GitHub’s 2FA rollout boosts supply chain security

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry).

In a push to enhance the security of the software supply chain, GitHub has successfully rolled out mandatory two-factor authentication (2FA) for code contributors on its platform.

GitHub’s 2FA rollout – announced in May 2022 – aimed to address the critical first link in the software supply chain by securing the developers responsible for designing, building, and maintaining the software we all rely on.

The results are in

After a year of meticulous preparation, including extensive research and design efforts to optimise the user experience, GitHub has shared the results of the first phase of its 2FA enrollment drive:

  • 54% increase in 2FA adoption among all active contributors on GitHub, with an opt-in rate of nearly 95% across code contributors who received the 2FA requirement in 2023.
  • Significant adoption of more secure 2FA methods, such as passkeys. Since the public beta release of passkeys in July 2023, nearly 1.4 million passkeys have been registered on GitHub, rapidly overtaking other forms of WebAuthn-backed 2FA in day-to-day usage.
  • 25% reduction in the overall share of SMS as a second factor, as GitHub intentionally encouraged users to adopt more secure alternatives where possible.
  • 47% higher likelihood for users to configure two or more forms of 2FA, reducing the risk of account lockouts and providing a smoother, more reliable user experience.
  • One-third reduction in 2FA-related support tickets, attributed to the significant investments in user experience and design ahead of the rollout.
  • 54% reduction in 2FA account recovery support tickets requiring significant human intervention, thanks to workflow optimisations and automation.

GitHub’s transparency about its approach has inspired other organisations – such as RubyGems, PyPI, and AWS – to implement their own 2FA requirements, further strengthening the software supply chain’s security.

Looking ahead

While celebrating the initial achievements, GitHub acknowledges that securing the software ecosystem is an ongoing effort. The company is evaluating ways to require even more GitHub users to enroll in 2FA during 2024 while continuing to monitor and improve the user experience.

GitHub is also investigating additional account security features – such as session and token binding – to better manage the risk of account compromise, with or without 2FA. Furthermore, the platform aims to continue driving adoption of the most secure authentication factors available, such as passkeys or security keys, and assist developers in “moving up” to more secure authenticator types.

GitHub urges users to enable 2FA on their accounts, adopt passkeys, or require 2FA for their organisations, underscoring the collective responsibility in safeguarding the software supply chain.
