GitHub to introduce two-factor authentication by 2023

GitHub has announced that developers contributing code to its platform will be required to use two-factor authentication (2FA) by the end of 2023.

The move forms part of the Microsoft-owned company’s drive to make the software ecosystem more secure and improve individual account security.

Most security breaches involve lower-cost attacks such as social engineering or credential theft or leakage, GitHub says, which provide attackers with a broad range of access to victims’ accounts and their resources. Compromised accounts can then be used to steal private code or make malicious changes.

Currently, just 16.5% of active GitHub users use one or more forms of 2FA, which provides a powerful next line of defense in securing critical business systems.

Back in February, the company made 2FA mandatory for all maintainers of the top-100 packages on the NPM registry, and in March all NPM accounts were automatically enrolled in enhanced login verification.

From May 31, it will be mandatory for all maintainers of the top-500 packages to use 2FA, with maintainers of high-impact packages to follow suit in Q3 of this year.

“At GitHub, we believe that our unique position as the home for all developers means that we have both an opportunity and a responsibility to raise the bar for security across the software development ecosystem,” explained Mike Hanley, GitHub’s Chief Security Officer, in a blog post.

“While we are investing deeply across our platform and the broader industry to improve the overall security of the software supply chain, the value of that investment is fundamentally limited if we do not address the ongoing risk of account compromise.”

GitHub said this push with NPM packages will help it realise its wider drive to implement mandatory 2FA across its whole platform by 2023.

“GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end of 2023 target gives us the opportunity to optimize for this,” Hanley said.

“As standards evolve, we’ll continue to actively explore new ways of securely authenticating users, including passwordless authentication.”

Daniel Todd
