GitHub introduces mandatory 2FA


GitHub has announced that it will soon implement the mandatory use of two-factor authentication (2FA) for developer accounts.

The software development platform will initially send out emails to small groups of administrators and developers, notifying them of the change to their accounts, before its entire 100 million user base finally signs up for 2FA by the end of the year.

"GitHub has designed a deployment process aimed at minimizing unplanned downtime and lost user productivity and avoiding account lockouts," said Hirsch Singhal, staff product manager, and Laura Paine, director of product marketing at GitHub, in a joint blog post on the company's website.

Strengthen security

"Groups of users will be invited to enable 2FA over time, with each group selected based on the actions they've taken or the code they've contributed."

Once a user receives the 2FA email, they have 45 days to set it up in their account.

If users still haven't enabled it after this point, they will be locked out of all functionality in their account until they've set up 2FA. However, to avoid surprises, GitHub will keep users updated on how much time they have left.

GitHub previously announced in May and December 2022 that the 2FA requirement was coming, and to better prepare its users, it also published a guide on how to set up 2FA and how to recover your account if you lose your 2FA device.

2FA is a type of multi-factor authentication, an extra layer of security to ensure that the person logging in with your username and password is really you. A one-time code is sent to, or generated on, another of your devices, usually your smartphone, and you enter it after your login details to prove your identity.

For most services that use 2FA, the code can be sent via SMS or an authenticator app. On top of that, GitHub will also support 2FA via physical security keys and its own GitHub iOS and Android mobile apps.

However, GitHub does not recommend SMS-based 2FA, which is less secure than the other methods: text messages can be intercepted, and the one-time codes they carry can be stolen.

The decision to mandate 2FA follows earlier efforts by GitHub to make its service more secure. Authentication of Git operations with a user's account password was revoked in 2019 in favour of authentication tokens or SSH keys, which from 2021 could additionally be protected with physical security keys.