GitHub will require two-factor authentication for all developers contributing code to a project on the platform. With this step, owner Microsoft wants to strengthen the software supply chain.
In May last year, GitHub stated that 2FA would be mandatory by the end of 2023. In practice, the rollout began much earlier: last year the requirement already applied to maintainers of the top 100 npm packages and to other so-called “high impact” accounts, meaning packages with over a million weekly downloads.
With around 100 million developers, GitHub is a central part of the global software supply chain. If an attacker takes over a developer’s account, they can push malicious commits or releases that are then pulled into every build and device that consumes that developer’s code. Because GitHub is so widely used, the blast radius of a single compromised developer account can be enormous.
Focus on security after high-profile attacks
After a series of high-profile attacks in recent years, such as the SolarWinds breach in 2020, software supply chain security is high on the political agenda worldwide. This has prompted development platforms like GitHub to place higher demands on their users.
Other platforms have adopted similar rules. Since August last year, RubyGems has required multi-factor authentication for owners of gems (packages) with more than 180 million downloads, and the Python Package Index (PyPI) made two-factor authentication mandatory last year for every project in the top 1 percent by downloads.
Who requires two-factor authentication?
GitHub’s new policy will be rolled out gradually. Developers who regularly contribute code are the first to be asked to protect their accounts. Accounts selected for the requirement are notified by email and then have 45 days to enable 2FA.
GitHub has not published precise criteria for the order in which users will be asked to enable two-factor authentication. According to The Register, the following groups should expect to be required to increase their account security in the coming months:
- Users who published GitHub or OAuth apps, actions, or packages
- Users who created a release
- Users who are enterprise and organization administrators
- Users who have contributed code to repositories classified as critical by npm, OpenSSF, PyPI, or RubyGems
- Users who have contributed code to an estimated four million public and private repositories
Once the 45 days have elapsed, account holders must set up 2FA before they can continue using the platform. GitHub offers several methods to secure an account, such as TOTP (authenticator apps), SMS, security keys, or GitHub Mobile. It is also possible to register an additional authentication method, which further protects the account and serves as a backup if the primary factor is lost.
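As an added illustration of what the TOTP option above actually computes (this is example code written for this page, not code from the article or from GitHub): a server-side TOTP generator and verifier per RFC 6238, with the ±1 step skew window and the constant-time comparison a practitioner would want. The 20-byte secret and the expected codes are the test vectors published in RFC 6238; the base32 string is that same test secret in the form GitHub's setup page and authenticator apps use, not a real account secret. The function names are mine.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                           # low nibble of last byte
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF  # 31 bits, sign bit cleared
    return str(code % 10 ** digits).zfill(digits)                        # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time (T0 = 0, 30 s steps)."""
    return hotp(secret, int(at_time) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Shared secrets are presented as base32 (often grouped and without '=' padding);
    normalise whitespace and case and restore padding before decoding."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock skew).
    Reject malformed input up front; compare in constant time so timing does not leak
    how many digits matched."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (constructed test data, not a real credential)
    secret = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    for t in (59, 1111111109, 1234567890):
        print(t, totp(secret, t), totp(secret, t, digits=8))
    print(verify_totp(secret, totp(secret, 59), 59 + 30))  # previous step still accepted
```

The skew window is the reason a code keeps working for a few seconds after the authenticator rolls over; without it, legitimate users with slightly drifted clocks would be rejected. The same structure is what lets GitHub verify a TOTP code entirely from the shared secret and the clock, with no third party in the loop, which an SMS code does not offer.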