GitHub will implement the 2FA requirement for all contributing developers starting March 13

GitHub announced that it will require all contributing developers to enable two-factor authentication (2FA) as of March 13. According to the company, the initiative is intended to secure software development and the software supply chain.

“GitHub is critical to the software supply chain, and securing the software supply chain starts with the developer,” says GitHub in its latest blog post. “Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security. Developer accounts are frequent targets of social engineering and account takeover (ATO). Protecting developers and consumers in the open source ecosystem from these types of attacks is the first and most critical step in securing the supply chain.”

The rollout of the 2FA requirement will be gradual, and the company said it will reach out to smaller groups of developers and administrators first. The selection of developer groups will be based “on the actions they have taken or the code they have contributed to,” according to GitHub. The rollout will continue over the course of the next year.

Developers who are selected will be notified by email and will also see an enrollment banner on GitHub.com. Once notified, they will have 45 days to set up 2FA. A further one-week extension follows this period, but account access will be limited during that time, according to GitHub. Accordingly, those notified in advance of the new security requirement are advised to set up 2FA as soon as possible.

The company also encourages users subject to the new requirement to choose more secure 2FA methods instead of SMS.

“We strongly recommend the use of security keys and TOTP whenever possible,” the blog reads. “SMS-based 2FA does not provide the same level of protection and is no longer recommended per NIST 800-63B. The strongest widely available methods are those that support the WebAuthn secure authentication standard. These methods include physical security keys, as well as personal devices that support technologies, such as Windows Hello or Face ID/Touch ID.”


James D. Brown