By end of 2023, GitHub to force code contributors to use two-factor authentication
Jonathan Greig May 4, 2022

By end of 2023, GitHub to force code contributors to use two-factor authentication

By end of 2023, GitHub to force code contributors to use two-factor authentication

GitHub said Wednesday that it plans to require any user who contributes code on the platform to enroll in two-factor authentication by the end of 2023.

The Microsoft-owned company has about 83 million developers on its platform, and GitHub Chief Security Officer Mike Hanley said they can be “frequent targets for social engineering and account takeover.”

Those types of incidents can have widespread effects on the supply chain for software. In October, for example, a massively popular JavaScript library was hacked and modified with malicious code that caused affected computers to download and install a password stealer and cryptocurrency miner.

GitHub’s goal is to use the next 20 months to optimize new security features without affecting the platform’s user experience, Hanley said.

“As standards evolve, we’ll continue to actively explore new ways of securely authenticating users, including passwordless authentication,” Hanley said. “Developers everywhere can expect more options for authentication and account recovery, along with improvements that help prevent and recover from account compromise.”

Compromised GitHub accounts can be used to steal private code or push malicious changes to code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial, Hanley added. 

Hanley just hit his one-year mark with GitHub and has instituted several security changes to the platform since arriving. 

In February, the administrators of the Node Package Manager (npm) — which is owned by GitHub — said they enrolled the maintainers of the Top 100 most popular libraries (based on the number of dependencies) into their mandatory two-factor authentication procedure.

Npm is the the largest package repository for the JavaScript ecosystem. Hanley said npm made the change “in the wake of npm package takeovers resulting from the compromise of developer accounts without 2FA enabled.” 

In March, tall npm accounts were enrolled in enhanced login verification and on May 31, Hanley said all maintainers of the top 500 packages will be enrolled in mandatory two-factor authentication. 

“Our final cohort will be maintainers of all high-impact packages, those with more than 500 dependents or 1 million weekly downloads, whom we plan to enroll in the third-quarter of this year,” he said. “We will leverage what we learn from requiring 2FA on npm and apply those lessons to our efforts on GitHub.com.”

Data shared by Hanley shows that mandatory enrollment may be the best way to move forward. Only 16.5% of active GitHub users and 6.44% of npm users use one or more forms of two factor authentication, according to Hanley.

In January, GitHub announced that two-factor authentication will be available to all users through GitHub Mobile. It is now available to all users in the App Store and Play Store. 

The feature is another way GitHub users can enable two-factor authentication alongside security keys as well as WebAuthn, one-time passcodes and SMS.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.