In an effort to further secure developer accounts and code hosted on its platform, GitHub has announced that its users will be required to sign up for two-factor authentication (2FA) by the end of next year.
Specifically, anyone who contributes code on the Microsoft-owned platform will need to enable one or more forms of 2FA.
According to a new blog post from GitHub Director of Security Mike Hanley, the software supply chain begins with developers, and developer accounts are frequently targeted by social engineering and account takeover. By protecting developers from these types of attacks, the company is taking the first and most important step towards securing the software supply chain.
Going forward, GitHub plans to explore new ways to securely authenticate its users, including passwordless authentication. In fact, last year the company added the ability to use security keys for authentication as part of its effort to move toward a passwordless future.
Securing the software supply chain
In November last year, GitHub committed to new investments in npm account security following npm package takeovers resulting from developer accounts without 2FA enabled being compromised.
Although zero-day vulnerabilities get a lot of attention online, low-cost attacks such as social engineering, credential theft, or data leaks are actually responsible for most vulnerabilities.
Compromised accounts on GitHub can be used to steal private code or even make malicious changes to that code. Unfortunately, the risk is not limited to the individuals and organizations associated with the compromised accounts; every user of the affected code is exposed as well.
The best defense against compromised user accounts is to go beyond basic password-based authentication. However, only 16.5% of all active GitHub users today and 6.44% of npm users use one or more forms of 2FA.
GitHub users have plenty of time to prepare for this change, and the company recently launched 2FA for GitHub mobile on iOS and Android. Those interested in learning how to set up GitHub Mobile 2FA can check out this support document to get started.