GitHub has announced new rules on account security and two-factor authentication (2FA). By the end of 2023, all users who contribute code to the platform will be required to enable two-factor authentication on their accounts.
Platform representatives write that GitHub is “the home of all developers” and is in a unique position that allows it to “raise the bar for security in the software development ecosystem.”
With supply chain attacks on the rise, GitHub has decided to make 2FA mandatory by the end of 2023 in order to secure all developer accounts on GitHub.com as well as possible and to prevent a single compromised account from being used to attack other repositories.
The new rules will apply to all active contributors, including GitHub users who commit code, use Actions, open pull requests, and publish packages. Developers will be able to use one or more two-factor authentication options, including hardware and virtual security keys (including those built into devices such as phones and laptops), TOTP applications, and SMS messages. However, GitHub does not recommend the SMS option, since codes delivered by SMS can be intercepted or bypassed with relatively little effort.
According to GitHub's own figures, only 16.5% of active GitHub users and 6.44% of npm users currently use 2FA in some form.