS (Short Message Service), TOTP (Time-based One-Time Password), security keys, and GitHub Mobile 2FA. GitHub warns that SMS-based 2FA is less secure and urges contributors to use one-time passcodes and security keys as their preferred 2FA method.
Lastly, GitHub announced that it’s testing support for passkeys internally with employees. The company highlights that this security feature should provide better protection against sophisticated phishing attacks and other exploits.