The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain. GitHub has a long history of protecting developers through efforts including seeking out and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification. Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.
GitHub is committed to making sure that strong account security doesn’t come at the expense of a great experience for developers, and our end-of-2023 target gives us the opportunity to optimize for this. As standards evolve, we’ll continue to actively explore new ways of securely authenticating users, including passwordless authentication. Developers everywhere can expect more options for authentication and account recovery, along with improvements that help prevent and recover from account compromise.
Why account security and 2FA matter
In November 2021, GitHub committed to new investments in npm account security in the wake of npm package takeovers resulting from the compromise of developer accounts without 2FA enabled. We continue to introduce improvements to npm account security, and are equally committed to securing the accounts of developers using GitHub.
Most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources those accounts can reach. Compromised accounts can be used to steal private code or push malicious changes to that code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.
The best defense against this is moving beyond basic password-based authentication. We have already taken steps in this direction by deprecating basic authentication for git operations and our API and requiring email-based device verification, in addition to a username and password. 2FA is a powerful next line of defense; however, despite demonstrated success, 2FA adoption across the software ecosystem remains low overall. Today, only approximately 16.5% of active GitHub users and 6.44% of npm users use one or more forms of 2FA.
At GitHub, we believe that our unique position as the home for all developers means that we have both an opportunity and a responsibility to raise the bar for security across the software development ecosystem. While we are investing deeply across our platform and the broader industry to improve the overall security of the software supply chain, the value of that investment is fundamentally limited if we do not address the ongoing risk of account compromise. Our response to this challenge continues today with our commitment to drive improved supply chain security through safe practices for individual developers.
Get Started Today
Want to get a head start? We recently launched 2FA for GitHub Mobile on iOS and Android! See the GitHub Mobile documentation to learn how to configure GitHub Mobile 2FA today. To configure Mobile 2FA, you’ll need to have at least one other form of 2FA enabled.
Looking for a phishing-resistant WebAuthn security key experience or other options?
You can get started with the GitHub.com 2FA documentation. To support adoption of security keys, we’ve distributed security keys, like YubiKey, to critical open source project maintainers and stocked security keys in the GitHub Shop. SoloKeys or Titan Security Keys are also great options.
More documentation on GitHub.com 2FA is available in the GitHub Docs. To configure 2FA for npm accounts, see the npm 2FA documentation.
Don’t forget to save your recovery codes and configure one or more account recovery methods as well!
Organizations and Enterprises
GitHub.com organization and enterprise owners can also require 2FA for members of their organizations and enterprises. Note that organization and enterprise members and owners who do not use 2FA will be removed from the organization or enterprise when these settings are enabled.
Over the coming months, we’ll share more details and timelines for future 2FA requirements for GitHub.com users. While we strongly believe 2FA for active contributors (for example, those who commit code, open or merge pull requests, use Actions, or publish packages) is the right thing to do, we also want to ensure a smooth and accessible experience, so look out for future improvements and new features designed to help you secure and recover your accounts.