GitHub is making a major push toward two-factor authentication (2FA), requiring all users who contribute code to GitHub-hosted repositories to enable one or more forms of 2FA by the end of 2023. The move will impact 83 million developers, at last count.
In explaining its reasoning, GitHub said most security breaches are not the product of exotic zero-day attacks but of lower-cost techniques such as social engineering, credential theft or leakage, and other avenues that give attackers access to victims’ accounts. A compromised account can be used to steal private code or push malicious changes into a repository, which then reach the application’s users as well. The potential for downstream impact on the broader software ecosystem and supply chain is substantial, and the best defense, the company said, is moving beyond password-only authentication.
GitHub has already taken steps in this direction by deprecating basic (password) authentication for Git operations and for GitHub’s REST API, and by requiring email-based device verification for sign-ins from unrecognized devices. Requiring a second factor on top of a username and password is the next line of defense. Currently, only 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA, GitHub said.
GitHub recently launched 2FA support in GitHub Mobile on iOS and Android; a GitHub blog post from January 2022 explains how to configure it. The company said it expects to add more options for secure authentication and account recovery, along with improvements for recovering from account compromise.
GitHub enrolled all maintainers of the top 100 packages in the npm registry in mandatory 2FA in February, and enrolled all npm accounts in enhanced login verification in March.
The company said maintainers of the top 500 packages will be enrolled in mandatory 2FA on May 31. Maintainers of high-impact npm packages, defined as those with more than 500 dependents or more than one million weekly downloads, will be enrolled in mandatory 2FA in the third quarter of this year.