GitHub will require all users who contribute code on the platform to use 2FA as part of its latest security improvements.
Attacks on the software supply chain are on the increase. GitHub, which has over 83 million code-contributing users, is stepping up to the plate to protect developers and the software supply chain with this major policy change announcement.
“At GitHub, we believe that our unique position as the home for all developers grants us both an opportunity and a responsibility to raise the bar for security across the software development ecosystem,” wrote Mike Hanley, Chief Security Officer at GitHub, in a blog post.
“While we are investing deeply across our platform and the broader industry to improve the overall security of the software supply chain, the value of that investment is fundamentally limited if we do not address the ongoing risk of account compromise.”
GitHub committed to investing in npm account security after the compromise of accounts without 2FA enabled led to package takeovers.
“Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code,” explains Hanley.
“The potential for downstream impact to the broader software ecosystem and supply chain, as a result, is substantial.”
Today, only around 16.5 percent of active GitHub users and 6.44 percent of npm users use one or more forms of 2FA.
Previous efforts undertaken by GitHub to protect developers include seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification.
Following the policy change announced today, GitHub will require all developer accounts to enable one or more forms of 2FA by the end of 2023.
We asked GitHub for a comment on why it decided on such a long transition period and this was the response:
“While we’re excited to improve 2FA adoption, we also recognise that security that isn’t usable isn’t meaningful security. Taking the time to deliver a seamless, accessible experience for developers helps us ensure a successful rollout and also serves to normalise 2FA as something that doesn’t have to be seen as inconvenient.
We believe the time and investment will allow us to make the experience even more delightful in service of our goal to improve adoption. We have also seen great success in a phased roll-out with our 2FA enforcement for npm. This has allowed us to ensure we are heading in the right direction, gather customer feedback, and adapt our approach as necessary.”
While it’s great to see GitHub recognising the risks of compromised accounts, many will still question the need for such a long delay in implementing the policy given the current heightened risks.
A growing number of services already require 2FA and we’re sure GitHub and its users could do the same by the end of this year to help prevent further attacks from compromised accounts.
Update: Added response from GitHub on the reasoning for the lengthy transition period.