GitHub announced that it will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. This is part of GitHub’s platform-wide effort to secure the software ecosystem by improving account security.
GitHub described their reasoning for requiring 2FA this way:
The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step towards securing the supply chain. GitHub has a long history of protecting developers through efforts including seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification.
According to GitHub, most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to.
GitHub continues by pointing out that compromised accounts can be used to steal private code or push malicious changes to the code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.
Protocol reports that just 16.5% of GitHub.com users currently use two-factor authentication, which is considered substantially more secure than password-only login because it requires a second factor in addition to the password. The two-factor authentication requirement will affect GitHub.com’s 83 million users, and is being announced well in advance to “make sure we get this right” in terms of user experience for developers, said Mike Hanley, chief security officer at GitHub.
According to Protocol, the announcement by Microsoft-owned GitHub comes at a time of high anxiety in the enterprise about the potential for security risks of open source software components. This is due in part to rising attacks against software supply chains – which jumped by more than 300% in 2021, according to a report from application protection firm Aqua Security.
In my opinion, it is a very good idea to put 2FA on everything – even if you don’t happen to post code on GitHub. Two-factor authentication is a great way to prevent someone from stealing your social media accounts, breaking into your personal website, or locking you out of your most frequently used email accounts. It makes sense for GitHub to be requiring 2FA.