GitHub will require all users who contribute code to the platform to enable two-factor authentication (2FA) as an additional protective measure on their accounts by the end of 2023.

Two-factor authentication increases account security by introducing an additional step in the login process that requires entering a one-time code.

For GitHub users, account takeovers can lead to the introduction of malicious code for supply chain attacks which, depending on the popularity of the project, can have a massive impact.

Imposing 2FA as a mandatory measure for all GitHub accounts will make the platform a safer space where users can feel more confident about the quality of the code they download from the repositories.

Earlier this year, the software hosting and collaboration platform announced a similar decision that affected active developers of high impact projects with over 1 million downloads/week or over 500 dependents.

Today, the 2FA requirement is extended to the entire user base, covering approximately 83 million users.

While GitHub had announced this decision previously, it has now shared more details on how it will implement the new measure.

Deployment of the 2FA requirement

GitHub will roll out mandatory 2FA to all GitHub accounts starting in March 2023, initially pushing it to select groups of contributors.

Rollout of the feature will be evaluated before expanding to larger groups, measuring onboarding rates, account lockout and recovery, and support ticket volumes.

GitHub says the pool of larger groups will be built using the following criteria:

  • Users who published GitHub or OAuth apps or packages
  • Users who have created a release
  • Enterprise and organization administrator users
  • Users who have contributed code to repositories deemed critical by npm, OpenSSF, PyPI, or RubyGems
  • Users who have contributed code to the top four million public and private repositories

Those who receive notice to activate 2FA via email will be given 45 days to do so.

Once the deadline is reached, users will start seeing a prompt to enable 2FA on GitHub for another week, and if they don’t take action, they won’t be able to access GitHub features.

“This one-week snooze period only starts when you log in after the deadline, so if you’re on vacation, don’t worry – you won’t be locked out of GitHub.com,” says the announcement.

Twenty-eight days after activating 2FA, users will undergo a mandatory verification to confirm that the new security configuration is working as intended while allowing users to reconfigure their 2FA settings and recover lost codes.
