GitHub will require all developers to sign up for 2FA by the end of 2023

In an effort to further protect developer accounts and code hosted on its platform, GitHub has announced that its users will be required to sign up for two-factor authentication (2FA) by the end of next year.

Specifically, anyone who contributes code on the Microsoft-owned platform will need to enable one or more forms of 2FA.

According to a new blog post from GitHub Security Director Mike Hanley, the software supply chain begins with developers, and developer accounts are often the target of social engineering and account takeover. By protecting developers from these types of attacks, the company is taking the first and most important step in securing the software supply chain.

In the future, GitHub plans to explore new ways to securely authenticate its users, including passwordless authentication. In fact, last year the company added the ability to use security keys for authentication as part of its effort to move toward a passwordless future.

Securing the software supply chain

In November of last year, GitHub committed to new investments in npm account security following npm package takeovers as a result of developer accounts without 2FA enabled being compromised.

Although zero-day vulnerabilities get a lot of attention online, low-cost attacks like social engineering, credential theft, or data leaks are actually responsible for the majority of security vulnerabilities.

Compromised accounts on GitHub can be used to steal private code or even make malicious changes to that code. Unfortunately, it is not only the people and organizations associated with these compromised accounts who are at risk, but also everyone who uses the affected code.

The best defense against compromised user accounts is to go beyond basic password-based authentication. However, only 16.5% of all active GitHub users today and 6.44% of npm users use one or more forms of 2FA.

GitHub users have plenty of time to prepare for this change, and the company recently released 2FA for GitHub mobile on iOS and Android. Those interested in learning how to set up GitHub Mobile 2FA can refer to this support document to get started.