GitHub launches new 2FA mandates for code developers, contributors

New rules surrounding authentication will come in by the end of 2023.
Written by Charlie Osborne, Contributing Writer

GitHub is introducing new rules surrounding developers and two-factor authentication (2FA) security.

On Wednesday, the Microsoft-owned code repository said that changes will be made to existing authentication rules as "part of a platform-wide effort to secure the software ecosystem through improving account security."

According to Mike Hanley, GitHub's Chief Security Officer (CSO), GitHub will require any developer contributing code to the platform to enable at least one form of 2FA by the end of 2023.

Open source projects are popular and widely used, valuable resources for individuals and the enterprise alike. However, if a threat actor compromises a developer's account, this could lead to hijacked repos, data theft, and project disruption.

Cloud platform provider Heroku, owned by Salesforce, disclosed a security incident in April. A subset of its private git repositories was compromised following the theft of OAuth tokens, potentially leading to unauthorized access to customer repos.

GitHub says the software supply chain "starts with the developer," and has been tightening up its controls with this in mind -- noting that developer accounts are "frequent targets for social engineering and account takeover."

Recently, the issue of malicious packages being uploaded to GitHub's npm registry has also brought software supply chain security to the forefront.

In many cases, it isn't a zero-day vulnerability that causes the collapse of open source projects or gives developers sleepless nights. Instead, it's the fundamental weaknesses -- such as weak password credentials or stolen information -- that cyberattackers exploit.

However, the code repository has also acknowledged that there can be a trade-off between security and user experience. So, the 2023 deadline will also give the organization the time to "optimize" the GitHub domain before the rules are set in stone.

"Developers everywhere can expect more options for secure authentication and account recovery, along with improvements that help prevent and recover from account compromise," Hanley commented.

For GitHub, 2FA implementation may be becoming a pressing issue, with only 16.5% of active GitHub users and 6.44% of npm users adopting at least one form of 2FA.

GitHub has already depreciated basic authentication, using usernames and passwords only, in favor of integrating OAuth or Access tokens. The organization has also introduced email-based device verification when 2FA has not been enabled.

The current plan is to continue a mandatory 2FA rollout on npm, moving from the top 100 packages to the 500, and then those with over 500 dependants or one million weekly downloads. The lessons learned from this testbed will then be applied to GitHub.

"While we are investing deeply across our platform and the broader industry to improve the overall security of the software supply chain, the value of that investment is fundamentally limited if we do not address the ongoing risk of account compromise," Hanley said. "Our response to this challenge continues today with our commitment to drive improved supply chain security through safe practices for individual developers."

In April, GitHub introduced a new scanning feature to protect developers and stop them from accidentally leaking secrets. The enterprise user feature is an optional check for developers to enable for use during workflows and before a git push is launched.  

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards