The software development tool GitHub will require more accounts to enable two-factor authentication (2FA) starting March 13. That mandate will be extended to all developers who contribute code on GitHub.com by the end of 2023.
GitHub announced its plan to implement a 2FA requirement in a blog post last May. At the time, the company’s chief security officer said that GitHub was making the move because GitHub (which is used by millions of software developers worldwide in countless industries) is a vital part of the software supply chain. That supply chain has been the target of several attacks in recent years and months, and 2FA is a strong defense against social engineering and other particularly common attack methods.
At the time that blog post was written, GitHub revealed that only about 16.5 percent of active GitHub users were using 2FA, far less than you might expect from technologists who should know its value.
In December, GitHub unveiled the details of the plan that will go into effect for more people in a few days. The company will identify specific subsets of users who will be required to enable 2FA first, such as company and organization members, users who have contributed code to critical repositories, etc.
Those users will receive regular in-product and email reminders 45 days before the requirement goes into effect. Starting with their first login after the 2FA deadline, they will receive daily reminders to enable 2FA. If they haven’t done so seven days after that, they won’t be able to access most GitHub features until they do. Twenty-eight days after that, GitHub will initiate a “2FA check” to ensure that it’s working properly and that the user can still access their account.
Over the course of 2023, more and more accounts will be included in this process, with all contributing developer accounts being included by the end of the year, says GitHub.
This is not the introduction of 2FA for GitHub accounts. Users have long been able to opt in to 2FA for their individual accounts, and enterprise organizations have been able to require 2FA for all members for a while.
If you’re a GitHub user, you’ll need to look out for an email or in-app notification letting you know when your turn has come.
Tech – Ars Technica