The time has come: GitHub expands 2FA requirement rollout March 13

A GitHub-made image accompanying all the company's communications about 2FA.

Software development tool GitHub will require more accounts to enable two-factor authentication (2FA) starting on March 13. That mandate will extend to all developers who contribute code on GitHub.com by the end of 2023.

GitHub announced its plan to roll out a 2FA requirement in a blog post last May. At that time, the company’s chief security officer said that it was making the move because GitHub (which is used by millions of software developers around the world across myriad industries) is a vital part of the software supply chain. That supply chain has been the target of several attacks in recent years and months, and 2FA is a strong defense against social engineering and other common attack methods.

When that blog post was written, GitHub revealed that only around 16.5 percent of active GitHub users used 2FA—far lower than you’d expect from technologists who ought to know the value of it.

In December, GitHub laid out the details of the plan that goes into effect for more people in a few days. The company will identify specific subsets of users required to jump on the bandwagon first, such as enterprise and organization members, users who contributed code to critical repositories, and so on.

Those users receive periodic reminders within the product and via email 45 days before the requirement takes effect. Starting on their first login after the 2FA deadline, they get daily reminders to enable 2FA. If they still have not done so seven days after that, they will be unable to access most GitHub features until they do. Twenty-eight days after that, GitHub will initiate a “2FA check-up” to ensure that it’s working correctly and that the user can still access their account.

Over the course of 2023, more and more accounts will be brought into this process, with all contributing developer accounts included by the end of the year, GitHub says.

This is not the introduction of 2FA for GitHub accounts. Users have long been able to opt in to 2FA for their individual accounts, and enterprise organizations have been able to require 2FA from all members for a while.

GitHub has been gradually rolling out the requirement to specific types of users over the past several months as well. For example, it announced in December that “maintainers of packages with more than 1 million weekly downloads or more than 500 dependents” would have to enable 2FA. Before that, it required 2FA for contributors to JavaScript libraries distributed via NPM.

If you’re a GitHub user, you’ll have to watch for an email or in-app notification letting you know when your ticket is up.

https://arstechnica.com/?p=1923288