
11 May, 2022

GitHub moves to protect users with 2FA

Source: GitHub. Diagram of the software supply chain.
Source: GitHub. If user accounts on GitHub are compromised, the potential for compromises along the rest of the software supply chain is very high.

GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

GitHub CSO Mike Hanley shared in a blog post that "GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimise for this."

"As standards evolve, we’ll continue to actively explore new ways of securely authenticating users, including passwordless authentication. Developers everywhere can expect more options for authentication and account recovery, along with improvements that help prevent and recover from account compromise," he said in the post, describing the potential downstream impact to the broader software ecosystem and supply chain of a compromise as "substantial".

According to Hanley, most security breaches are not the product of exotic zero-day attacks but of lower-cost attacks such as social engineering and credential theft or leakage.

More details and timelines for future 2FA requirements for GitHub.com users will be shared in the coming months. To ensure a smooth and accessible experience, GitHub will also be introducing improvements and new features designed to help users secure and recover accounts.

Details:

Individual users can use the GitHub Mobile app on iOS and Android as a 2FA method. Before mobile 2FA can be configured, at least one other form of 2FA must already be enabled on the account.

GitHub.com organisation and enterprise owners can require 2FA for their members. However, organisation and enterprise members and owners who do not use 2FA will be removed from the organisation or enterprise when these settings are enabled.
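Because turning on the organisation-level 2FA requirement removes every member and owner who has not set 2FA up, an owner will want to see who would be affected before flipping the setting. The script below is an added example, not code from the article or from GitHub: it pages through the documented REST endpoint `GET /orgs/{org}/members` with `filter=2fa_disabled` (and `role=admin` for the owner subset), and a pure `summarize` function reports who would be removed and whether any of them are owners. It assumes an owner-scoped token in the `GITHUB_TOKEN` environment variable and the organisation name in `GITHUB_ORG`; without them it runs on constructed sample data.

```python
# Added example (not from the article or from GitHub): audit an organisation for
# members without 2FA before enabling "require 2FA", which removes them all.
import json
import os
import urllib.request

API = "https://api.github.com"  # documented REST API base URL


def fetch_members(org, token, filter_="2fa_disabled", role="all", per_page=100):
    """Page through GET /orgs/{org}/members (documented endpoint; owner token needed).

    filter_="2fa_disabled" lists members who have not enabled 2FA; role="admin"
    narrows the listing to organisation owners. Both are plain query parameters.
    This performs network calls and is not exercised offline.
    """
    page = 1
    while True:
        url = (f"{API}/orgs/{org}/members?filter={filter_}&role={role}"
               f"&per_page={per_page}&page={page}")
        req = urllib.request.Request(url, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
        })
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return
        yield from batch
        if len(batch) < per_page:  # last page
            return
        page += 1


def summarize(no_2fa_members, no_2fa_owners):
    """Pure function over member objects (dicts carrying at least a "login" key).

    Returns the logins that enforcing 2FA would remove, the subset that are
    owners (an owner lock-out is the costliest outcome), and whether it is safe
    to enforce right now (true only when nobody would be removed).
    """
    owners = sorted({m["login"] for m in no_2fa_owners})
    removed = sorted({m["login"] for m in no_2fa_members} | set(owners))
    return {
        "would_be_removed": removed,
        "owners_at_risk": owners,
        "safe_to_enforce": not removed,
    }


def render(summary):
    """Human-readable report lines for the summary dict."""
    lines = [f"Members without 2FA ({len(summary['would_be_removed'])}): "
             + (", ".join(summary["would_be_removed"]) or "none")]
    if summary["owners_at_risk"]:
        lines.append("Owners without 2FA: " + ", ".join(summary["owners_at_risk"]))
    lines.append("Safe to enforce 2FA now: " + ("yes" if summary["safe_to_enforce"] else "no"))
    return lines


# Constructed sample responses standing in for the API when no token is set.
SAMPLE_NO_2FA = [{"login": "alice", "id": 101}, {"login": "bob", "id": 102},
                 {"login": "carol", "id": 103}]
SAMPLE_NO_2FA_OWNERS = [{"login": "carol", "id": 103}]

if __name__ == "__main__":
    token, org = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ORG")
    if token and org:
        members = list(fetch_members(org, token))
        owners = list(fetch_members(org, token, role="admin"))
    else:
        members, owners = SAMPLE_NO_2FA, SAMPLE_NO_2FA_OWNERS
    for line in render(summarize(members, owners)):
        print(line)
```

Run it once before enabling the requirement and again after the affected people have enrolled; only when `Safe to enforce 2FA now: yes` appears will the setting remove nobody.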
