GitHub announced that it would require all contributing developers to enable two-factor authentication (2FA) starting March 13. According to the company, the requirement is an initiative to secure software development and the software supply chain.
“GitHub is central to the software supply chain, and securing the software supply chain starts with the developer,” GitHub says on its latest blog. “Our 2FA initiative is part of a platform-wide effort to secure software development by improving account security. Developers’ accounts are frequent targets for social engineering and account takeover (ATO). Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain.”
The rollout of the 2FA requirement will be gradual: the company said it would first reach out to smaller groups of developers and administrators, with groups selected “based on the actions they’ve taken or the code they’ve contributed to,” according to GitHub. The rollout will continue over the course of the next year.
Those selected will be notified via email and will also see an enrollment banner on GitHub.com. Once notified, developers will have 45 days to set up 2FA. A further one-week extension follows this period, but account access will be limited during the extension, according to GitHub. Developers notified early of the new requirement are therefore advised to set up 2FA as soon as possible.
The company also encourages contributors subject to the new requirement to choose more secure 2FA methods instead of SMS.
“We strongly recommend the use of security keys and TOTPs wherever possible,” the blog reads. “SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B. The strongest methods widely available are those that support the WebAuthn secure authentication standard. These methods include physical security keys, as well as personal devices that support technologies such as Windows Hello or Face ID/Touch ID.”
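To make the TOTP recommendation concrete, the following is an added example (not code from GitHub or from the article) showing how a time-based one-time password is derived per RFC 6238: the code is an HMAC over the current 30-second time step, keyed with a secret shared once at enrollment, so nothing secret travels over the phone network the way an SMS code does. The secret and expected values come from the RFC 6238 test vectors; the base32 string and the verification window are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1 variant.
RFC_SECRET = b"12345678901234567890"

# Authenticator apps usually receive the secret as base32 (e.g. in an otpauth:// URI).
# This string is a constructed example, not a real account secret.
EXAMPLE_BASE32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of RFC_SECRET


def decode_base32_secret(b32: str) -> bytes:
    """Decode a base32 secret as shown by authenticator apps (padding tolerated)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    counter = int(for_time) // step
    return hotp(secret, counter, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, for_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.

    Uses a constant-time comparison so the response time does not leak which
    digits matched. A real server should also reject reuse of an accepted code.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret, for_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("current code for the RFC test secret:", totp(RFC_SECRET, now))
    print("base32 decodes to RFC secret:", decode_base32_secret(EXAMPLE_BASE32_SECRET) == RFC_SECRET)
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # 94287082
```

The `window` parameter is where deployments differ: a wider window tolerates more clock drift on the user's device but also widens the set of codes that are valid at any instant, so most services keep it at one step on either side.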