All GitHub Users Will Need to Enable 2FA by the End of 2023
The Measure Is Meant to Protect Users from Identity Theft and Increase their Trust in the Integrity of the Code.
GitHub recently announced that it will require all users who contribute code on the platform to enable two-factor authentication over the course of 2023.
Two-factor authentication (2FA) makes accounts safer by adding an extra step that requires entering a one-time code during the login process.
Takeovers of user accounts on GitHub can result in the insertion of malicious code for supply chain attacks that, depending on the popularity of the project, could have repercussions that go far beyond the initial target.
Adopting two-factor authentication (2FA) as a mandatory security precaution for all GitHub accounts will make the site more secure and increase the users’ trust in the integrity of the code they download from repositories, explains Bleeping Computer.
To better protect developers from account theft, we announced our intention to require all developers who contribute code on GitHub.com to enable one or more forms of 2FA by the end of 2023.
Beginning in March 2023, we’ll start requiring distinct groups of users to enable 2FA over time. This will allow us to learn about the efficacy of the rollout and make adjustments as needed before we scale to larger groups as 2023 progresses.
The 2FA Rollout Process
From March 2023 on, GitHub will require 2FA for all its users, beginning with small groups of early contributors. These groups are picked using the following criteria, with an emphasis on the impact to the security of the broader ecosystem:
- Users who published GitHub or OAuth apps or packages;
- Users who created a release;
- Users who are Enterprise and Organization administrators;
- Users who contributed code to repositories deemed critical by npm, OpenSSF, PyPI, or RubyGems;
- Users who contributed code to the approximate top four million public and private repositories.
Those who are notified through email to activate 2FA will have 45 days to do so. If users fail to enable 2FA by the deadline, they will be banned from using GitHub’s features for a week.
GitHub’s complete announcement is available here.