GitHub will require all code contributors to use two-factor authentication

GitHub, the code hosting platform used by tens of millions of software developers around the world, announced today that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform.

The new policy was announced Wednesday in a blog post by GitHub’s chief security officer (CSO) Mike Hanley, which highlighted the Microsoft-owned platform’s role in protecting the integrity of the software development process in the face of threats created by bad actors taking over developers’ accounts.

“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”

Even though multi-factor authentication provides significant additional protection to online accounts, GitHub’s internal research shows that only around 16.5 percent of active users (roughly one in six) currently enable the enhanced security measures on their accounts — a surprisingly low figure given that the platform’s user base should be aware of the risks of password-only protection.

By steering these users towards a higher minimum standard of account protection, GitHub hopes to boost the overall security of the software development community as a whole, Hanley told The Verge.

“GitHub is in a unique position here, just by virtue of the vast majority of open source and creator communities living on GitHub.com, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective,” Hanley said. “We feel like it’s really one of the best ecosystem-wide benefits that we can provide, and we’re committed to making sure that we work through any of the challenges or obstacles to making sure that there’s successful adoption.”

GitHub has already established a precedent for the mandatory use of 2FA with a smaller subset of platform users, having trialled it with contributors to popular JavaScript libraries distributed through the package management software NPM. Since widely used NPM packages can be downloaded millions of times per week, they make a very attractive target for malware gangs. In some cases, hackers compromised NPM contributor accounts and used them to publish software updates that installed password stealers and crypto miners.

In response, GitHub made two-factor authentication mandatory for the maintainers of the 100 most popular NPM packages as of February 2022. The company plans to extend the same requirements to contributors to the top 500 packages by the end of May.

Insights from this smaller trial will be used to smooth out the process of rolling out 2FA across the platform, Hanley said. “I think we have a great benefit of the fact that we’ve already done this now on NPM,” he said. “We have learned a lot from that experience, in terms of feedback we’ve gotten from developers and creator communities that we’ve talked to, and we had a very active dialog about what good [practice] looks like with them.”

Broadly speaking, this means setting a long lead time for making the use of 2FA mandatory site-wide, and designing a range of onboarding flows to nudge users towards adoption well before the 2024 deadline, Hanley said.

Securing open-source software is still a pressing concern for the software industry, particularly after last year’s log4j vulnerability. But while GitHub’s new policy will mitigate against some threats, systemic challenges remain: many open source software projects are still maintained by unpaid volunteers, and closing the funding gap has been seen as a major problem for the tech industry as a whole.

GitHub, the code hosting platform used by tens of millions of software developers around the world, announced today that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform.

The new policy was announced Wednesday in a blog post by GitHub’s chief security officer (CSO) Mike Hanley, which highlighted the Microsoft-owned platform’s role in protecting the integrity of the software development process in the face of threats created by bad actors taking over developers’ accounts.

“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”

Even though multi-factor authentication provides significant additional protection to online accounts, GitHub’s internal research shows that only around 16.5 percent of active users (roughly one in six) currently enable the enhanced security measures on their accounts — a surprisingly low figure given that the platform’s user base should be aware of the risks of password-only protection.

By steering these users towards a higher minimum standard of account protection, GitHub hopes to boost the overall security of the software development community as a whole, Hanley told The Verge.

“GitHub is in a unique position here, just by virtue of the vast majority of open source and creator communities living on GitHub.com, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective,” Hanley said. “We feel like it’s really one of the best ecosystem-wide benefits that we can provide, and we’re committed to making sure that we work through any of the challenges or obstacles to making sure that there’s successful adoption.”

GitHub has already established a precedent for the mandatory use of 2FA with a smaller subset of platform users, having trialled it with contributors to popular JavaScript libraries distributed through the package management software NPM. Since widely used NPM packages can be downloaded millions of times per week, they make a very attractive target for malware gangs. In some cases, hackers compromised NPM contributor accounts and used them to publish software updates that installed password stealers and crypto miners.

In response, GitHub made two-factor authentication mandatory for the maintainers of the 100 most popular NPM packages as of February 2022. The company plans to extend the same requirements to contributors to the top 500 packages by the end of May.

Insights from this smaller trial will be used to smooth out the process of rolling out 2FA across the platform, Hanley said. “I think we have a great benefit of the fact that we’ve already done this now on NPM,” he said. “We have learned a lot from that experience, in terms of feedback we’ve gotten from developers and creator communities that we’ve talked to, and we had a very active dialog about what good [practice] looks like with them.”

Broadly speaking, this means setting a long lead time for making the use of 2FA mandatory site-wide, and designing a range of onboarding flows to nudge users towards adoption well before the 2024 deadline, Hanley said.

Securing open-source software is still a pressing concern for the software industry, particularly after last year’s log4j vulnerability. But while GitHub’s new policy will mitigate against some threats, systemic challenges remain: many open source software projects are still maintained by unpaid volunteers, and closing the funding gap has been seen as a major problem for the tech industry as a whole.