GitHub To Require Two-Factor Authentication
Tuesday, 10 May 2022
GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
The announcement was made by Mike Hanley, Chief Security Officer at GitHub.
"GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this."
He said that GitHub will continue to actively explore new ways of securely authenticating users, including passwordless authentication, and that developers can expect more options for authentication and account recovery.
Back in January, GitHub announced that developers can use GitHub Mobile on iOS and Android as an easy-to-use two-factor authentication mechanism. This option was added to the existing authentication options, which include security keys and WebAuthn, one-time passcodes, and SMS.
The addition of mobile authentication followed a commitment last year by GitHub to new investments in npm account security following npm package takeovers that compromised developer accounts without 2FA enabled.
All the maintainers of the top 100 GitHub packages on the npm registry have now been enrolled in mandatory 2FA, and all npm accounts now use enhanced login verification. On May 31, 2022 this will be extended to all maintainers of the top 500 packages; maintainers of all high-impact packages (those with more than 500 dependents or 1 million weekly downloads) will follow in the third quarter of the year.
GitHub has also deprecated basic authentication for git operations and requires email-based device verification, in addition to a username and password.
GitHub’s own research has found that only around one in six active GitHub users currently have two-factor authentication enabled on their accounts:
"Today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA."
Hanley said that moving beyond basic password-based authentication is vital to prevent compromised accounts from being used to steal private code or push malicious changes to that code.