GitHub has announced that before 2023, all developers who store code and contribute on the GitHub platform will have to enable one or more forms of two-factor authentication (2FA); otherwise they will not be able to use the platform normally.

GitHub explained that most security breaches do not come from very sophisticated attacks or zero-day vulnerabilities. Instead, they are usually low-cost attacks such as social engineering, password leaks, and other techniques that give attackers access to victim accounts. A compromised account can be used to steal private code or push malicious changes that affect application users, and the impact on the broader software ecosystem and on downstream consumers in the supply chain is huge.

GitHub said the software supply chain starts with the developer. Developer accounts are frequent targets of social engineering and account takeover, so protecting developers from these attacks is the first and most critical step in securing the supply chain. According to the GitHub blog, in November 2021 many npm packages were taken over after the accounts of developers who had not enabled 2FA were compromised. Media reports also say that 99.9% of Microsoft accounts that were hacked did not have 2FA enabled.

GitHub said the best way to prevent low-cost attacks is to move beyond password-only authentication. Currently, GitHub requires email-based device verification in addition to username and password login; 2FA will now be the next line of defense. Although 2FA has proven effective in many scenarios, its adoption across the software ecosystem is still low. According to GitHub's internal research, only 16.5% of developers, about one-sixth, have enabled enhanced security measures on their accounts, and only 6.44% of npm users have enabled 2FA.

GitHub recently launched 2FA for GitHub Mobile on iOS and Android. Developers who want to configure GitHub Mobile 2FA can learn how in a January 2022 GitHub blog post. GitHub hopes to offer more options for secure authentication and account recovery, making it less likely that information will be compromised from a user's account.

It is reported that the 2FA requirement will affect 83 million users of the GitHub platform, but GitHub said it can "ensure the user experience of developers." GitHub enrolled all maintainers of the top 100 packages in the npm registry in mandatory 2FA in February, and enrolled all npm accounts in enhanced login verification in March. The company said all maintainers of the top 500 packages will be onboarded to mandatory 2FA on May 31. Maintainers of high-impact npm packages with more than 500 dependents or more than 1 million weekly downloads will be onboarded to 2FA in the third quarter of this year.