GitHub to Enforce Two-Factor Authentication

A code-hosting platform used by tens of millions of software developers worldwide is implementing mandatory two-factor authentication (2FA) for all code contributors.

In an announcement shared earlier today, Github said that all users who upload code to the site will need to enable one or more forms of 2FA by the end of 2023 to continue using the platform.

The platform said the move was "part of a platform-wide effort to secure the software ecosystem through improving account security."

According to GitHub, only approximately 16.5% of its active users and 6.44% of npm (node package manager) users already use one or more forms of 2FA.

GitHub has already taken several steps beyond basic password-based authentication, including deprecating basic authentication for git operations and its API and requiring email-based device verification in addition to a username and password. 

The platform said: "2FA is a powerful next line of defense."

Andrew Hay, COO at LARES Consulting, branded GitHub's decision "a great move towards increasing the complexity of account takeovers."

However, Hay expressed concern about what could happen if some GitHub contributors do not implement 2FA. 

"One design decision, that may cause some issues, is that GitHub stated that it will remove enterprise members and owners who do not use 2FA from the organization or enterprise once these settings are enabled," said Hay. 

"We don't expect this to cause many issues, but it may lead to some calls to the support desk if a user finds that they can no longer access the code repositories they once had access to."

Casey Bisson, head of product and developer relations at BluBracket, also welcomed GitHub's decision but questioned how successful 2FA would be at protecting code. 

"This move by GitHub to enforce stronger protections on the more than 70 million users and 100 million repositories they host, is a great move," said Bisson.

He added: "Most of the companies recently attacked by Lapsus$, for example, also had strong authentication policies with 2FA, yet still saw their code – and all the keys and passwords in it – leaked publicly.

What’s Hot on Infosecurity Magazine?